Shoring Up HealthCare.gov SecurityWith Obamacare's Future Solidified, Privacy Fears in Spotlight
The future of Obamacare seems more certain now that the Supreme Court has upheld subsidies for consumers who purchase policies on the federal health insurance exchange. As a result, it's more critical than ever for the federal government to ensure that personally identifiable information is adequately safeguarded on the HealthCare.gov website for the program, as well as state insurance exchanges, as they gear up for open enrollment in the fall.
See Also: The 5 Foundational DevOps Practices
In recent months, hackers have increasingly focused their attacks on government and healthcare systems. Targets of attacks have included the U.S. Office of Personnel Management and the Internal Revenue Service, as well as health insurers Anthem Inc. and Premera Blue Cross
That's why many security experts are calling attention to the need to make certain that systems supporting the Affordable Care Act, or Obamacare, programs are secure.
"Affordable Care Act insurance exchanges are a hodgepodge of programs operated by states and the federal governments," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "With the recent news of discovery of coordinated, highly sophisticated attacks on large government operated databases, as well as incidents involving large health insurers, it stands to reason that the information systems serving as the backbone to the health insurance marketplaces are an attractive target because of their size and the sensitivity of the information they hold."
Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, notes: "All large collections of sensitive personal data are at risk." When it comes to potential fraud, "healthcare data is considered more valuable on the open market," he says. "Obviously it matters how well they're protected."
Certainly, security of the federal HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states, has been under intense scrutiny since its rollout in the fall of 2013 during the first open enrollment season for Obamacare.
Congress, as well as government watchdog agencies, including the Government Accountability Office and the Department of Health and Human Services' Office of Inspector General, have examined whether the federal health insurance exchanges - and the 16 state-operated health insurance exchanges - have in place the processes and technology to prevent breaches involving consumers' personal information, including Social Security numbers.
For instance, in April, the OIG issued a report reviewing California's health insurance exchange - Covered California - and the security controls that were in place as of June 2014. The OIG found that California had implemented security controls for its website and databases for its health insurance exchange, but the watchdog agency said more improvements were needed.
OIG determined that California had not performed a vulnerability scan in accordance with federal requirements. Also, the GAO said that Covered California's security plan did not meet some of the Centers for Medicare and Medicaid Services' minimum requirements for protection of marketplace systems, and that Covered California did not have security settings for some user accounts. California officials, in their response to the report, said they planned to implement the OIG's recommendations related to vulnerability scans, security plans and user account settings.
A September 2014 GAO report examining HealthCare.gov security found that CMS - the Department of Health and Human Services unit responsible for the federal insurance exchange - had not always required or enforced strong password controls, adequately restricted systems supporting HealthCare.gov from accessing the Internet, consistently implemented software patches and properly configured an administrative network (see GAO: HealthCare.gov Has Security Flaws).
In addition to the HealthCare.gov exchange, another related potential target for hackers is HHS' Multidimensional Insurance Data Analytics System, or MIDAS, which a federal IT budget planning document describes as a "perpetual central repository for capturing, aggregating and analyzing information on health insurance coverage."
The GAO noted in its September 2014 report that MIDAS is intended to create summary reporting and performance metrics related to the federally facilitated marketplace and other HealthCare.gov-related systems by aggregating data, including PII, collected during the plan enrollment process. GAO found, however, that at the time of its review, CMS hadn't yet approved an impact analysis of MIDAS privacy risks "to demonstrate that it has assessed the potential for PII to be displayed to users, among other risks, and taken steps to ensure that the privacy of that data is protected."
In a recent report, the Associated Press noted a variety of concerns about MIDAS, including current plans for data to be retained indefinitely. "Despite [a] poor track record on protecting the private information of Americans, [the Obama administration] continues to use systems without adequately assessing these critical components," said Sen. Orrin Hatch, R-Utah.
CMS did not immediately respond to an Information Security Media Group request for an update on the security of the MIDAS system.
Health insurers, as well as health insurance exchanges and their related databases, are a potential target for hackers because "any collection of data that includes Social Security numbers is particularly vulnerable," notes security expert Tom Walsh, founder of the consulting firm tw-Security.
"Healthcare was doing a good job of eliminating Social Security numbers from our systems. In the old days, the SSN was a person's member number for their insurance. It was finally getting to the point where SSNs were less frequently collected and used in healthcare," he says.
However, under Obamacare, sensitive consumer data, including Social Security numbers and income information, is used on the insurance exchanges to help individuals enroll in insurance plans and qualify for subsidies, Walsh notes. "So healthcare is back in the SSN game again - especially insurance companies."
Ray Biondo, chief information security officer at insurer Health Care Services Corp. says that the federal government has been taking action to address cyberthreats.
"We have been partnering with the Department of Homeland Security and the FBI and sharing threat information," Biondo says. "They've been collaborative and cooperative and helping us in that space."
Still, all players in the healthcare arena are anxious about potential attacks, he admits. "Everyone is worried about being next."
Holtzman, the consultant, says it's important that politics don't get in the way of government agencies making the investments that are needed to shore up the security of health insurance exchange data.
"Everyone agrees that the federal and state governments should take decisive action to test existing information security safeguards on the systems that support the health insurance marketplace, and to take appropriate measures to ensure that the data, wherever it is held, is secured from the cybersecurity threat," he says.
"What concerns me is that in the long-running political debate over ACA, Congress has said that the HHS may not spend federal funds to support the development and implementation of the ACA. Perhaps it would be in the public interest to ensure that the fight over whether ACA is good policy does not prevent critical funds needed for investment in protecting the government information systems holding the personal information of millions of Americans from the cybersecurity threat."
Walsh says that protecting the health insurance exchanges also comes down to basics. "I was surprised when I read that the OPM did not encrypt data at rest. The government should lead by example and implement better security practices."
Tien of the Electronic Frontier Foundation, sums up his concerns: "The OPM example shows how pathetically lax information security can be. [The government] needs to make defense a priority and spend money on it."