Anthem Healthcare lost more than 80 million patient records raising a slight question about what it does about security.
However when the federal auditor asked to scan the company’s systems, it took the bold step of telling the watchdog to sling its hook.
The Office of Personnel Management’s (OPM) Office of Inspector General, issued a statement saying that Anthem refused to allow the agency to perform “standard vulnerability scans and configuration compliance tests” this summer, as requested by the OIG. Worse: Anthem refused a similar request in 2013. In each case, Anthem cited “internal policies” that forbid outside access to its network as the reason for refusing to allow the vulnerability scans.
In other words, no you can’t look at our security because that would be a breach of security.
In its dealings with other insurers, the watchdog would have a problem, but OPM has the authority to conduct the audits on Anthem because that health insurer provides health plans to federal employees under the Federal Employee Health Benefits Program (FEHBP).
What Anthem appears to be worried about is that the watchdog might find out that its security problems go much deeper than a one off hacking.
An earlier OPM report filed in September 2013 and based on only limited access to Anthem’s network identified a number of concerns, from porous vulnerability scans that failed to include desktop systems to a loose configuration management program. In each case, Anthem (then Wellpoint) responded by arguing that its current processes were adequate.