Red Flags Abound in 2013 Anthem Security Audit

A report from a federal auditor raised serious concerns over Anthem's internal IT practices - two years before the company announced it had been hacked.

In-brief: A 2013 audit of Anthem Inc. contains a number of red flags about the company’s internal information security practices, and suggests Anthem was trying to mislead auditors to avoid scrutiny. 

A 2013 audit of Anthem Inc. raised red flags about lax IT practices at the organization, years before Anthem was the victim of a major data breach.

The audit, a copy of which is available on the Office of Personnel Management Web site, makes ten recommendations for the Indiana-based health insurer, many of them underlining the need to implement basic security controls such as configuration and patch management, as well as regular vulnerability scans.

The report raises questions about the quality of internal processes at Anthem, which acknowledged in February that it was the victim of a “sophisticated attack” that resulted in the theft of personal data on tens of millions of patients.

In a 2013 filing, the company revealed that its corporate IT policy was to patch “high severity vulnerabilities” within three to six months of a software patch becoming available, according to a company response to a 2013 audit by the U.S. government’s Office of Personnel Management.

But the 2013 audit by OPM was able to get substantial access to Anthem’s network – and it found evidence of loose IT practices in the process.

Among the findings in 2013, OPM said it identified several assets that “are not subject to routine vulnerability scanning” and – in fact – may have never been scanned for vulnerabilities, according to Wellpoint/Anthem staff. “Any server not subject to routine scanning may contain a vulnerability that an attacker could exploit to gain access to the WellPoint network,” OPM warned Wellpoint/Anthem.

The company was also faulted for not having any verifiable configuration and compliance auditing program. Indeed, the 2013 report depicts a company playing fast and loose with auditors in an effort to avoid scrutiny.

Specifically: OPM asked permission to conduct automated scans to test configuration of Wellpoint/Anthem IT assets against the company’s approved baseline configuration.

However, WellPoint staff informed the auditors that “a corporate policy prohibited external entities from connecting to the WellPoint network.”

When auditors asked to see the company’s compliance auditing program documentation, they “were initially provided a description of what appeared to be a thorough configuration compliance auditing program at WellPoint.” However, WellPoint was “unable to provide any evidence that a configuration compliance auditing program had ever been in place at the company.”

That kind of back and forth peppers the 2013 audit, which reads like the script of an information security reality television show.
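What the auditors were asking for is not exotic: a configuration compliance program checks each host's settings against an approved baseline and keeps a record of when the check ran and what it found, so that the program's existence can be evidenced rather than merely described. The script below is an added illustration of that idea, not code from the OPM audit or from Anthem/WellPoint; the baseline keys, the hostnames and the observed sshd_config text are all constructed for the example.

```python
"""
Configuration-compliance check of host settings against an approved baseline.

Added example, not part of the OPM audit or of Anthem's tooling: the
baseline values, host names and observed configs below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed approved baseline for a handful of sshd_config settings.
APPROVED_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config contents as collected from three hypothetical hosts.
OBSERVED_CONFIGS = {
    "web-01": "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\nMaxAuthTries 4\n",
    "db-02": "# hardening pending\nPermitRootLogin yes\nPasswordAuthentication no\nX11Forwarding no\n",
    "app-03": "PermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding yes\nMaxAuthTries 6\n",
}


def parse_sshd_config(text):
    """Parse 'Keyword value' lines into a dict; comments and blank lines are skipped.
    sshd keywords are case-insensitive, so keys are normalised to the baseline's spelling."""
    settings = {}
    baseline_by_fold = {k.casefold(): k for k in APPROVED_BASELINE}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = baseline_by_fold.get(key.casefold(), key)
        settings[key] = value.strip()
    return settings


def check_host(observed, baseline=APPROVED_BASELINE):
    """Return the deviations as (setting, expected, actual) tuples.
    A setting absent from the host is reported with actual=None rather than
    silently passing, since an unset value usually means the daemon default."""
    deviations = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual != expected:
            deviations.append((setting, expected, actual))
    return deviations


def run_compliance_audit(configs, baseline=APPROVED_BASELINE):
    """Check every host and return an evidence record: when the check ran,
    what baseline it compared against, which hosts were covered, and what failed."""
    results = {host: check_host(parse_sshd_config(text), baseline)
               for host, text in configs.items()}
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "baseline": baseline,
        "hosts_checked": sorted(configs),
        "non_compliant": sorted(h for h, d in results.items() if d),
        "deviations": {
            h: [{"setting": s, "expected": e, "actual": a} for s, e, a in d]
            for h, d in results.items() if d
        },
    }


if __name__ == "__main__":
    # Print the evidence record; in practice it would be stored with each run.
    print(json.dumps(run_compliance_audit(OBSERVED_CONFIGS), indent=2))
```

The point of the evidence record is the part WellPoint could not produce: a dated artefact listing which hosts were checked against which baseline, so that a later auditor can verify the program ran rather than taking a description of it on trust.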

Regarding the OIG’s finding that WellPoint failed to regularly audit the activity of privileged users on its network, and the recommendation that WellPoint/Anthem “implement a process to routinely review elevated user (administrator) activity,” WellPoint responded by claiming that “the Plan stated that Management is in the process of implementing an automated monitoring program for privileged user access,” detailing a number of different controls it was putting in place.

OPM’s terse reply is that WellPoint “provide OPM’s Healthcare and Insurance office (HIO) with evidence that a process to routinely review elevated user activity has been implemented.”

In other words: Trust. Gone.
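The recommendation above, to “routinely review elevated user (administrator) activity,” is in practice a recurring pass over privileged-command logs that checks who ran what, when, against an approved roster and a review policy, and that leaves a record of the review. The script below is an added example of such a pass, not OPM's or Anthem's tooling; the admin roster, the business-hours policy, the list of commands treated as sensitive and the sudo log lines are all constructed.

```python
"""
Routine review of elevated (administrator) activity from sudo log entries.

Added example, not OPM's or Anthem's tooling: the approved-admin roster,
the review policy and the log lines below are all constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed roster of accounts approved for administrative access.
APPROVED_ADMINS = {"jdoe", "asmith"}

# Constructed sudo entries in the usual syslog/auth.log layout.
SAMPLE_LOG = """\
Jan 10 09:15:02 web-01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 02:13:44 db-02 sudo:   asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
Jan 10 14:40:10 app-03 sudo:    tmp01 : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 14:41:00 app-03 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/tail /var/log/syslog
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed review policy: commands a reviewer always wants to see individually,
# and the hours during which routine administrative work is expected.
SENSITIVE_CMDS = ("useradd", "usermod", "passwd", "/etc/shadow", "visudo")
BUSINESS_HOURS = range(8, 18)
LOG_YEAR = 2015  # syslog timestamps carry no year; constructed for the sample


def parse_sudo_log(text):
    """Return one dict per parseable sudo line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def review_privileged_activity(events, approved=APPROVED_ADMINS):
    """Flag each event a human reviewer should examine, with the reason(s) why."""
    findings = []
    for ev in events:
        reasons = []
        if ev["user"] not in approved:
            reasons.append("account not on approved admin roster")
        if ev["when"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if any(s in ev["cmd"] for s in SENSITIVE_CMDS):
            reasons.append("sensitive command")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "cmd": ev["cmd"], "reasons": reasons})
    return findings


def review_summary(events, approved=APPROVED_ADMINS):
    """Evidence record for the review: what was covered, per-user counts, what was flagged."""
    return {
        "events_reviewed": len(events),
        "by_user": dict(Counter(e["user"] for e in events)),
        "flagged": review_privileged_activity(events, approved),
    }


if __name__ == "__main__":
    for f in review_privileged_activity(parse_sudo_log(SAMPLE_LOG)):
        print(f"{f['host']:7} {f['user']:8} {', '.join(f['reasons'])}: {f['cmd']}")
```

Run against the sample, the review flags the off-hours account creation on db-02 and the unapproved account reading the shadow file on app-03, while the two routine service commands pass. The summary record is what an auditor would ask to see: it shows the review happened, how much activity it covered, and what it surfaced.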

OPM’s Office of the Inspector General is authorized to conduct audits of any insurer offering coverage of federal employees under the Federal Employees Health Benefits Program (FEHBP). However, those audits are not mandatory. And Anthem (then known as “Wellpoint”) has steadfastly refused to give the OIG full access to its network, citing “company policy” in blocking OIG from conducting vulnerability scans of all its IT assets, for example.

According to this report on Healthinfosecurity.com, Anthem is continuing to block OIG auditors from scanning its network – again citing company policy that prohibits third-party connections to its network.

Anthem did not immediately respond to a phone request for comment.
