CyberScout

What the HealthCare.gov Breach Means for Health Industry Security

What the HealthCare.gov Breach Means for Health Industry Security

When the federal health insurance marketplace HealthCare.gov was launched in October 2013, IT security experts were concerned about the potential for data breaches and other security glitches. Now their fears might be realized after government officials said the site experienced a breach that was detected on Aug. 25, The New York Times reported

Hackers managed to infiltrate a test server and infect the device with malware. The site was also the target of a denial of service attack that aimed to overload its systems and take it offline.

The Centers for Medicare and Medicaid Services (CMS) operates the federal health insurance marketplace's website. The site serves residents in 36 states for health insurance coverage and began enrollment on Oct. 1, 2013. Aaron Albright, a spokesman at CMS, said an evaluation showed the test server did not store consumer personal information and data was not stolen from the agency, according to the Times.

Criticism After Breach
While the breach did not reveal sensitive information, the attack reflects common security problems that may put systems operated by the health care industry at risk, according to Information Week.

The HealthCare.gov site may have been affected by issues with password security as the test server had a default password that was not changed after it was obtained from the manufacturer, Albright said. The server that was hacked also did not have security scans. 

Although it was a test server that was affected, hackers could use the security flaw they discovered to exploit other parts of a health organization's network infrastructure, according to Infosecurity Magazine

in response to the breach, some politicians are criticizing the federal government's ability to protect consumer health information, according to the Times.

IT security professionals said the security flaws that allowed cybercriminals to hack into HealthCare.gov's test server could have been prevented. 

"If you build a high-profile, complex, central system that holds a lot of very sensitive data, it's going to be a target," said Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security, in a note to Infosecurity. "There's no getting around that. When you're a known target, you can't afford to ignore anything on your network."

Lessons Learned After Breach
Despite the site being a giant target by cybercriminals, Cowperthwaite said he was surprised the government missed the chance to address known issues, according to Infosecurity Magazine. 

Although IT security experts said HealthCare.gov was lucky it did not experience a more significant breach, they do warn this should be a wake up call for organizations to put more resources toward cybersecurity, according to Information Week. 

"It is too early to tell specifically about HealthCare.gov, but when seen as part of the overall trend, this is without a doubt raising awareness and forcing a reordering of priorities and budgets," Gilad Parann-Nissany, CEO and co-founder of  cloud developer Porticor, told InformationWeek.