Anthem Blocking Federal Auditor From Doing Vulnerability Scans

chicksdaddy writes Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including Wellpoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.

no need

[turkeydance]

Anthem already knows its vulnerability.

The industry needs more regulation

[mysidia]

We need regulation....

Insurers aren't mandated to comply — though most do.

They should be required to pass their audit or pass an audit by a 3rd party auditor who is approved by the OIG.

Failure to comply should result in fines and bar them from writing or acquiring any more insurance policies, until they do.

Also, in the event of a breach at this juncture, there should be a financial penalty for their negligence.

Re:The industry needs more regulation

[Mr.+Shotgun]

This is hilarious. Every day slashdotters either complain that it's *obvious* we need less regulation. And in a separate thread, it's *obvious* we need more regulation.

*protip* slashdotters as you so put is is not a hive mind, people post here from all walks of life and have differing opinions. In fact I have seen opinions from both sides of the political spectrum that have been rated +5 insightful in the same thread. And they were both right, it was insightful and made you think. The last thing this site needs is to become an echo chamber of samethought and goodthink. If you are looking for that there are plenty of other websites out there, may I recommend Tumblr or yahoo news?

Anthem is normal here

[dave562]

I work for an organization that hosts PII for a number of large public companies. We are constantly asked about vulnerability scans and about 50% of the clients want to scan our networks themselves. We do not allow that.

The compromise is that we conduct bi-weekly scans with Rapid7, and hire from a rotating list of third parties to conduct yearly vulnerability assessments of our applications and infrastructure. We make the high level results of those scans (number of vulnerabilities found) available to the clients. We also have to put up with the occasional fire drill like Heartbleed. During those situations, we deploy the patches as soon as we can test them, and then provide letters of attestation to any client who wants / needs one.

While some clients complain, they eventually come around when we explain to them that it is for their own safety and the protection of their information. We are in a situation where we retain data for companies who are in direct competition with each other. When push comes to shove, we sometimes have to explain that, "Just like we will not let you scan our network for vulnerability, we will also not allow your direct competitor to scan our networks either."

Re:Anthem is normal here

[bouldin]

That sounds reasonable to me. If were running a security group, I would take care of as much in-house as I possibly could. I especially wouldn't allow business partners to scan my gear.. There is just too much risk there.

There are a couple differences with Anthem, though.

1. 1. They are being audited by regulators, and your business-to-business relationships are different.
2. 2. Anthem was not able to document its internal vulnerability scans, while it seems like your company is diligent about this.

Here's a quote from the OIG:

"However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."

That sounds more like a company with shoddy security trying to hide its failings behind a specious policy.

simple answer

[ihtoit]

STOP THEM FROM OPERATING. Prohibit them from carrying out a single transaction until they comply with Federal requirements. Fuck them, if they don't want to abide by the rules, we'll take their fucking marbles off them and kick them out of the playground.

Re:LOL!

[ihtoit]

Anthem need to learn the rules of the playground and start abiding by them, if I were the Fed I'd be shutting their arses down until they comply. No? You're telling me "NO"?? Fuck you. Get the fuck out of my playground.

Two scenarios.

[140Mandak262Jamuna]

Scenario 1:

Dear Investigator,

We understand you suspect our CEO was doing insider trading and want access to our server logs to find evidence of guilt or innocence. While we appreciate your conscientiousness, we regret, we do not allow third party access to our servers. We thank you for your understanding. Hoping this would buy us enough time to sanitize our server logs, Yours, Gofly Akite, for Dewy Chetham and Howe.

SEC investigator: eh? well, OK, Guess I tried, so I have covered my ass

Scenario 2:

"Hey Police officer, you want to search my car for pot? I know you are just doing your job, but sorry buddy, my policy is not to allow any third parties into my car. Hope you understand"

Police Officer: "Keep your hands visible, and slowly exit your vehicle, turn around put your hands on the hood and bend over..."