At Anthem: Where There’s Fire, There’s Smoke
After losing 80 million patient records, Anthem Healthcare is refusing to have its network scanned for vulnerabilities by a federal auditor, raising questions about the health insurer’s internal practices.
The saying goes “where there’s smoke, there’s fire.” But in the case of Indiana-based Anthem Inc., you might need to flip that adage around: “where there’s fire, there’s smoke.”
That, after a federal auditor responsible for monitoring health insurers’ information security controls revealed this week that Anthem refused to allow it to scan its network for vulnerabilities, configuration problems and other issues in the wake of the breach.
As reported by Healthcareinfosecurity, the Office of Personnel Management's (OPM) Office of Inspector General, issued a statement saying that Anthem refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. Worse: Anthem refused a similar request in 2013. In each case, Anthem cited “internal policies” that forbid outside access to its network as the reason for refusing to allow the vulnerability scans.
OPM has the authority to conduct the audits on Anthem because that health insurer provides health plans to federal employees under the Federal Employee Health Benefits Program (FEHBP). Insurers are not required to submit to the audits, though OPM can use federal contracting to make full audits a condition of providing benefits to federal employees. According to the Healthcareinfosecurity story, OPM is pursuing that course in the wake of Anthem’s reluctance to have its IT infrastructure scanned.
The reports are a worrying sign for Anthem, which runs the Blue Cross Blue Shield plans in California, New York and other states. The firm acknowledged in February that unnamed attackers made off with data on some 80 million customers. The incident is being investigated by the FBI, and Anthem says it has hired the firm Mandiant (a division of FireEye) to investigate the breach.
In a statement to customers, Anthem CEO Joseph Swedish said that the attackers gained “unauthorized access to Anthem’s IT system” and made off with “personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
Anthem has maintained that credit card or medical information, such as claims, test results or diagnostic codes were not targeted or compromised. But the company’s investigation isn’t complete.
The OPM report suggests that the company’s problems may be longer-lived and more serious than was believed. An OPM report filed in September 2013 and based on only limited access to Anthem’s network identified a number of concerns, from porous vulnerability scans that failed to include desktop systems to a loose configuration management program. In each case, Anthem (then Wellpoint) responded by arguing that its current processes were adequate.
But those responses suggest that Anthem/Wellpoint policy may have left the organization vulnerable to attack. For example, in response to a recommendation from OPM that Anthem/Wellpoint implement a Configuration Compliance Monitoring program, the company responded that its “Vulnerability Management Program includes ongoing patching.” And that “security patches for high severity vulnerabilities are applied within 90 days on DMZ servers and 180 days on internal servers.” So – 3 months for “high severity vulnerabilities” in the DMZ? That’s a wide- wide window for even unskilled attackers to slip through. And early reports on Anthem pointed to sophisticated attackers working out of China – not script kiddies operating out of their parents’ basements.
The data breach at Anthem is the largest of 2015, following a year that brought a seemingly endless stream of news of a string of attacks on large retailers. If poor patch management for high value, public-facing IT assets ends up playing a role in the lead up to the breach, it will match a pattern.
A lack of proper IT management is a common problem. A 2014 survey by the firm Trustwave found that 58 percent of businesses do not have a fully mature patch management process in place, and 12 percent do not have a patch management process in place at all.
About Paul Roberts
More from the Digital Guardian Data Security Knowledge Base: