HealthCare.gov Breach: The Ripple Effect - InformationWeek

Hackers breached a HealthCare.gov test server, reportedly affecting no records, but the repercussions could spread across many medical organizations.

Thursday's disclosure that hackers breached a HealthCare.gov test server this summer sparked more concern about the overall vulnerability of healthcare organizations and hope that the growing number of publicly disclosed hacks will encourage those organizations to expend more resources on securing data, networks, and systems.

A hacker installed malicious code on a device that had kept its default manufacturer's password. As a test server, it was not supposed to be hooked to the Internet, said Patrick Peterson, founder and CEO of security developer Agari in an interview. Either keeping the server unconnected or using tools that automatically change pre-set passwords would have prevented this vulnerability, he said. Because it shared the breach, HealthCare.gov should be lauded for its transparency, said Peterson.

This type of error is easily preventable, but is the kind of mistake that can occur at most organizations without proper training and IT management, said Ashley Leonard, president and CEO of Verismic Software:

I am sure it is unnerving for the public when our government's own systems get compromised by hacking. This, on top of the recent celebrity hacking, creates a distrust in cloud. However, if you look more closely at what has actually happened, systems are being penetrated by a combination of bad IT management and poor end-user training. I believe IT managers and software vendors need a better way to share information on vulnerabilities and how to patch them. The second concern is passwords; though passwords are set to protect our most sensitive data, we have a real issue today of using technology much older than most of us. At the very least we should be moving to pass phrases, two-factor authentication, or biometrics to protect our data.

Although federal officials were quick to reassure the public that no personal, financial, or health data was stolen, a chorus of dissent arose immediately given the amount of information HealthCare.gov houses and the number of alarms raised about the site's security weaknesses.

"IT experts have long warned about the lack of security built into the federal Obamacare website," said Congressman Diane Black (R-Tenn.), in a statement. "The vast amount of personal information that Americans are required to put into this site is an open invitation for hackers. That is why designing a secure website should have been a top priority for this Administration."

While politicians battle it out in Washington, D.C., CIOs and chief security officers might find it easier to wrest security funds from reluctant boards and CEOs. That can't happen soon enough, based on the industry's ongoing poor performance when compared with other sectors.

Last year, there were 276 breaches in healthcare, the largest number among the five verticals that the Identity Theft Resource Center reviewed, said John Pescatore, director of Emerging Security Trends at SANS. "Driven both by attempts to reduce cost and rushing to meet deadlines to meet federal requirements, the healthcare industry has failed to sufficiently build security into their systems -- the healthcare exchange websites are just one example," he said. "Security has been seen as increasing cost and slowing down schedule. CISOs' recommendations have been ignored, or postponed in attempts to 'sprinkle security on' post deployment. This has largely been the case over the past several years, leading to this growing trend of breaches in healthcare systems."

In light of recent hacking attacks at HealthCare.gov, JPMorgan Chase, Home Depot, and Community Health Systems, business leaders are more aware of risks -- and of the impact that breaches could have on their organizations, many security executives agreed. To date, many have spent more on electronic medical records (EMRs) and meeting Meaningful Use mandates than on security, but that must change, they noted.

"Healthcare needs to re-evaluate the resources they've allocated to EMR security. The last few years have seen most hospital systems deploy significant technology for EMRs, consumer technology to support clinical staff, patient portals, and much more," Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, said via email. "In fact, for large hospital systems, an EMR project can be on par with HealthCare.gov in terms of cost, resources, and project scope and scale. They will need to look at whether they have done at least as well as [the Department of Health and Human Services] on security, if not better."

This latest incident at HealthCare.gov could give IT executives more ammunition in their quest for better funding and resources.

"It is too early to tell specifically about HealthCare.gov, but when seen as part of the overall trend, this is without a doubt raising awareness and forcing a reordering of priorities and budgets," Gilad Parann-Nissany, CEO and co-founder of cloud developer Porticor, told InformationWeek.

Added Todd Feinman, CEO of Identity Finder: "CIOs should be using this as justification for much higher budgets to manage sensitive information and prevent data breaches proactively. Their job is at risk and this is a difficult problem to solve. They can now point to real evidence, instead of fear/uncertainty/doubt, that shows there is a need within their organization. We are seeing an increase in spend around sensitive data management due to the recent wave of data breaches."

The goal, however, is not perfection. No technology, no team or individual can assure total security, cautioned Agari's Peterson. Rather, CSOs and CIOs must improve healthcare security, reduce risk, and work together, just as financial institutions do, he said.

