Privacy & Security Standards
Anthem, Inc. and its affiliates (“Anthem”) are committed to safeguarding the confidential information we receive from our consumers, clients and associates. We impose strict standards to maintain the confidentiality of personal information, and we use physical, technological and administrative safeguards to protect it.
Anthem maintains comprehensive enterprise-wide Privacy, Information Security and Corporate Security programs and policies. These efforts are led by its Chief Privacy Officer, Chief Information Security Officer and Chief Security Officer respectively.
At the heart of these programs are teams of seasoned privacy and security professionals that manage and execute Anthem’s well-established and dedicated Privacy, Information Security and Corporate Security programs. Privacy and information security reports are provided to the Anthem Board of Directors, and the Audit Committee has responsibility for the oversight of compliance activities and the Code of Conduct.
Anthem has continually evaluated and matured these programs, employing processes and procedures that are well-documented and repeatable. Anthem’s Privacy, Information Security and Corporate Security departments:
- Maintain a cross-functional incident response program to detect and respond to suspected privacy and security events
- Monitor and routinely assess its programs against both current and pending laws and regulations to ensure that we remain aligned with applicable law including HIPAA, HITECH, GLBA and other state and federal privacy and information security laws
- Manage a robust and comprehensive suite of policies and procedures to ensure that all Anthem associates (including affiliates and subsidiaries) are informed of and equipped for compliance
- Partner with relevant business areas to ensure alignment with applicable requirements
- Deliver periodic associate communications and reminders to provide education and reinforce awareness
At Anthem, our commitment to being a trusted resource for the consumers we serve is at the cornerstone of all we do. Additional aspects of our Privacy, Information Security and Physical Security programs are outlined below.
Anthem operates in a highly regulated industry; federal and state laws and contractual commitments regulate the collection, use and disclosure of confidential information such as protected health information and personally identifiable information. Our success depends on maintaining a high level of trust among consumers, clients, providers, regulators and our associates. Protecting this information is crucial; this is reflected in our Code of Conduct and privacy policies.
Our Privacy Office formulates Anthem’s privacy policies, reviews proposed laws and helps business leaders implement new privacy requirements. Each affiliate or subsidiary of Anthem follows privacy policies. We also provide annual privacy training and communications and identify and monitor risks.
We are focused on continuous improvement. Our policies are updated at least annually. We explore new ways of training and communicating with our associates to make sure they have the information and tools they need. For example, our interactive decision-making guides for call-center associates provide real-time counsel.
Anthem’s Records and Information Management policy and procedures support Anthem’s record retention, storage, retrieval, and disposal. Annual review of policy and procedures and training is incorporated into the program. The Records Retention Schedule requirements are informed by federal, state, contractual, and administrative requirements.
Information Security Program
The Information Security Department strives to mitigate the risk related to the security of confidential information, with guiding principles derived from both the HITRUST Common Security Framework (CSF) and the NIST Cybersecurity Framework. This includes but is not limited to:
- Minimize the Attack Surface. Identifying assets, business context, risks, governance, security awareness, application security and vulnerability detection and remediation in an effort to reduce adversaries’ opportunities to attack us.
- Complicate Unauthorized Access. Deploying safeguards to protect resources and data, identity and access controls, expanded protection and management of privileged access accounts and encryption of confidential information for the purpose of making it as difficult as reasonably possible for misuse to occur.
- Rapidly Detect, Respond to, and Contain Potential Threats. Holistic Cyber Security Operations Center (CSOC) monitoring and response, enhanced analytical capabilities and incident response readiness to identify and respond to threats faced by Anthem.
- Align Security Initiatives to Business Priorities. For Information Security to be successful, our work must enable the business, not inhibit it. As the business evolves, we evolve with it to ensure it does so securely.
- Maximize Operational Excellence. Anthem continually searches for ways to enhance our security processes and programs.
Our comprehensive program of information security procedures, programs and protocols is focused on:
- Safeguarding of our consumers’ and clients’ confidential information;
- The security of Anthem’s computer resources, infrastructure, data, and information assets;
- The training and education of Anthem associates on our security program and relevant industry trends;
- Oversight of our relevant vendors’ observance of Anthem’s security requirements; and
- Alignment with regulatory and statutory requirements.
Anthem achieved HITRUST CSF Certified status from HITRUST in 2013, 2015, 2017, 2018, and 2020 for Anthem’s Commercial business environment (WGS Claims), and in 2016, 2018, and 2020 for Anthem’s Government Business Division (GBD Facets). Certification was obtained through the HITRUST CSF Assurance Program, which is based on the information security and privacy framework most widely used by United States and global health care organizations.
The HITRUST CSF is an overarching security and privacy framework that incorporates and leverages the existing security requirements placed upon healthcare organizations, including federal (e.g., HIPAA and HITECH), state, third party (e.g., PCI and COBIT), and other government agencies (e.g., NIST, FTC, and CMS).
