The Register is reporting that Anthem refused to allow U.S. government auditors to audit its systems, as required under a contract that Anthem has with the U.S. government. This news is coming out after Anthem was hacked and some 88 million customer records were taken.
The Office Of Personnel Management Inspector General audits insurers who provide insurance to government employees under the Federal Employees Health Benefits Program.
OPM has a particular audit protocol that is somewhat intrusive but not out of the ordinary and Anthem told them no, they could not do that.
I have been a vendor to several of the world’s largest banks and they used to audit my firms on a regular basis. If we told them to go away, they would have told us to go away as well.
It is not at all clear why OPM allowed Anthem to continue to do business with the government under these circumstances. It is the difference between private industry and government.
OPM wrote a report on Wellpoint (now Anthem) that said, in part:
Wellpoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.
Given this report, it is totally unimaginable that, in private industry, they would have been allowed to continue as a supplier.
After the breach, OPM again tried to audit Anthem and they again said no.
And, they continue to collect checks from the government.
This should be interesting fodder for the lawsuit machine.
According to Washington Technology, hackers have gone after Keypoint Systems, a contractor for The Office of Personnel Management that does background investigations for security clearances. If anyone has ever had a Department of Defense or other government security clearance, the information that you provide is extremely detailed. For example, for the DoD, the SF-86 form can be well over 100 pages when completed. OPM is notifying almost 50,000 people that their information may have been taken. "May have" because they don't really know. I assume they don't know because Keypoint did not have sufficient controls in place to tell what the hackers took. OPM says that Keypoint is adding more controls as a result of the breach, but beyond that, they are saying very little.
Curiously, USIS, the contractor that OPM used to use and most famous for having performed Edward Snowden’s background investigation, was hacked this year also and the OPM cancelled their contract, causing them to lay off 3,000 employees. The fact that OPM is handling these two breaches very differently will no doubt get some attention on Capitol Hill.
It is more than a little disconcerting that two different contractors who handle security clearance investigations for the government this year were hacked. It says something about the (lack of) security requirements in the contracts that OPM is issuing for vendors.
They are the government so they can get away with a lot more than you or I can.
While it is fun to beat up the government, it is, unfortunately, like taking advantage of someone who is not very good at what they do.
The lesson to be learned here is that you should review whether or not you are effectively vetting the security of subcontractors and vendors that you use. Do your contracts have specifics regarding security practices, policies and technology? If what happened to Keypoint and USIS happened to you, it would likely have a large effect on your business. USIS had to shut down an entire division.