Attacks/Breaches
11/15/2013
11:20 AM
50%
50%

Obamacare Website Suffers Few Hack Attacks

Affordable Care Act site has faced a relatively low volume of attacks, compared with other federal websites.

The beleaguered healthcare.gov website has scored a victory -- of sorts -- on the information security front: It's been targeted by online attackers only a small number of times -- far fewer than most US government websites.

Those attack-volume details became public Wednesday, when Roberta Stempfley, acting assistant secretary of the Department of Homeland Security's Office of Cybersecurity and Communications, told a House committee that based on reports -- largely from the Department of Health and Human Services, which under the Affordable Care Act (ACA) is in charge of implementing and managing the federal healthcare.gov website -- there have been just over a dozen cyber-attacks against healthcare.gov.

"We received about 16 reports from HHS that are under investigation and one open source report about a denial of service," said Stempfley. The open source report was apparently referring to an attack tool named "Destroy Obama Care!" that promised to launch distributed-denial-of-service (DDoS) attacks against healthcare.gov, and which had been offered for download through some social media sites.

[ What do companies do when they think passwords have been compromised? Read Facebook Forces Some Users To Reset Passwords. ]

Stempfley said that DDoS attack effort had failed.

For comparison's sake, how do the attacks against healthcare.gov stack up against other sites? One unnamed DHS official told ABCNews.com that the DHS website saw "228,700 cyber incidents" during 2012, which if averaged out equals about 626 attacks per day "involving federal agencies, critical infrastructure, and the department's industry partners."

The attack volume aside, members of the House Homeland Security Committee continued to ask: Is healthcare.gov secure?

In his opening remarks, Rep. Michael McCaul (R-Texas), the committee chair, called for the ACA to be halted until the kinks were ironed out of healthcare.gov. "We have a website that doesn't work," he said. "It seems to me that it ought to be delayed until that website is functional ... [and] we can receive assurances from the administration that these websites are secure, because of the personal data that's being put into them, into the exchanges."

Furthermore, asked McCaul, why wasn't Centers for Medicare and Medicaid Services (CMS), which is part of HHS and directly responsible for implementing healthcare.gov, working closely with DHS to protect the healthcare portal? "DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of healthcare.gov, the Health Exchanges, or the Federal Data Services Hub," McCaul said. "The only contact between DHS and CMS consisted of two emails and one phone call."

But Stempfley disagreed, saying that's not how government security efforts unfold. "It is not typical for a department or agency as they're building a specific application to involve DHS," she said. Furthermore, she noted, DHS shares extensive information security information with a number of agencies' CIOs and CISOs via the US government's CIO Council and CISO Advisory Councils. "We regularly communicate about threats in those forums," she said.

Even so, more advanced discussions are now underway, Stempfley told McCaul, including DHS detailing which of its "portfolio of capabilities and services" CMS might want to use for healthcare.gov. She said those discussions commenced on August 28 -- just one month before the healthcare portal's launch -- when the CISO of CMS approached DHS. Since then, however, the agency "has not yet received a specific request from CMS relative to the ACA systems, and has not provided technical assistance to CMS relative to ACA systems."

After the hearing, McCaul continued to question whether the healthcare.gov site was securely storing users' email addresses, phone numbers, birthdates, social security numbers, and personal health information. "This is a goldmine for hackers," McCaul told Reuters.

Metrics, data classification, governance, compliance, and your vendors, are all part of the risk management equation. The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make them fit and work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1414
Published: 2015-02-27
Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.

CVE-2015-2072
Published: 2015-02-27
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or...

CVE-2015-2075
Published: 2015-02-27
SAP BussinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.

CVE-2015-2076
Published: 2015-02-27
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.

CVE-2015-2101
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.