Security pros say the federal site is wide open to breaches, malware and theft of personal information
My local Target store still has a sign posted reminding customers that they can receive free credit monitoring and identity theft protection. It’s a make-good after the retailer’s massive data breach a few months ago.
Should Target hang its head in shame, or should other businesses feel empathy because no system is 100% secure and it can happen to anyone? It’s probably all of the above.
But at least Target, with 2,000 locations, can patch its system and help the 110 million affected customers recover. In fact, the store was bustling during my Saturday morning visit, as if nothing had happened.
If there were a security breach to healthcare.gov, the fallout would be far worse than anything Target has experienced. A breach could spread well beyond the core marketplace platform and into much larger and far-reaching systems, such as IT interfaces for nearly all the nation’s health insurers, state Medicaid agencies and the ubiquitous Internal Revenue Service, just to name a few.
According to Kevin Johnson, CEO of Secure Ideas, a security professional who testified before Congress recently about healthcare.gov, exposures on the site have been identified that leave the door open for cyber attacks. In the months since the 20 or more weaknesses were first documented, none of them have been fully remedied.
I called Johnson, and he told me there are generally two categories of vulnerabilities: those that give hackers access to sensitive personal data, and those that let hackers launch malware through a site. Healthcare.gov has both of these problems, and federal officials were aware of them months ago.
A vulnerability report was presented by David Kennedy of TrustedSec, who is also known as the “white hat hacker” in IT circles. He engaged Johnson and five other experts to review his report in late 2013 and verify for lawmakers that he wasn’t kidding about the faults.
“Their initial reaction was that security is fine,” Johnson told me. “When more information was brought forward, the answer was that it wasn’t as bad as it seems.”
Healthcare.gov isn’t a typical site, in that it’s a gateway to so many other businesses and government entities. A breach could be disastrous.
“If you want to attack American citizens, this is the site to do it,” according to Johnson.
In fact, when the Department of Health and Human Services changed tech vendors for healthcare.gov recently, it gave me the illusion that better security was forthcoming at last. Johnson, however, believes the new vendor has an even worse track record and anticipates the site will be just as weak as it ever was.
One of your best practices is to treat every interaction with healthcare.gov, or any state exchange site for that matter, as potentially dangerous to your security. Johnson says too many insurers will consider the exchanges to be trusted sources, with an assumption that what comes through a state or federal government channel must be secure.
“It’s critical that organizations start to embed this type of process into their development and purchasing,” he says. “Security is important, yet so many have treated it like something we can bolt on.”
Read the blog by David Kennedy here