Audits are one of life’s greatest pleasures, right up there with root canals and childbirth. Firms love them, too; alongside tax audits-- financial audits, records audits, and compliance audits make life splendid for businesses. Unfortunately, compliance is an unwieldy but necessary evil-- that is, unless you’re America’s 2nd biggest health insurer.
Anthem’s widely-publicized data breach that left nearly 80 million people with compromised personal data prompted the Office of Personnel Management’s (OPM) Inspector General to request a comprehensive IT security audit on Anthem’s systems. In response, Anthem issued a flat-out denial of the request, leading many to interpret the refusal as an effort to avoid further embarrassment. Interestingly enough, this marks the second time they’ve been uncooperative with the OPM Inspector General’s audit activities; similar audit requests were made back in 2013, to no avail. Because Anthem provides coverage to 1.3 million federal employees, they’re overseen by the OPM, which conducts audits of health insurance companies participating in the Federal Employees Health Benefits Program (FEHBH).
Granted--these aren’t SOX compliance auditors rapping on Anthem’s door. Notwithstanding, an outright refusal to cooperate on numerous occasions--with a government office responsible for oversight, no less-- can’t be good for the company’s public persona. And while cooperation with regulators is not required by law, the OPM Inspector General is working to modify healthcare insurer’s government contract, which could ultimately force them into submission.
The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
In all fairness, Anthem may have private, justifiable reasons for refusing to cooperate-- but the simple fact is that oversight bodies like the OPM and legislation such as HIPAA and Sarbanes-Oxley exist to protect consumers from internal mismanagement-- be it of private medical data, financial information, or the like. Audits may be the bane of corporate existence, but they exist (at least in part) to prevent catastrophes like security breaches or data loss from occurring. One can imagine a happier, alternate ending for Anthem where proper control measures implemented in preparation for an audit prevent the breach from happening in the first place.
Problems that can ultimately lead to disasters like Anthem’s are in many cases hard to find-- deploying UpGuard for monitoring is the easiest and most effective way to detect issues such as configuration drift and the presence of vulnerabilities. Using it to scan the environment on a regular basis ensures that all IT resources-- servers, network devices, cloud apps,-- are configured correctly and meet expectations. Validation and testing of environments and system configurations should be a regular, ongoing activity; UpGuard’s policy creation and job scheduling makes this a trivial task. Finally, for placating auditors-- downloadable reports within UpGuard can suffice as material evidence of compliance efforts.
Anthem’s latest debacle serves as a cautionary tale for organizations transacting in today’s IT landscape. If your organization’s business arena is regulated (chances are it is), it’s for good reason: an audit-- or activity in preparation of an audit-- identifies security vulnerabilities and misconfigurations that could lead to compromised data. There’s no doubt that firms should follow stringent IT control measures anyway, just as a matter of good corporate citizenry. So unless you’re like Anthem and prefer to dance to your own dangerous tune, putting the proper IT control measures in place will keep customer data safe and position your firm favorably in the eyes of future auditors.
How CSTAR Works What's In the Website Risk Grader? Understanding Risk in the 21st Century
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Blog >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Blog >
And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Blog >