Anthem Refuses To Let Inspector General Conduct Full Security Audit

Published: 22/11/2024   Category: security

The security industry has mixed reactions.



Anthem initially earned brownie points with security professionals by publicly disclosing a major data breach well before it was obligated to do so. However, it has now been revealed that Anthem refused to allow the U.S. Office of Personnel Management's Office of the Inspector General (OIG) to conduct vulnerability scans and compliance tests after the breach.
According to a story in the Financial Times (registration required), Anthem did allow OIG to complete an audit in September 2013. That audit found that the insurer did not conduct routine vulnerability scans and did not have sufficient controls in place to prevent rogue devices from connecting to its network.
After that, Anthem denied OIG access for a follow-up audit. OIG told the FT that Anthem had said it was denying access because of a policy that prohibits external entities from connecting to its network, and Anthem recently reiterated that auditors would not be permitted to conduct vulnerability scans.
Anthem said that giving the auditors full access would have required turning off its antivirus software and could have caused outages in its systems. In place of the scans, Anthem offered its own vulnerability management programme as a substitute.
Opinions on the matter are mixed. “As with most failed security scenarios, the core problem is not technology, but is in fact a lack of leadership and culture,” says Philip Lieberman, president of Lieberman Software. “The refusal to allow the OIG to scan their systems should have been a warning flag that OIG should have publicly published as a public service to Anthem customers. My hope would be that the Executive Branch will modify the rules of engagement for the OIG so as to allow them to make these failures to comply a matter of public record so that citizens could protect themselves.”
Jonathan Sander, strategy and research officer for STEALTHbits Technologies, on the other hand, says, “Lack of evidence is not evidence of something lacking, and all Anthem’s refusal of the [OIG] audit creates is a lack of evidence. If I were Anthem, perhaps the last thing I would want while I’m trying to rush to fix the issues revealed by their breach is to have to host strangers who will further tax my staff and create more meetings when I need action. It’s interesting that the audit performed earlier has the OIG saying Anthem didn’t have any clues about deficiencies. It only serves to show how complex security and compliance are. They’re complex issues on their own, their relationship is complex, and their execution is extremely complex.”
As healthcare lawyer Matt Fisher tweeted:
