
Why did Anthem resist government vulnerability assessments?

Vulnerability assessments are often required of organizations that have suffered a data breach, and the assessors' findings can be invaluable in protecting the business.

I'm confused by Anthem's refusal to agree to a vulnerability assessment by OPM's Office of the Inspector General following its recent data breach incident. What's your take on the situation? For other organizations that experience a breach, is there any reason not to cooperate with the government?

In 2013 and again in 2014, the Office of the Inspector General (OIG) of the U.S. Office of Personnel Management (OPM), which oversees the Federal Employees Health Benefits Program in which Anthem is a participating carrier, was unable to convince Anthem to allow it to perform a vulnerability assessment. In light of the data breach, this raises an obvious question: if OPM's inspector general cannot perform such vulnerability assessments, what organization can?

Few enterprises will voluntarily subject their IT environment to an outside security assessment if it is not required. A prudent enterprise, however, engages competent independent assessors to attest to the effectiveness of its information security controls. Internal groups such as risk management, internal audit or information security can provide adequate assessments, but continuous and independent reviews by external assessors carry more weight precisely because the assessor has no stake in the result.

Whenever there is a major breach at a healthcare institution such as Anthem that involves medical information, the Office of the Inspector General performs an investigation. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI).

The Anthem breach affected as many as 80 million customers, but because the information exposed was PII rather than medical information, the breach does not fall under HIPAA rules or OPM's jurisdiction. Consequently, when the breach was discovered Anthem contacted the FBI.

But is there any reason not to cooperate with the government? Refusing to cooperate is typically a losing proposition, but the willingness to disclose information that will be subject to government review often hinges on whether the breach and its aftereffects -- such as penalties and fees -- would be more damaging than the review itself. That is the wrong calculus. Decisions about implementing controls and complying with regulatory security requirements should not be driven primarily by compliance or cost; they should be driven by ensuring proper protection of corporate and customer information.
