11:20 AM

Obamacare Website Suffers Few Hack Attacks

Affordable Care Act site has faced a relatively low volume of attacks, compared with other federal websites.

The beleaguered website has scored a victory -- of sorts -- on the information security front: It's been targeted by online attackers only a small number of times -- far fewer than most US government websites.

Those attack-volume details became public Wednesday, when Roberta Stempfley, acting assistant secretary of the Department of Homeland Security's Office of Cybersecurity and Communications, told a House committee that based on reports -- largely from the Department of Health and Human Services, which under the Affordable Care Act (ACA) is in charge of implementing and managing the federal website -- there have been just over a dozen cyber-attacks against

"We received about 16 reports from HHS that are under investigation and one open source report about a denial of service," said Stempfley. The open source report was apparently referring to an attack tool named "Destroy Obama Care!" that promised to launch distributed-denial-of-service (DDoS) attacks against, and which had been offered for download through some social media sites.

[ What do companies do when they think passwords have been compromised? Read Facebook Forces Some Users To Reset Passwords. ]

Stempfley said that DDoS attack effort had failed.

For comparison's sake, how do the attacks against stack up against other sites? One unnamed DHS official told that the DHS website saw "228,700 cyber incidents" during 2012, which if averaged out equals about 626 attacks per day "involving federal agencies, critical infrastructure, and the department's industry partners."

The attack volume aside, members of the House Homeland Security Committee continued to ask: Is secure?

In his opening remarks, Rep. Michael McCaul (R-Texas), the committee chair, called for the ACA to be halted until the kinks were ironed out of "We have a website that doesn't work," he said. "It seems to me that it ought to be delayed until that website is functional ... [and] we can receive assurances from the administration that these websites are secure, because of the personal data that's being put into them, into the exchanges."

Furthermore, asked McCaul, why wasn't Centers for Medicare and Medicaid Services (CMS), which is part of HHS and directly responsible for implementing, working closely with DHS to protect the healthcare portal? "DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of, the Health Exchanges, or the Federal Data Services Hub," McCaul said. "The only contact between DHS and CMS consisted of two emails and one phone call."

But Stempfley disagreed, saying that's not how government security efforts unfold. "It is not typical for a department or agency as they're building a specific application to involve DHS," she said. Furthermore, she noted, DHS shares extensive information security information with a number of agencies' CIOs and CISOs via the US government's CIO Council and CISO Advisory Councils. "We regularly communicate about threats in those forums," she said.

Even so, more advanced discussions are now underway, Stempfley told McCaul, including DHS detailing which of its "portfolio of capabilities and services" CMS might want to use for She said those discussions commenced on August 28 -- just one month before the healthcare portal's launch -- when the CISO of CMS approached DHS. Since then, however, the agency "has not yet received a specific request from CMS relative to the ACA systems, and has not provided technical assistance to CMS relative to ACA systems."

After the hearing, McCaul continued to question whether the site was securely storing users' email addresses, phone numbers, birthdates, social security numbers, and personal health information. "This is a goldmine for hackers," McCaul told Reuters.

Metrics, data classification, governance, compliance, and your vendors, are all part of the risk management equation. The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make them fit and work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio