ACCG358: IS Audit Report
Word Count: 2056
Executive Summary & Introduction
This report was created in order to analyse the security issue that occurred at Anthem Inc. in 2015 when their data centre was breached and a large amount of customer information was stolen (Mathews and Yardon, 2015). This report will explore the manner in which Anthem’s security system can be improved to prevent further data intrusions as well as enhance security in the aftermath of the breach that compromised 80 million accounts, which contained a large amount of sensitive data and healthcare details.
With such a high amount of stolen information from Anthem’s databases it is imperative that the business reorganize their security systems in relation to their databases and networking systems.
In order to solve these problems, the report will address the following points:
- IS Risks: A number of risks Anthem faces in this security breach will be identified, while analysing the likelihood of risks such as loss of customer information, problems with publicity, legal and commercial risks.
- Audit plans and objectives: A proposed plan will be put in place that deals with the security breach at hand and how to plan for the future to avoid potential breaches and keep customer integrity.
- Interview questions and documents: This section will include a series of questions aimed at gathering information, including documents that will be reviewed upon audit.
- Recommendation: In the final section we will give a recommendation to mitigate each of the IS risks that have been previously identified as well as explaining what this means for the company and the potential benefits that are provided as a result.
Background to Case
Anthem Inc. is an American managed health care service located in Indiana. It is currently the largest for-profit health care organization in the Blue Cross and Blue Shield association, and was formed when WellPoint Health Networks Inc. combined with Anthem insurance company. This report deals specifically with the recent security breach that Anthem experienced on the 4th of February 2015 that resulted in a large loss of customer information.
Anthem uses a centralized database, containing aggregated customer and employee information. This database branches out across a number of states in America. Their database is HIPAA (Health Insurance Portability and Accountability Act) compliant, which is essentially designed to aid consumers in tracking costs and outcomes of various clinical practices as well as giving consumers various options to treat medical conditions. This is also designed to aid healthcare employees so they can better aid consumers in giving patients their best option (Anthem, 2006). The security breach was discovered due to one IT employee noticing that he was not the only user currently controlling his account (Gomez et al.).
The problem that Anthem faces is considered one of the largest health care security breaches in history with the possibility of more than 80 million people’s information being compromised (Nelson, 2015). The hackers that breached Anthem’s database gained access to a large range of customer information including names, birth dates, Social security numbers, healthcare ID numbers, emails, home addresses, employee information and employee income data (Anthem, 2015). This has led to a potential loss of up to $100-$200, not including penalties (Nelson, 2015). With the recent talk of Anthem refusing to audit their systems prior to and after the attack (Ragan, 2015), this highlights the need for auditing to improve IT security for Anthem’s database, as well as a way of effectively restoring data. Since Anthem is not entirely sure how access was made into their systems, it’s important that a broad area of their security, and network access be audited to cover all possible areas of intrusion.
Information System Risks
Risk One: Theft of Data
Since this is an aggregation of information, the risk increases, as it is unknown whether or not the loss of this information is permanent. While credit cards and such can be replaced, names, dates of birth and home addresses cannot simply be re-issued. As a result, this could cause a lot of long-lasting problems for the individuals affected.
This risk could end up being considerably more expensive for Anthem as they may not be able to rely on insurance, as rumours suggest their stored data was not encrypted (Gomez et al.), making their data an easy target.
Risk Two: Back door Virus
The implications this could cause Anthem in the future are quite high considering the sensitive nature of medical information. Leaked employee information risks further attacks through administrative accounts. This can lead to an inability to provide necessary patient care due to poor integrity and availability as well as malware damage to medical devices (such as ultrasounds) (Fu and Blum, 2013).
In the case of Anthem, this appears to be part of the reason hackers gained access to their database. Initial attacks involved phishing of employees, allowing malware to be deposited into the system. This allowed for network and database traffic to be monitored (Gomez et al.). As Gomez et al. describe it: “Just imagine attackers installing malware on all security cameras, then watching as someone punches in an access code for your most secure areas” (Gomez et al.).
Risk Three: Loss of Data or Manipulation of data
This is the risk of data being deleted or manipulated from Anthem’s database, risking data anomalies and the logical integrity of Anthem’s database.
The risk for Anthem here is again quite high but depends on the intentions of the attacker. This puts at risk data accessed by consumers and employees rendering them unsure if the data they are accessing is accurate. The implications of this have the potential to be catastrophic in terms of medical management. The result can cause incorrect prescriptions of medications, incorrect medical conditions and treatments for patients and thus the initial goal of providing consumers with their best healthcare options is lost.
Audit Plan & Objectives
In relation to theft of data
The first area that requires auditing is the security of Anthem’s database, as the recent breach makes evident that their security system is not on par with what would be expected of a health insurance organization, especially given the recent news and rumour that some of their data was not encrypted, rendering Anthem ineligible for insurance (Gomez et al.).
The audit procedure involves observing how the database interacts when an access attempt is made. The audit objective is to ensure that the database has been secured so that consumer and employee information will not be leaked in the future. This will confirm current procedures in place and provide an overview of the security level Anthem currently has.
In relation to threat of Back door Virus
The second area of auditing requires viewing how the system protects itself against software attacks, malware attacks and viruses. This could potentially lead to loss of data, and damage of medical equipment.
The audit procedure requires verification that the files on all employee systems be physically controlled. Secondly, we must verify the training personnel have received in terms of the effects of malware, as well as reviewing the anti-virus software used by Anthem and how often it is updated. Since the remote access was made from China using an employee’s account, user log in times must be reviewed to locate unusual database accesses. The audit objective in this case is to ensure that necessary anti-virus software is installed and that systems are free of malware.
In relation to loss of data or manipulation of data
As it is unknown whether data was modified or lost from the database, it is necessary that the data be able to be retrieved to avoid risking the use of corrupt data, especially in the case of a health insurance organization.
The audit procedure requires verification of times the databases are copied, and the schedule for said copies. Secondly we must verify where and how the disaster recovery data is stored and if it is stored off site. Thirdly we must verify the documentation of the specified backup files with each system. The audit objective is to ensure that the risk of data being lost or manipulated is mitigated by having effective backup controls that can efficiently and fully restore any data that has been lost.
Interview Questions & Documents
Audit Objective one: Ensure that database has been effectively secured
Question One: How is sensitive information stored?
Question Two: What is the availability of access to the database, and what is the software policy of devices accessing the database?
Question Three: Are activities performed by both database users and administrators logged constantly?
Audit Objective Two: Ensure Necessary anti-viral software and system is free of malicious software
Question One: What is the current anti-viral software in place and what level of security does it provide?
Question Two: How often is this anti-viral software updated?
Question Three: What level of training do employees have in relation to anti-viral software and the effects of malware?
Audit Objective Three: Ensure that effective backup controls are in place
Question One: What is the time period when the backup is made and what is the backup schedule?
Question Two: Where are backups saved to? Are they offsite?
Question Three: In the event of a disaster, do data restoration services help identify and deliver the necessary files to the right departments in a manner which is timely?
We will also require access to documentation for the database to determine how security of the database is achieved and the process of recovery actions. This includes network documentation, hardware and software documentation, security and backup policies and documentation of database access. As well as this, we will require DFDs, system flow charts and ERPs to clarify the flow of data at Anthem.
Recommendations and Controls
Mitigating theft of data
Application Security, Inc. recommends database activity monitoring in prevention against (Barnes and Director, 2011). Anthem must implement and monitor an audit trail that accounts for access attempts made to the system and changes to the database and the activity of privileged users (Barnes and Director, 2011). This gives Anthem the opportunity to monitor access and determine if there are any accesses made at unusual times or from unusual locations. This then allows IT employees to determine if any unauthorized access into the database has been made in a timely manner.
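As an added example (not part of the original report, and not Anthem's or any vendor's code), the sketch below shows the audit-trail review recommended above and the login-time review in the audit plan: it flags access from an unusual location or at an unusual time and marks findings on privileged accounts. The log format, account names and per-user baseline are assumptions, and the records are constructed.

```python
from datetime import datetime

# Constructed audit-trail records: timestamp, account, source country, action.
AUDIT_LOG = """\
2015-01-26T09:14:02 dba_jones US LOGIN
2015-01-26T09:20:41 dba_jones US SELECT members
2015-01-27T02:47:10 dba_jones CN LOGIN
2015-01-27T02:49:55 dba_jones CN SELECT members
2015-01-27T10:05:13 clerk_lee US LOGIN
2015-01-27T22:30:00 clerk_lee US LOGIN
"""

# Assumed baseline per account: usual countries, working hours, privilege level.
BASELINE = {
    "dba_jones": {"countries": {"US"}, "hours": (7, 19), "privileged": True},
    "clerk_lee": {"countries": {"US"}, "hours": (8, 18), "privileged": False},
}

def review(log_text, baseline):
    """Return (timestamp, account, reasons) for every record needing follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, country, _action = line.split(maxsplit=3)
        when = datetime.fromisoformat(stamp)
        profile = baseline.get(user)
        if profile is None:
            # An account with no baseline cannot be judged normal, so report it.
            findings.append((stamp, user, ["unknown account"]))
            continue
        reasons = []
        if country not in profile["countries"]:
            reasons.append("unusual location")
        start, end = profile["hours"]
        if not start <= when.hour < end:
            reasons.append("unusual time")
        if reasons and profile["privileged"]:
            # Anomalies on administrator accounts are reviewed first.
            reasons.append("privileged account")
        if reasons:
            findings.append((stamp, user, reasons))
    return findings

if __name__ == "__main__":
    for stamp, user, reasons in review(AUDIT_LOG, BASELINE):
        print(stamp, user, ", ".join(reasons))
```
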
Anthem have neglected to encrypt sensitive information. Encrypting offers the prevention of unauthorized disclosure and access to the database and provides another line of security as it can prevent attackers from seeing data even if they’ve managed to gain access to an administrator’s account (Sesay et al., 2005).
To prevent initial data breaches, we recommend sharing data across networks. While these two networks may never actually interact with one another, it will in turn reduce incentive for future breaches at Anthem. Stolen sensitive information will duplicate existing information, automatically revealing that a breach has occurred (Roberds and Schreft, 2009). This allows for data breaches to be recognized immediately, and solves Anthem’s issue of not noticing the breach for up to several months.
Mitigating back door viruses and malware
Malware protection must be implemented across all devices used to access Anthem’s database. This is imperative as it is not required of healthcare providers or device makers to report events related to malware infections (Gomez et al.).
To counter this, we plan to employ a policy to prevent any unauthorized software on employee personal PCs that have access to the database. It is then also mandatory that anti-virus software be installed and kept up-to-date. Employee training is necessary to keep their system security up to date, and appropriate documentation on anti-virus must be provided (Fu and Blum, 2013). In addition to this, monitoring and restriction of employee internet access helps avoid phishing and hacking (Hawkins et al., 2000). This prevents the risk of damage to medical equipment and disruption to medical procedures (Fu and Blum, 2013).
Mitigating loss or manipulation of data
Since the extent of changed, lost or manipulated data is unknown inside Anthem’s database, it is important that the database can be fully recovered. We recommend outsourcing to a vendor that can back up on a daily basis granting Anthem the benefits of data restoration, alternate office space, backup sites and emergency lease of hardware. These benefits allow Anthem to regain their data in a timely manner from a previous, usable state (Hawkins et al., 2000).
As well as backing up data, it is important that routine backups are made. An intended system in this case is to have data stored on local area network servers each evening, and then to have the entire database backed up at the end of the week. This allows for data save states and helps facilitate backup and recovery procedures (Hawkins et al., 2000).
It is apparent that Anthem must cease refusal of audits and allow their system to be scanned for vulnerabilities and proper security controls put in place. As John Gomez, CEO of Sensato bluntly states in his article on “Cyber-Security in Healthcare”, “…the headlines in the media will not be about your organization’s loss of data; but about the loss of patient lives” (Gomez et al.).
The news article, “Health Insurer Anthem Hit by Hackers” published by “THE WALL STREET JOURNAL” used for this case study is linked below.
ANTHEM. 2006. Anthem Blue Cross and Blue Shield Joins Blue Plans Nationwide to Launch Largest Private Database of Health Care Information [Online]. Available: http://ir.antheminc.com/phoenix.zhtml?c=130104&p=irol-newsArticle&ID=892448 [Accessed 25/04/2015].
MATHEWS, A. W. & YARDON, D. 2015. Health Insurer Anthem Hit by Hackers [Online]. THE WALL STREET JOURNAL, BUSINESS: THE WALL STREET JOURNAL. Available: http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720 [Accessed 10/04/2015].
RAGAN, S. 2015. Anthem accused of avoiding further embarrassment by refusing audit [Online]. CSO: CSO. Available: http://www.csoonline.com/article/2893668/data-breach/anthem-accused-of-avoiding-further-embarrassment-by-refusing-audit.html [Accessed 27/04/2015].