Privacy & Security Standards
Anthem, Inc. and its affiliates (“Anthem”) are committed to safeguarding the confidential information we receive from our consumers, clients and associates. We impose strict standards to maintain the confidentiality of personal information, and we use physical, technological and administrative safeguards to protect it.
Anthem maintains comprehensive enterprise-wide Privacy, Information Security and Corporate Security programs and policies. These efforts are led by its Chief Privacy Officer, Chief Information Security Officer and Chief Security Officer respectively.
At the heart of these programs are teams of seasoned privacy and security professionals who manage and execute Anthem’s well-established Privacy, Information Security and Corporate Security programs. Privacy and information security reports are provided to the Anthem Board of Directors, and the Audit Committee has responsibility for the oversight of compliance activities and the Standards of Ethical Business Conduct.
Anthem has continually evaluated and matured these programs, employing processes and procedures that are well-documented and repeatable. Anthem’s Privacy, Information Security and Corporate Security departments:
- Maintain a cross-functional incident response program to detect and respond to suspected privacy and security events
- Monitor and routinely assess these programs against both current and pending laws and regulations to ensure that Anthem remains aligned with applicable law, including HIPAA, HITECH, GLBA and other state and federal privacy and information security laws
- Manage a robust and comprehensive suite of policies and procedures to ensure that all Anthem associates (including affiliates and subsidiaries) are informed of and equipped for compliance
- Partner with relevant business areas to ensure alignment with applicable requirements
- Deliver periodic associate communications and reminders to provide education and reinforce awareness
At Anthem, our commitment to being a trusted resource for the consumers we serve is the cornerstone of all we do. Additional aspects of our Privacy, Information Security and Physical Security programs are outlined below.
Anthem operates in a highly regulated industry; federal and state laws and contractual commitments regulate the collection, use and disclosure of confidential information such as protected health information and personally identifiable information. Our success depends on maintaining a high level of trust among consumers, clients, providers, regulators and our associates. Protecting this information is crucial; this is reflected in our Standards of Ethical Business Conduct and privacy policies.
Our Privacy Office formulates Anthem’s privacy policies, reviews proposed laws and helps business leaders implement new privacy requirements. Each affiliate or subsidiary of Anthem follows these privacy policies. We also provide annual privacy training and communications, and we identify and monitor privacy risks.
We are focused on continuous improvement. Our policies are updated at least annually. We explore new ways of training and communicating with our associates to make sure they have the information and tools they need. For example, our interactive decision-making guides for call-center associates provide real-time counsel.
Our comprehensive privacy-incident response and prevention program educates associates on the importance of reporting all incidents immediately. Each incident is reviewed, and action is taken to address the issues identified, mitigate any potential impact and assess our obligations to notify consumers, clients, regulators, the media and others.
Information Security Program
The Information Security Department strives to mitigate the risk related to the security of confidential information, with guiding principles derived from both the HITRUST Common Security Framework (CSF) and the NIST Cybersecurity Framework. These principles include, but are not limited to:
- Minimize the Attack Surface. Identifying assets, business context, risks and governance, and investing in security awareness, application security and vulnerability detection and remediation, in an effort to reduce adversaries’ opportunities to attack us.
- Complicate Unauthorized Access. Deploying safeguards to protect resources and data, including identity and access controls, expanded protection and management of privileged accounts, and encryption of confidential information, so that misuse is as difficult as reasonably possible.
- Rapidly Detect, Respond to, and Contain Potential Threats. Holistic Cyber Security Operations Center (CSOC) monitoring and response, enhanced analytical capabilities and incident response readiness to identify and respond to threats faced by Anthem.
Our comprehensive program of information security procedures, programs and protocols is focused on:
- Safeguarding of our consumers’ and clients’ confidential information;
- The security of Anthem’s computer resources, infrastructure, data, and information assets;
- The training and education of Anthem associates on our security program and relevant industry trends;
- Oversight of relevant vendors’ observance of Anthem’s security requirements; and
- Alignment with regulatory and statutory requirements.
Anthem uses the HITRUST Common Security Framework (CSF), an industry-leading framework published by the Health Information Trust Alliance (HITRUST), as the foundation of our Information Security Program. The HITRUST CSF is reviewed annually, provides coverage across multiple standards and leverages nationally and internationally accepted standards, including those of the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI) and the International Electrotechnical Commission (IEC).
The HITRUST CSF is regularly updated to incorporate new and revised information security-related regulations, standards and frameworks, including those of federal and state regulators, as well as industry standards, to provide current, comprehensive and prescriptive coverage. Anthem utilizes regular reviews by trusted third parties to provide independent evaluation of the maturity of our cybersecurity program and leverages these evaluations to enhance our program governance, security processes and technical controls.
