Anthem,
Inc. which is headquartered in Indianapolis,
Indiana, is an independent licensee of the Blue Cross and Blue Shield
Association serving members in California, Colorado, Connecticut, Georgia,
Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio,
Virginia and Wisconsin; and specialty plan members in other states.
Unfortunately, a recent cyber attack
has exposed personal information on more
than 80 million Anthem customers. This personal information included names,
birthdays, medical IDs/social security numbers, street addresses, email
addresses and employment information, including income data.
In
responding to this cyber attack the CEO, Joseph R. Swedish, said,
“Safeguarding your personal, financial
and medical information is one of our top priorities, and because of that, we
have state-of-the-art information security systems to protect your data.
However, despite our efforts, Anthem was the target of a very sophisticated
external cyber attack.”
This is what you would expect a CEO
to say in defense of his company. "We were state-of-the-art, but we still got
beat!”
But, was Anthem really state-of-the-art
when it came to cyber security?
To be state-of-the-art, appropriate
controls would need to be in place, reassessed periodically and tested
frequently to be sure the controls were working as intended.
Here are some questions an auditor
would ask:
- What role did the Board of Directors play in assessing technology risks that confront Anthem?
- Did the Chief Information Officer formally assess the security risks that exist in protecting customer data?
- If so, how frequently was that risk assessment updated?
- Why did the CIO decide not to encrypt sensitive data that Anthem was maintaining in its database?
- How frequently did the CIO do penetration testing seeking to see if outsiders are able to gain access to sensitive data?
- How many staff were assigned to monitoring security alerts?
- How many security alerts occurred each day?
- How long does it take to respond to a security alert and resolve the issue?
These are just some of the many
questions that Anthem management should address. But, no control system is
infallible and it can only provide reasonable assurance. The reasonable
assurance though should be supported by a systematic, on-going process to
assure “state-of-the-art
information security systems [are in place] to protect your data.” as the CEO
claims.
On its web site, the company says,
“The
Anthem brand is built on a foundation of trust – it’s the name consumers are
most familiar with as a trusted health care partner through our affiliated
health plans.”
That trust is being tested today.
