
Why did Anthem resist government vulnerability assessments?

Vulnerability assessments are often a requirement for organizations that have suffered a data breach and the assessors' results can be invaluable to protect a business.

I'm confused by Anthem's refusal to agree to a vulnerability assessment by the OMP's Office of the Inspector General following its recent data breach incident. What's your take on the situation? For other organizations that experience a breach, is there any reason not to cooperate with the government?

In 2013 and again in 2014, the Office of Management and Policy (OMP) in the U.S. Department of Health and Human Services was unable to convince Anthem to allow it to perform a vulnerability assessment. After the data breach, this raised some interesting questions. If OMP cannot perform such vulnerability assessments, what organization can?

No enterprise will subject its IT environment to an outside security assessment if it's not required. However, a prudent enterprise will engage competent independent assessors to attest to the effectiveness of its information security controls. Internal assessors drawn from risk, internal audit or information security groups can provide adequate assessments, but continuous and independent reviews by external assessors may prove more valuable.

Whenever there is a major breach at a healthcare institution such as Anthem that involves medical information, the Office of the Inspector General performs an investigation. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.

The Anthem breach affected as many as 80 million customers, but because the information exposed was PII rather than medical information, the breach does not come under HIPAA rules or the OMP. Consequently, when the breach was discovered Anthem contacted the FBI.

But is there any reason not to cooperate with the government? Not cooperating with the government is typically a losing proposition, though whether to disclose information that is subject to a government review may depend on how severe the breach and its aftereffects -- such as penalties and fees -- turn out to be. Decisions about implementing controls and complying with regulatory security requirements should not be driven primarily by compliance or cost; they should be based on ensuring proper protection of corporate and customer information.


Next Steps

First learn the difference between security audits, vulnerability assessments and penetration tests, and then check out how to successfully run a vulnerability assessment.

Learn more about electronic protected health information.

This was last published in October 2015
