Tuesday, February 10, 2015

80 Million Customers' Personal Information at Risk – What Controls were in Place?

Anthem, Inc. which is headquartered in Indianapolis, Indiana, is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.

Unfortunately, a recent cyber attack has exposed personal information on more than 80 million Anthem customers. This personal information included names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

In responding to this cyber attack, the CEO, Joseph R. Swedish, said,

“Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack.”

This is what you would expect a CEO to say in defense of his company. “We were state-of-the-art, but we still got beat!”

But, was Anthem really state-of-the-art when it came to cyber security?

To be state-of-the-art, appropriate controls would need to be in place, reassessed periodically and tested frequently to be sure the controls were working as intended.

Here are some questions an auditor would ask:
  • What role did the Board of Directors play in assessing technology risks that confront Anthem?
  • Did the Chief Information Officer formally assess the security risks that exist in protecting customer data?
  • If so, how frequently was that risk assessment updated?
  • Why did the CIO decide not to encrypt sensitive data that Anthem was maintaining in its database?
  • How frequently did the CIO conduct penetration testing to see whether outsiders could gain access to sensitive data?
  • How many staff were assigned to monitoring security alerts?
  • How many security alerts occurred each day?
  • How long does it take to respond to a security alert and resolve the issue?

These are just some of the many questions that Anthem management should address. But no control system is infallible; it can only provide reasonable assurance. That reasonable assurance, though, should be supported by a systematic, ongoing process to assure that “state-of-the-art information security systems [are in place] to protect your data,” as the CEO claims.

On its web site, the company says,

“The Anthem brand is built on a foundation of trust – it’s the name consumers are most familiar with as a trusted health care partner through our affiliated health plans.”

That trust is being tested today.