The Office of Personnel Management’s (OPM) Office of the Inspector General (OIG) conducts security audits on healthcare organizations participating in the Federal Employees Health Benefits Program (FEHBP). Following the massive HIPAA breach at Anthem, Inc. last month, the OIG decided to conduct a new information technology security audit on the insurer.
The OIG information technology security audits set out to determine whether security vulnerabilities exist that could potentially be used by hackers to gain access to servers and internal computer systems. The audits are not comprehensive; instead, they sample a small proportion of the organization’s servers to help build an overall picture of data security and of whether sufficient steps have been taken to prevent hackers from conducting malicious cyber attacks.
The audits consist of automated vulnerability scans and accompanying configuration compliance audits; however, according to a HealthITSecurity report, Anthem refused to cooperate fully with OIG auditors and restricted access to its servers, claiming that providing access would violate corporate security policies.
Last year the OIG had similar issues with Anthem when the company was operating under the name of Wellpoint. A routine IT security audit was similarly hampered when the company refused to give auditors access to its servers.
According to Susan L. Ruge, associate counsel to the Inspector General at OIG, “We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident.” She went on to say, “We do not know why Anthem refuses to cooperate with the OIG.”
The OIG reworded the FEHBP contract after the last attempted audit to ensure its auditors would be given the appropriate access rights to conduct audits, but Anthem has again interpreted the language in such a way that it is able to refuse.
The audits are not voluntary, and organizations are required under FEHBP rules to cooperate with IT security audits. In response, the OIG is working with the OPM to rectify the issue and is likely to alter the contract to allow its auditors to gain access to conduct an IT security audit.
According to Ruge, after the recent access refusal, “we attempted to obtain additional information about Anthem’s own internal practices for performing this type of work. However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers.”
The security report from last year’s audits found that while the insurer had configured its servers to record the activity of system administrators, those access logs were not being reviewed. It was only in the event of a known data breach that the logs would be checked for inappropriate access. The OIG noted that a “failure to routinely review elevated user activity increases the risk that malicious activity could go undetected and sensitive information could be compromised.”
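As an added illustration of the finding above (example code, not from the article, the OIG or any insurer), the following Python sketch shows what a routine review of elevated-user activity could look like: it parses constructed audit log lines and flags the events a reviewer should examine rather than waiting for a known breach. The log format, account names, business hours and privileged group names are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample of server admin-activity log lines (not real data from any organization).
SAMPLE_LOG = """\
2015-02-10T09:12:04Z host=db01 user=jdoe action=sudo cmd="systemctl restart postgresql"
2015-02-10T02:41:17Z host=db01 user=svc_backup action=sudo cmd="cat /etc/shadow"
2015-02-10T10:05:33Z host=app02 user=asmith action=useradd target=tmpadmin
2015-02-10T10:06:10Z host=app02 user=asmith action=usermod target=tmpadmin groups=wheel
2015-02-11T03:15:22Z host=db01 user=jdoe action=sudo cmd="pg_dump members"
"""

# Assumed review policy: who may hold elevated rights, when they normally use them,
# and which group memberships confer administrative privilege.
APPROVED_ADMINS = {"jdoe", "asmith"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC
ADMIN_GROUPS = {"wheel", "sudo", "Administrators"}

LINE_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)'
)

def parse_line(line):
    """Turn one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event

def review_elevated_activity(log_text):
    """Return (timestamp, user, action, reasons) for every event that merits human review."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # malformed line; a real reviewer would count these too
        reasons = []
        if event["user"] not in APPROVED_ADMINS:
            reasons.append("elevated action by account not on the approved admin list")
        if event["time"].hour not in BUSINESS_HOURS:
            reasons.append("elevated action outside business hours")
        if event["action"] in ("useradd", "usermod") and any(g in event["rest"] for g in ADMIN_GROUPS):
            reasons.append("account added to a privileged group")
        if reasons:
            findings.append((event["ts"], event["user"], event["action"], reasons))
    return findings
```

Run daily over the previous day's logs, a report like this turns the recorded-but-unread administrator activity into a short list someone actually looks at.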
Anthem may have been able to prevent OIG auditors from accessing its servers – for now – but it also has to contend with the Office for Civil Rights. Anthem is clearly on the OCR’s radar. Only last year the insurer (Wellpoint) had to settle for $1.7 million for HIPAA violations resulting from an unsecured server which potentially exposed the data of over 600,000 members between 2009 and 2010.
The OCR has stated that it considers the 80 million-record data breach to fall under HIPAA due to the nature of the data exposed. It will be looking at the breach to determine whether HIPAA Privacy Rules have been breached and, if there is sufficient cause, may trigger a full compliance audit.
Content provided by HIPAA Journal