Report Spotlights HealthCare.gov Security WeaknessesGAO Cites More than 300 Security Incidents Involving Obamacare Marketplace
The Centers for Medicare and Medicaid Services reported more than 300 security incidents involving Obamacare's HealthCare.gov website over an 18-month period, according to a new Government Accountability Office report. But the study notes: "None of the incidents included evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information."
The report, which recommends numerous security and privacy control enhancements for the federal health insurance marketplace, says that between October 2013 and March 2015, CMS reported 316 security-related incidents affecting the Obamacare Web portal and its supporting systems. CMS is the unit of the Department of Health and Human Services responsible for overseeing HealthCare.gov.
"The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient," the report notes.
Only one incident, the GAO reports, "involved a confirmed instance of an attacker gaining access to a HealthCare.gov-related server. In that incident, the attacker installed malware on a test server that held no PII." (See: HealthCare.gov Hack: How Serious?).
Reacting to the report, eight GOP Senate and House committee chairmen sent a letter on March 23 to HHS Secretary Sylvia Mathews Burwell and CMS Acting Administrator Andy Slavitt seeking more details about each of the 316 HealthCare.gov security incidents reported by CMS.
Dan Berger, CEO of security consulting firm Redspin, says it's not surprising that there have been multiple attempts to break into HealthCare.gov "given this is a website with a large 'bullseye' painted on it. In addition to the amount of [personal information] it stores and processes, many hackers are motivated by the infamy that would result from hacking HealthCare.gov."
This is not the first time that a government watchdog agency has spotlighted HealthCare.gov security weaknesses. Previous reports by the GAO and HHS Office of Inspector General in 2014 and 2015 have also noted a variety of security shortcomings.
HealthCare.gov Security Shortcomings
In its latest report, the GAO says CMS has taken steps to protect the security and privacy of data processed and maintained by the systems and connections supporting Healthcare.gov, including the Federal Data Services Hub, which is a portal for exchanging information between the federal marketplace and other federal agencies.
But the GAO says it identified weaknesses in technical controls protecting the data flowing through the data hub. These included:
- Insufficiently restricted administrator privileges for data hub systems;
- Inconsistent application of security patches; and
- Insecure configuration of an administrative network.
The GAO also says it identified additional weaknesses in technical controls "that could place sensitive information at risk of unauthorized disclosure, modification or loss."
To address the various shortcomings, the GAO recommends that CMS:
- Define procedures for overseeing state-based Obamacare insurance marketplaces, including day-to-day activities of the relevant offices and staff;
- Require continuous monitoring of the privacy and security controls of state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities;
- Develop and document procedures for reviewing the State Based Marketplace Annual Reporting Tool, or SMART, including specific follow-up timelines and identifying corrective actions to be performed if deficiencies are identified. SMART is intended to collect information to be used as the basis for evaluating a state-based Obamacare marketplace's compliance with regulations and CMS standards.
In a separate report with limited distribution, the GAO says its recommended 27 actions to mitigate the various identified security and privacy weaknesses.
Also, the GAO notes that it separately "identified significant weaknesses in the controls at three selected state-based marketplaces" that were reported to the three states in September 2015. These included insufficient encryption and inadequately configured firewalls, among others. The GAO says the three states "generally agreed [to the agency's recommendations] and have plans in place to address the weaknesses."
HHS concurred with all of the GAO's recommendations, the report notes. "Further, it also provided information regarding specific actions the agency has taken or plans on taking to address these recommendations," the GAO states. "We also received technical comments from HHS, which have been incorporated into the final report as appropriate."
The HealthCare.gov security weaknesses the GAO identified are common problems faced by many private sector organizations, says Mac McMillan, CEO of security consulting firm CynergisTek. And if not addressed, these flaws can put data at risk, he contends.
"These are absolutely consistent with the challenges that other healthcare entities are dealing with, and more importantly creating a high percentage of our risk today," he says. "Studies by several organizations showed that many of the attacks last year took advantage of missing patches, for instance, for vulnerabilities that were well known."
McMillan says the 316 security incidents, which included attempted hacker attacks, highlight the urgency for the assorted weaknesses to be addressed.
"Given that this number represents the incidents that CMS reported officially, likely not the total number of events they experienced, it is significant and demonstrates a concerted interest in these sites by potential cybercriminals," he says. "Most concerning to me is the lack of active oversight and the periodicity of testing. In this environment, testing is a must to identify the very kinds of problems that they discovered - lack of patching, configuration errors - to resolve them before they can be exploited."
Lack of Oversight?
Jay Trinckes, senior practice lead at the security consulting firm Coalfire, says that of the weaknesses identified, the most concerning is the lack of oversight CMS has for the state-based insurance marketplaces. "In the report, GAO indicated that three of these marketplaces were identified with 'significant weaknesses that placed the data they contained at risk of compromise.' As more health information is digitized, it is more important than ever that these systems are maintained in a secure manner," he says.
It is important that Healthcare.gov "stays vigilant in its monitoring efforts and ensure they maintain a multitude of layers of defenses. Ensuring that they are capable of responding to security incidences immediately and mitigate identified issues will go a long way in keeping the site secure," he adds.
HHS did not immediately respond to Information Security Media Group's request for comment.