Many healthcare organizations have already implemented standards and tight security controls, said Wes Wright, senior vice president and CIO of Seattle Children's, via email. "Most good healthcare organizations have been concentrating on security since the beginning of HIPAA back in the early 2000s and then with the HITECH act. I think the HIT community is running as hard as they can to catch up, keep up with security," he said. "We may see more emphasis and interest, from the CEO and board levels, on an organization's security posture [although] not necessarily more activity, since I think we've actually reached a human resource-limited pace."

Consumers might not yet be as quick to switch doctors as they are to switch retailers (think Wal-Mart instead of Target), but that day could come if healthcare providers are complacent about security, executives warned. Patients also are becoming more critical of how and to whom they hand over their data, said Feinman.

Ultimately consumers will vote with their pocketbooks, even in healthcare, said Peterson. "At the end of the day, if you cross the consumer enough, you will not win the marketplace," he said.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
PaulS681 (User Rank: Ninja), 9/6/2014 | 1:28:45 PM
healthcare breaches

It's alarming how many breaches there continues to be. It's a good point about people not being so quick to switch doctors due to a breach. I can't imagine picking a doctor by how few breaches an office has had.

PaulS681 (User Rank: Ninja), 9/6/2014 | 1:31:48 PM
276 Breaches

There were 276 breaches last year, but how many go unreported? I thought I read somewhere that it depended on the severity of the breach whether it needed to be reported or not. I could be wrong, but if there is any truth to that, that is ridiculous.

Alison_Diana (User Rank: Author), 9/8/2014 | 9:41:45 AM
Re: 276 Breaches
You are correct, @PaulS681: Breaches don't have to be reported unless they affect more than 500 people. So if your doctor's office loses a drive that, say, contains records of 467 people, s/he doesn't need to report that... even if it happens 10 times in a month.

Alison_Diana (User Rank: Author), 9/8/2014 | 9:47:12 AM
Re: healthcare breaches
I agree, @Paul, that it's not the first -- or fifth or sixth -- consideration many of us have when choosing a doctor! But I think, at some point, it could well make the list when people select a hospital. Sure, many experts say consumers are getting numb to breaches, but I believe anger will occur after numbness, and that anger could well crop up with healthcare providers since we sometimes have so little choice in their selection once you go through the insurance hoops.

progman2000 (User Rank: Ninja), 9/8/2014 | 10:41:21 AM
Re: 276 Breaches
Ew, that's disturbing. I have never heard that before (a breach doesn't need to be reported unless it affects more than 500 people). Is that a healthcare thing?

Alison_Diana (User Rank: Author), 9/8/2014 | 11:02:00 AM
Re: 276 Breaches
Yes. It is a healthcare rule, which can be found under the HHS website. You can copy/paste the link, below, to see the so-called Wall of Shame and rules surrounding reporting of healthcare breaches. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

David F. Carr (User Rank: Author), 9/8/2014 | 12:29:07 PM
Just a test server, but ...
The one reason I can see why the hacking of a test server should be of concern is that it potentially gives an attacker insight into the technical architecture that would also be used on live servers, providing a roadmap for attacks on them.

Otherwise, I can't see this as much of a hair on fire moment. It's not really a "breach" at all, just a garden variety dumb mistake.

Ed Telders (User Rank: Apprentice), 9/8/2014 | 12:35:58 PM
Re: 276 Breaches
Actually, that is not quite accurate. Breaches of over 500 must be reported quickly to HHS and no later than 60 days after their discovery. But breaches of under 500 are still required to be reported; the difference is that they must be reported within 60 days after the end of the calendar year in which they are discovered. They simply have more time to report, and if there are a series of them they would be reported in a batch together. So it does have to be reported, but not in a timely manner; it is after the end of the calendar year.

Alison_Diana (User Rank: Author), 9/8/2014 | 4:54:42 PM
Re: 276 Breaches
Thanks for clarifying, Ed. You're right.

Alison_Diana (User Rank: Author), 9/8/2014 | 4:56:43 PM
Re: Just a test server, but ...
One thing that concerned one exec is that, in the future, IT folk may not fess up but will instead conceal these mistakes because they don't want to deal with all the furor. In turn, that will weaken the system further, making it easier for breaches to occur -- and data to actually get stolen. Not sure of the legalities at play here, but if there are situations when IT is voluntarily disclosing mistakes, I don't think they should be excoriated for it.