Anthem’s 2020 HITRUST CSF Assessments were performed by an independent third-party services firm that is authorized to perform HITRUST CSF Assessments. HITRUST certification comprises a core subset of the HITRUST CSF controls, totaling 75 controls. Across those 75 controls, Anthem was assessed on its ability to meet over 640 unique Baseline Security Requirement Statements, organized across the following 19 domains:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Third-Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
Information Security and Risk
Information security threats and risks are managed by a team of skilled professionals with experience from nationally recognized cybersecurity organizations. This extensive group of professionals is divided into teams that focus on key disciplines including:
- Information Security Policy
- Information Security Engineering
- Software Development Security
- Security Operations
- Identity and Access Management
- Information Security Risk Management
These seasoned professionals address all aspects of our information security program. Examples of key team activities and competencies, include:
- Information Security Policy and Technical Configuration Standards considers best practices and industry trends in an effort to evolve our program’s policy, standards and oversight.
- Information Security Engineering provides direct and actionable security guidance in the use and adoption of technology solutions. Our architecture professionals examine business requirements and systems rules, usage and configurations against related risks and threats (e.g., disabling local administrator accounts, encryption and tokenization), providing support to detail how teams can better mitigate security risk and optimize the performance of security devices.
- Software Development Security focuses on implementing measures to enhance the security of our applications by working to identify and eliminate the potential introduction of vulnerabilities within those applications, using a variety of internal and external tools and resources.
- Security Operations is committed to safeguarding our consumers’ and clients’ confidential information from internal and external cyber security threats 24x7x365 through:
  - An array of technologies on desktops, laptops and servers to defend against known threats such as malware and identified vulnerabilities.
  - Dedicated security monitoring and threat intelligence capabilities to detect, analyze, respond to and escalate potential security events.
  - Adversary simulation capability to model malicious attacks, provide original research and continually improve the security of systems and processes.
  - Data monitoring which restricts sensitive data from leaving Anthem's boundaries for unauthorized use.
  - Data loss prevention and protection capabilities to detect potential loss or unauthorized transfer of data (e.g., protected health information and social security numbers).
  - Identity and access management programs to manage the authorized individuals that have access to confidential data, including password requirements, privileged access management, and multi-factor authentication.
- Information Security Risk Management focuses on understanding and managing the potential risk landscape of Anthem’s enterprise, subsidiaries and affiliates including:
  - Vendor security risk management
  - Security certifications and external assessment programs
  - Client relations
  - Industry relations
  - Vendor and client contracting
The world of information security is ever evolving. Anthem has a strong commitment to train and enhance the knowledge of our associates. With a dynamic landscape, change is the only constant. How do we keep up with it? Anthem works to keep security training on each associate’s radar.
Security Awareness and Training
Providing security awareness training is one of the ways Anthem helps to educate associates about everyday threats.
- Our information security program awareness training is reviewed at least annually and covers timely and relevant topics which can include social engineering, phishing, password protection, confidential data protection, acceptable asset use, and mobile security, among others.
- Content can include policy statements, videos, and interactive activities.
- Content is periodically updated to remain current with the landscape.
- Associates must pass a knowledge test to demonstrate understanding.
One of the more common ways systems can be compromised involves attackers trying to convince someone to hand over access credentials. One way this is done is through phishing. What is phishing?
According to the U.S. Cybersecurity & Infrastructure Security Agency...
“Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”1
Anthem routinely conducts phishing awareness campaigns to help associates effectively identify and report potential phishing attempts.
Data Use & Release Policy
Our success depends on maintaining a high level of trust among consumers, clients, providers, regulators and our associates. Protecting this information is crucial; this is reflected in our Code of Conduct, Data Use and Release Policy, and Corporate Privacy Policies and Procedures. Anthem maintains a Data Use & Release Policy and reinforces awareness through periodic campaigns. This training helps our associates understand their role and to be diligent to help prevent inappropriate data disclosures. More in-depth Data Use & Release Policy training is offered to associates in data-related roles.
At Anthem, training is highly valued and encouraged. It is one of the key ways our team stays up to date with knowledge and defensive techniques to protect the data you trust us with on a daily basis.
Vendor Oversight Programs
Anthem’s commitment to safeguarding our consumers’ confidential information extends to our vendor relationships as well. Vendor oversight is a key component to our operations as we look to engage leading and/or differentiating capabilities, operational discipline, compliance rigor with applicable laws and regulations and mitigating vendor related risk to the enterprise.
Corporate Security’s mission is to foster a safe and secure work environment for all Anthem associates, visitors and guests, and for the safeguarding of Anthem’s assets. The Corporate Security department focuses on the following areas:
- Security Operations;
- Employee Health & Safety;
- Risk & Intelligence;
- Security Technology; and
- Support Operations.
To accomplish its mission, Corporate Security performs the following key functions:
- Conducting site security assessments for Anthem-controlled office locations, using a risk-based approach to identify site-specific threats and vulnerabilities and ensuring sites remain compliant with enterprise standards.
- Leading and directing the contract security guard force.
- Operating a 24/7 security center which provides continuous monitoring of Anthem people and applicable sites.
- Managing a threat management program, which utilizes a multi-disciplinary approach to investigate, assess, respond to, and mitigate potentially concerning communications and behavior, potential threats and apparent acts of violence.
- Providing safety and security training to Anthem associates, covering topics such as hostile intruder situations, safety in the workplace, workplace violence prevention, business travel, de-escalation training and safety tips for in-home workers.