Anthem has maintained Common Security Framework (CSF) certified status from the Health Information Trust Alliance (HITRUST) since 2013 for its enterprise controls and primary claims systems; the certification covers those scoped systems rather than every Anthem system. The most recent HITRUST certification was obtained in 2018 and is valid for two years. To maintain HITRUST certification, organizations undergo annual reviews in addition to maintaining compliance with the framework and its requirements.
Information Security and Risk
Information security threats and risks are managed by a team of skilled professionals with experience from nationally recognized cybersecurity organizations. This extensive group of professionals is divided into teams that focus on key disciplines including:
- Information Security Policy
- Information Security Engineering
- Software Development Security
- Security Operations
- Identity and Access Management
- Information Security Risk Management
These seasoned professionals address all aspects of our information security program. Examples of key team activities and competencies include:
- The Information Security Policy and Technical Configuration Standards team considers best practices and industry trends in an effort to evolve our program’s policy, standards and oversight.
- Information Security Engineering provides direct and actionable security guidance in the use and adoption of technology solutions. Our architecture professionals examine business requirements, system rules, usage and configurations against related risks and threats, recommend controls such as disabling local administrator accounts, encryption and tokenization, and advise teams on how to better mitigate security risk and optimize the performance of security devices.
- Software Development Security focuses on implementing measures to enhance the security of our applications by working to identify and eliminate vulnerabilities before they are introduced into those applications, using a variety of internal and external tools and resources.
- Security Operations is committed to safeguarding our consumers’ and clients’ confidential information from internal and external cyber security threats 24x7x365 through:
- An array of technologies on desktops, laptops and servers to defend against known threats such as malware and identified vulnerabilities.
- Dedicated security monitoring and threat intelligence capabilities, including the ability to detect, analyze, respond to and escalate potential security events.
- Adversary simulation capability to model malicious attacks, provide original research and continually improve the security of systems and processes.
- Data monitoring that restricts sensitive data from leaving Anthem's boundaries for unauthorized use.
- Data loss prevention and protection capabilities to detect potential loss or unauthorized transfer of data (e.g., protected health information and Social Security numbers).
- Identity and access management programs that control which individuals are authorized to access confidential data, including password requirements, privileged access management and multi-factor authentication.
- Information Security Risk Management focuses on understanding and managing the potential risk landscape of Anthem’s enterprise, subsidiaries and affiliates including:
- Vendor security risk management
- Security certifications and external assessment programs
- Client relations
- Industry relations
- Vendor and client contracting
Equipping associates with the tools and skills needed to support Anthem’s Information Security Program is a priority of Anthem.
Providing annual security-awareness training is one of the ways Anthem helps to educate associates about everyday threats.
Our information security awareness training is reviewed at least annually and covers timely and relevant topics which can include social engineering, phishing, password protection, Anthem’s Information Security Program, confidential data protection, asset use, mobile security, among others.
Phishing awareness campaigns are also executed routinely in order to test associates’ ability to effectively identify and report potential phishing attempts.
Additional role-specific training is also offered, with specialized education appropriate to the role and its responsibilities, such as secure coding techniques and how to avoid common coding vulnerabilities.
Vendor Oversight Programs
Anthem’s commitment to safeguarding our consumers’ confidential information extends to our vendor relationships as well. Vendor oversight is a key component of our operations: when we engage vendors for leading or differentiating capabilities, we look for operational discipline and rigorous compliance with applicable laws and regulations, and we work to mitigate vendor-related risk to the enterprise.
Corporate Security’s mission is to foster a safe and secure work environment for all Anthem associates, visitors and guests, and to safeguard Anthem’s assets. The Corporate Security department focuses on the following areas:
- Security Operations;
- Employee Health & Safety;
- Risk & Intelligence;
- Security Technology; and
- Support Operations.
To accomplish its mission, Corporate Security performs the following key functions:
- Conducting site security assessments for Anthem-controlled office locations, using a risk-based approach to identify site-specific threats and vulnerabilities and ensuring sites remain compliant with enterprise standards.
- Leading and directing the contract security guard force.
- Operating a 24/7 security center which provides continuous monitoring of Anthem associates and applicable sites.
- Managing a threat management program, which utilizes a multi-disciplinary approach to investigate, assess, respond to, and mitigate potentially concerning communications and behavior, potential threats and apparent acts of violence.
- Providing safety and security training to Anthem associates, covering topics such as hostile intruder situations, safety in the workplace, workplace violence prevention, business travel, de-escalation training and safety tips for in-home workers.
Physical Security Training
In 2017, the Anthem Corporate Security team was honored with a United States Outstanding Security Performance Award from ASIS International. The award recognized the team’s situational awareness training initiative for Anthem associates. This training elevates associates’ awareness of physical security and the steps they can take to stay safe regardless of workspace or location. The comprehensive online training program addresses such security issues as active-shooter scenarios, safety working at home, personal safety, tips for visiting nurses, hostile-intruder situations, and domestic and international business travel.