Healthcare.gov full of holes

February 27, 2014

Security pros say the federal site is wide open to breaches, malware and theft of personal information



My local Target store still has a sign posted reminding customers that they can receive free credit monitoring and identity theft protection. It’s a make-good after the retailer’s massive data breach a few months ago.
Should Target hang its head in shame or should other businesses feel empathy because no system is 100% secure? It can happen to anyone? It’s probably all of the above.
But at least Target, with 2,000 locations, can patch its system and help the 110 million affected customers recover. In fact, the store was bustling during my Saturday morning visit, as if nothing had happened.


Gateway to trouble


If there were a security breach to healthcare.gov, the fallout would be far worse than anything Target has experienced. A breach could spread well beyond the core marketplace platform and into much larger and far-reaching systems, such as IT interfaces for nearly all the nation’s health insurers, state Medicaid agencies and the ubiquitous Internal Revenue Service, just to name a few.
According to Kevin Johnson, CEO of Secure Ideas, a security professional who testified before Congress recently about healthcare.gov, exposures on the site have been identified that leave the door open for cyber attacks. In the months since the 20 or more weaknesses were first documented, none of them have been fully remedied.
I called Johnson, and he told me there are generally two categories of vulnerabilities: hackers’ access to sensitive personal data; and hackers’ ability to launch malware through a site. Healthcare.gov has both of these problems, and federal officials were aware of them months ago.
A vulnerability report was presented by David Kennedy of TrustedSec, who is also known as the “white hat hacker” in IT circles. He engaged Johnson and five other experts to review his report in late 2013 and verify for lawmakers that he wasn’t kidding about the faults.
“Their initial reaction was that security is fine,” Johnson told me. “When more information was brought forward, the answer was that it wasn’t as bad as it seems.”
Healthcare.gov isn’t a typical site, in that it’s a gateway to so many other businesses and government entities. A breach could be disastrous.
“If you want to attack American citizens, this is the site to do it,” according to Johnson.
In fact, when the Department of Health and Human Services changed tech vendors for healthcare.gov recently, it gave me the illusion that better security was forthcoming at last. Johnson, however, believes the new vendor has an even worse track record and anticipates the site will be just as weak as it ever was.


Best practice


One of your best practices is to treat every interaction with healthcare.gov, or any state exchange site for that matter, as potentially dangerous to your security. Johnson says too many insurers will consider the exchanges to be trusted sources, with an assumption that what comes through a state or federal government channel must be secure.
“It’s critical that organizations start to embed this type of process into their development and purchasing,” he says. “Security is important, yet so many have treated it like something we can bolt on.”
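What "treating every interaction as potentially dangerous" looks like in code is a trust boundary: records arriving from an exchange feed are validated against an allowlist before anything downstream touches them, exactly as if they had come from an anonymous web form. The following is an added example written for this article, not code from healthcare.gov, any insurer, or the experts quoted; the record layout, field names and sample feed are constructed assumptions.

```python
"""Added example (not from the article): validate records from an
upstream exchange feed at the boundary instead of trusting the channel.
The field names, formats and sample records below are constructed."""
import re
from dataclasses import dataclass

# Allowlist schema for a hypothetical enrollment record: field -> (pattern, max_len).
# Anything not listed here is rejected rather than passed through.
SCHEMA = {
    "member_id": (re.compile(r"^[A-Z0-9]{8,12}$"), 12),
    "first_name": (re.compile(r"^[A-Za-z' -]+$"), 40),
    "last_name": (re.compile(r"^[A-Za-z' -]+$"), 40),
    "dob": (re.compile(r"^\d{4}-\d{2}-\d{2}$"), 10),
    "plan_id": (re.compile(r"^[A-Z]{2}\d{4}$"), 6),
}


@dataclass
class ValidationResult:
    ok: bool
    errors: list


def validate_record(record: dict) -> ValidationResult:
    """Return every problem found so the rejection can be logged in full."""
    errors = []
    # Unknown fields are a signal, not noise: log and reject them.
    for key in record:
        if key not in SCHEMA:
            errors.append(f"unexpected field: {key}")
    for key, (pattern, max_len) in SCHEMA.items():
        value = record.get(key)
        if value is None:
            errors.append(f"missing field: {key}")
            continue
        if not isinstance(value, str):
            errors.append(f"{key}: not a string")
            continue
        if len(value) > max_len:
            errors.append(f"{key}: too long ({len(value)} > {max_len})")
            continue
        if not pattern.match(value):
            errors.append(f"{key}: does not match allowed format")
    return ValidationResult(ok=not errors, errors=errors)


def filter_feed(records):
    """Split a feed into accepted records and rejected (record, errors) pairs."""
    accepted, rejected = [], []
    for rec in records:
        result = validate_record(rec)
        if result.ok:
            accepted.append(rec)
        else:
            rejected.append((rec, result.errors))
    return accepted, rejected


# Constructed sample feed: one clean record, one carrying markup in a name
# field (the kind of content that becomes stored XSS if trusted), and one
# smuggling a field the schema never defined.
SAMPLE_FEED = [
    {"member_id": "AB12345678", "first_name": "Ana", "last_name": "Lopez",
     "dob": "1980-04-12", "plan_id": "OH1234"},
    {"member_id": "CD87654321", "first_name": "Ana<b>x</b>", "last_name": "Smith",
     "dob": "1975-01-30", "plan_id": "OH5678"},
    {"member_id": "EF11112222", "first_name": "Bo", "last_name": "Chen",
     "dob": "1990-09-09", "plan_id": "OH9999", "admin": "true"},
]

if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for rec, errs in bad:
        print(rec.get("member_id"), errs)
```

The point of the allowlist is that the validator never has to know what an attacker might send; it only has to know what a legitimate record looks like, which is the one thing the receiving insurer can actually specify in its purchasing and development process.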


Read the blog by David Kennedy here