The full statement from the US Office of Personnel Management Office of the Inspector General
Anthem Blue Cross and Blue Shield (Anthem, previously named WellPoint Inc.) participates in the Federal Employees Health Benefits Program (FEHBP), which is administered by the U.S. Office of Personnel Management (OPM). As part of its oversight responsibilities, the OPM Office of the Inspector General (OIG) conducts audits of, among other entities, insurance carriers that participate in the FEHBP. This includes conducting information technology (IT) security audits.
In January of 2013, we initiated an IT security audit where Anthem imposed restrictions that prevented us from adequately testing whether it appropriately secured its computer information systems. The report is available on our website (PDF).
One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization’s computer servers. These scans are designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyber-attack. From an audit perspective, our objective is not to identify every vulnerability that exists in a technical environment, but rather to form an opinion on the organization’s overall process to securely configure its computers.
When we requested to perform this test at Anthem, we were informed that a corporate policy prohibited external entities from connecting to the Anthem network. In an effort to meet our audit objective, we attempted to obtain additional information about Anthem’s own internal practices for performing this type of work. However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.
As a result of the scope limitation on our audit work and Anthem’s inability to provide additional supporting documentation, our final audit report stated that we were unable to independently attest that Anthem’s computer servers maintain a secure configuration (see pages 8-10 of the audit report).
After this audit, we brought our concerns regarding OIG IT auditor access to OPM’s attention. After discussions with our office, OPM amended the FEHBP contract to allow a certain degree of auditor access. Since that time, this provision alone has proven to be insufficient, and we are currently working with OPM to address the issue.
After the recent breach was announced, we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is “corporate policy.”
We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG.