Health Net Cited for Refusing a Security Audit

Why Do Some Companies Reject Security Scrutiny?
The Office of Personnel Management alleges that insurer Health Net of California, which provides health benefits to federal employees, has refused to cooperate with an OPM security audit called for under OPM's contract with the health insurer. What action OPM will take next is not yet clear.
Similar disputes often arise when healthcare organizations attempt to scrutinize the security practices of their vendors, some security experts point out.
In a Feb. 12 "flash audit alert" issued by OPM's Office of Inspector General's Office of Audit, the federal watchdog agency alleges that Health Net refused to allow OPM auditors to assess the company's security controls in "two critical areas."
OPM writes that its IT audits primarily focus on the information systems that directly process and/or store Federal Employee Health Benefit Program data. "However, almost without exception, FEHBP carriers do not segregate FEHBP data from data for its other commercial and/or federal customers. From a technical perspective, a control weakness on one system poses a threat to all other systems in the same logical and/or physical technical environment," OPM writes.
"Therefore, the scope of certain test work must include all parts of the organization's technical infrastructure that have a logical and/or physical nexus with FEHBP data."
OPM alleges that Health Net will not allow OIG to perform vulnerability and configuration management testing - and also will not provide the OIG with the documentation required to perform testing related to Health Net's ability to effectively remove information system access to terminated employees and contractors.
"Health Net's actions are in direct violation of the company's contract with OPM, and also disregard the statutory authority of the OIG," OPM writes. "Of greater concern, however, is that the auditors cannot evaluate Health Net's IT security controls in [those] two critical areas ... As a result, we are unable to attest whether Health Net is acting as a responsible custodian of critically sensitive protected health information and personally identifiable information of FEHBP members."
The alert also notes: "We perform vulnerability scan testing as part of all audits of FEHBP insurance carriers, and have done so for over 10 years in approximately 70 unique technical environments."
OPM says it takes measures to minimize any risk associated with its security testing, noting its procedures were developed in collaboration with health insurance industry CIOs and CISOs. "There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing," OPM writes.
The alert notes that an OPM contracting officer sent a letter on Feb. 12 to the director of Health Net "reiterating the necessity to comply with the audit requirements of the contract."
Health Net Reacts
Health Net, in a statement provided to Information Security Media Group, says the company "has fully cooperated in the OPM OIG's audit. In addition, we have provided much of the documentation requested and continue to work with both the OPM and the OIG on the remaining requests.
"The alert and accompanying memorandum issued by OPM contains unfounded allegations that Health Net is obstructing the OIG's audit of the information systems general and applications controls. The alert also contains grossly inaccurate statements about the security of Health Net's technical environment."
Health Net desires to do all it can to allow the OIG to fulfill its audit goals, the insurer says. "However, we have been advised by our outside ... counsel with expertise in these types of issues that were we to comply with certain of the requests from OPM, we would risk violation of contractual obligations we have to third parties to use reasonable care to protect the data of such third parties. Based on our experiences with other audits, including audits by other federal agencies, we remain convinced we can satisfy all of the objectives of the OPM and OIG requests without compromising the security of our systems. Our primary goal here is to fulfill our duty to protect the privacy and confidentiality of our members and employee data."
Not the First Time
Health Net is not the first OPM contractor to reject the agency's security audit requests.
Health insurer Anthem Inc., for instance, refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" in 2015 following the hacker attack on the company that affected 78.8 million individuals.
OPM had previously said that Anthem also refused to allow the OIG to conduct vulnerability tests in 2013 as part of an IT security audit that was performed by the agency (see Anthem's Audit Refusal: Mixed Reaction).
Some security and privacy experts say the dispute between OPM and Health Net is similar to the challenges many healthcare organizations often face when attempting to scrutinize the security controls and practices of their vendors.
"Getting business associates to cooperate with covered entities in testing security, or even just viewing the BAs' information security and privacy policies, has been a problem from when HIPAA was first enacted," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"While this situation has improved somewhat, it has always been a challenge to get most BAs to cooperate with not only vulnerability and penetration tests, and other technology-based assessments, but just with risk assessments and program audits in general," she says.
But Herold contends that Health Net's refusal "is bolder than most I've seen, but it is not unusual. BAs often offer some 'weak excuse,' such as saying that doing such an assessment would take too much time, could be disruptive to their operations, or even pose a security threat in and of itself," she says.
"But an outright refusal to [agree to] an assessment, in violation of their contract, and in violation of HIPAA requirements for CEs to be able to obtain satisfactory assurances of their BAs' security and compliance with HIPAA, is more surprising than most," Herold says. "It seems as though they think they can refuse because, perhaps, they believe the CE is dependent upon them and cannot terminate them."
OPM's level of security scrutiny of Health Net appears to be due to its government contract and not HIPAA requirements, says Kate Borten, president of the privacy and security consulting firm The Marblehead Group.
"This level of audit goes way beyond the HIPAA intent, in my opinion," she says. Participating as a vendor in government health programs, such as Medicare, apparently "requires more explicit and stringent security controls than the HIPAA Security Rule," Borten adds.
In the private sector, "it is not common for CEs to technically test their BAs' security," she says. "Many or most CEs focus primarily on improving their own security and assuring they have BA contracts in place. The next step in oversight is for CEs to perform desk audits of their BAs, using a survey tool and perhaps reviewing policies and procedures. CEs may also ask for evidence of a clean penetration test. This approach has become more common, especially with large CEs such as health plans and pharmacy benefit managers."
Vendors sometimes have legitimate reasons for refusing various security testing or audit requests from their clients, Borten notes. "Unless the BA has a contractual obligation, as in this [OPM] case, BAs may be reluctant to permit this level of testing for good reasons. For example, there can be risks such as exposing other customers' PHI and PII," she says.
Herold notes that sometimes the timing of audit requests is a problem.
"Let's say the request is for a time when the BA was planning to implement a new enterprisewide operating system or application, or attach a newly acquired subsidiary to their network. Those are huge projects, so it is reasonable to indicate that the time requested is not a good time," she says.
Reasonable BAs, however, will offer a different time for the assessment to occur, to show their cooperation, she says.
"Flat-out refusals are not acceptable, especially when contractual requirements, and regulatory compliance requirements, indicate that the BA must have such assessments," Herold says.
Health Net's dispute with OPM isn't the company's first security controversy.
In 2014, Health Net signed a multi-million-dollar settlement in a consolidated class action lawsuit against the insurer related to a 2011 breach that affected about 2 million individuals.
The settlement, approved by a California court, required Health Net to provide certain plaintiffs with reimbursements for identity theft losses. It also required Health Net to offer credit monitoring to all 2 million affected, as well as insurance coverage. Plus, it called for Health Net to make unspecified changes to improve its physical and information security practices.