APnews.com is reporting that hackers have breached the healthcare.gov system. Their report says “a government computer system that interacts with HealthCare.gov was hacked earlier this month, compromising the sensitive personal data of some 75,000 people, officials said Friday.”
ZDNet.com reports, “The system is named Federally Facilitated Exchanges (FFE), and is managed by the Centers for Medicare and Medicaid Services (CMS). Healthcare insurance agents and brokers use the FFE to enroll users into Obamacare plans made available through the official HealthCare.gov portal.”
The breach was reported on Tuesday, October 16, 2018, and the direct enrollment pathway for agents and brokers has been disabled. It is expected that direct enrollment will be back up within a week.
To give you an idea of how the security industry is responding to this breach, we are providing reaction from several of the industries top cybersecurity experts.
Michael Magrath, Director, Global Regulations & Standards, OneSpan, Inc.
“The breach of the Federally Facilitated Exchanges (FFE) reinforces the need for all insurers (private and public) to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law published in late 2017. Although written for states to adopt, there is nothing prohibiting the federal government from mandating tighter cybersecurity controls in its own programs, especially when it comes to protecting sensitive personally identifiable information (PII) such as health insurance information.
“The NAIC’s Model Law closely resembles the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) which took effect in March 2017 with multiple phases. A key provision of the regulation is the use of multi-factor authentication “to protect against unauthorized access to Nonpublic Information or Information Systems”. With Nonpublic information being the individual’s private information.
“How the breach occurred has not been made public as the investigation is likely ongoing. However, as reported in Verizon’s 2017 Date Breach Investigations Report, “81% of hacking-related breaches leverage either stolen and/or weak passwords.” With that in mind, there is a strong likelihood that if multi-factor authentication was mandated it may have prevented the FFE breach.
“In May, South Carolina became the first state to adopt the NAIC’s Model Law with the “South Carolina Insurance Data Security Act” As an FFE state, the citizens of South Carolina would benefit from the new law. However, the new law will not go into effect until January 1, 2019. “
Justin Jett, Director of Audit and Compliance for Plixer
“This is another case of third-party vendor software being vulnerable to attacks. The Federally Facilitated Exchanges (FFE) allows third-party agents the ability to enroll users into plans under the Affordable Care Act (ACA) via healthcare.gov. This means that individuals can opt to have an agent enroll them in coverage without creating a login on healthcare.gov directly. While this breach affects a small number of the millions of people that have enrolled through the exchanges, it does highlight a problem with creating third-party access systems for vendors and agents to access the main system. IT professionals should always install such systems with a zero-trust policy, and they should be monitored continuously to verify that only authorized users are gaining access to the system. Specifically, network traffic analytics should be used to baseline normal third-party access and alert when something is out of place. In the case of the Centers for Medicare & Medicaid Services (CMS), it seems that appropriate systems like this were in place to alert officials to “anomalous system activity,” which helped CMS close the back door before more information could be taken.”
Alex Calic, Strategic Technology Partnerships Officer for The Media Trust
“The hacking of healthcare.gov appears to have taken place through the accounts of third-party agents and brokers who sell individual and small business plans in the marketplace. This method of attack comes as no surprise for several reasons. First, third parties are often less secure than their clients and provide trusted connections to clients’ networks. Once in, bad actors can gather sensitive information that citizens and organizations had entered in order to access government services. Second, while the breach could have been undertaken in numerous ways, spear phishing remains a weak link among government organizations, so it’s possible the accounts were compromised in this way. Third, US agencies, like many private sector organizations, too often take a reactive approach to information security.”
Pravin Kothari, CEO of CipherCloud
“Healthcare data has remained at the center of the bullseye for cyber attackers for several years. The reason? Healthcare records provide the most comprehensive data set available for any individual. Stolen healthcare data facilitates identity theft and for this reason, is highly prized by cyber thieves. Given the assumption that attackers will get into your network, it becomes essential to use new best practices that can stop reconnaissance within your network, highly limit movement within the network using segmentation, and encrypt and protect all of your data end-to-end.”
Zohar Alon, CEO, Dome9
“Malicious actors targeted the behind-the-scenes system that insurance agents used to help customers directly enroll in new plans, and not the consumer Healthcare.gov site itself. Attackers will always target the weakest point-of-entry into networks and that’s why organizations must continuously monitor the threat landscape in real-time and enforce security discipline across all assets, including connected sites. Continuous compliance is essential to keeping sensitive information safe and secure while maintaining public trust.”
Jacob Serpa, product marketing manager, Bitglass
“Unfortunately, in this breach of 75,000 users’ records, who was affected (as well as what data was exposed) has yet to be determined. While the government is working to uncover this information and provide resources like credit protection to those affected, US citizens are essentially left with no option other than to wait and see how much of their personal details have been leaked.
Because Social Security numbers and other sensitive, personal information may have been exposed, it’s likely that affected users will be dealing with the consequences of this event for the foreseeable future. This breach should serve as yet another reminder that all organizations must ensure that their cybersecurity platforms are robust, flexible and proactive enough to detect and respond to new threats as they arise. This is particularly true for government bodies that are responsible for protecting citizen information.”
Ruchika Mishra, director of products and solutions, Balbix
“While we don’t know exactly what information was exposed in the Healthcare.gov breach, we do know citizens who sign up for healthcare plans include their names, addresses and social security numbers. If this kind of data was exposed, users could face issues of identity theft and more.
As so often happens in security breaches, it wasn’t the central consumer-facing site that was breached but an ancillary system used by insurance agents. This breach shows once again that no entity, not even the U.S. government, is immune from the dangers posed by hackers. To best combat these issues, an organization must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”
For users and security professionals alike, the challenge is evermore becoming how to avoid becoming desensitized to breaches like this. They come at an ever-increasing rate and so staying vigilant is increasingly more important yet more difficult at the same time.
By: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief