A year or so before American health insurer Anthem admitted it had been ruthlessly ransacked by hackers, a US federal watchdog had offered to audit the giant's computer security – but was rebuffed.
"We do not know why Anthem refuses to cooperate," government officials told The Register today.
The Office of the Inspector General (OIG) for the US Office of Personnel Management (OPM) told us it wanted to audit Anthem's information security protections back in 2013, but was snubbed by the insurer.
According to the agency, Anthem participates in the US Federal Employees Health Benefits Program, which requires regular audits from the OIG, audits that Anthem allegedly thwarted. Other health insurers submit to Uncle Sam's audits "without incident," we're told.
"In January of 2013, we initiated an IT security audit where Anthem imposed restrictions that prevented us from adequately testing whether it appropriately secured its computer information systems," the OIG explained in a statement.
"One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization’s computer servers. These scans are designed to identify security vulnerabilities and mis-configurations that could be exploited in a malicious cyber-attack."
According to OIG, Anthem declined to allow auditors to connect to its network, citing a corporate policy against allowing external entities to access its computer systems. Instead, the OIG said it requested information about Anthem's internal practices, but received "conflicting statements" from the insurer.
Although it was apparently frustrated by the insurer in 2013, the watchdog pressed ahead with a report on security at Anthem, then known as WellPoint. The OIG noted:
"WellPoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
"In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration."
Fast forward to February of 2015, and Anthem revealed that miscreants had breached its network defenses and stolen personal information on at least 70 million Americans – information from names, dates of birth, and addresses to social security numbers and salary records.
Again, the OIG said it asked Anthem if it could perform an audit to find out what went wrong. Again, the office says it was rebuffed by the insurance giant.
"After the recent breach was announced, we attempted to schedule a new IT audit of Anthem for this summer," the OIG added.
"Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy'."
It appears nobody told the hackers about that "corporate policy."
Anthem had yet to respond with comment at the time of publishing. ®