Risk
10/2/2013
10:41 AM
50%
50%

Online Health Exchanges: How Secure?

Is the data hub created by Obamacare a hacker's dream?

Online health insurance exchanges debuted on Tuesday, and millions of Americans visited the sites to assess their eligibility for different plans and attempt to sign up. But the demand on the exchange portal sites apparently exceeded many state officials' expectations, leading to intermittent portal outages.

Fourteen states, plus the District of Columbia, are running their own health exchanges, as is the federal government, which is operating the HealthCare.gov exchange on behalf of more than 30 other states. One lingering question, however, concerns not just the long-term uptime and availability that consumers should expect from these exchanges, but whether they can handle people's personal data in a manner that maintains privacy while keeping it safe from hackers.

Already, systems being used to facilitate the Patient Protection and Affordable Care Act (ACA) -- aka Obamacare -- have been criticized as posing a large security risk because they're designed to handle numerous people's personal information. In the wrong hands, that data could prove lucrative for identity thieves or anyone who wanted to resell personal information on the underground market.

[ The closure of the federal government has broad implications on IT. Read more at Government Shutdown: What Are IT Systems Risks? ]

One particular concern is that the system's "data hub" -- a tool for routing a health exchange applicant's information to relevant government agencies, including the Internal Revenue Service -- will put people's personal information at risk.

"This data hub is a hacker's dream," alleged Rep. Kevin Brady (R-Texas) during an August House hearing involving top IRS and health department officials, reported the Houston Chronicle. "And I'm not sure who I most fear, someone from the outside or the government," he added, referring to the scandal that erupted earlier this year, when the IRS confirmed that a top official had been subjecting Tea Party groups to extra scrutiny when they applied for tax-exempt status.

Regardless of the politics at play, can the IRS be trusted with this information? To be sure, the agency has logged more than one data breach on its watch, and earlier this year, the Government Accountability Office reported that IT security holes in IRS networks were still putting taxpayer data at risk.

Furthermore, multiple government agencies will have access to some information as it gets routed through the data hub, said Christopher Rasmussen, a healthcare and privacy policy analyst for the Center for Democracy and Technology, in a July blog post. "For example, an individual's eligibility for a federal subsidy to purchase health insurance requires verification of income and family size from the Internal Revenue Service (IRS), immigration status from the Department of Homeland Security (DHS) and incarceration status from the Social Security Administration (SSA)," he said. Insurance companies will also use a single portal -- run by the Centers for Medicare & Medicaid Services (CMS) -- that gives them access to some of that information.

But CMS administrator Marilyn Tavenner emphasized to Congress in July that the data hub, which her agency administers, has been designed to keep people's personal information secure as well as private. Notably, she said, the hub will not store or retain any data used for vetting applications, but merely route it to its appropriate destination.

"The data hub is designed to query -- and pass along to insurance marketplaces -- only the minimum amount of information necessary from each government database to facilitate applicant enrollment," Rasmussen said.

Furthermore, after some delays, the CIO of CMS last month certified that the system is safe. Tavenner, meanwhile, has said that all CMS administrators have received thorough information security and privacy training.

Those preparations aside, states are really the ones on the security hook, given that they're running the health portals that comprise the Health Insurance Marketplace. Accordingly, the concern voiced by Rep. Brady of Texas -- over IRS involvement -- doesn't get to some of the larger security questions at play, such as whether states can be trusted to secure their residents' health exchange information.

Earlier this year, government technology journalist Alex Howard -- who's lauded Healthcare.gov for its clear design and use of open source technology -- singled out states as a potential weak point in the health exchange ecosystem. "My sense is that people are very nervous [about the potential for exploitable vulnerabilities -- and hack attacks -- against one or more of the exchanges being operated]," Howard told Slate.

Indeed, what if a group such as the Syrian Electronic Army managed to find and exploit some unforeseen vulnerability?

Then again, this isn't the first foray by the IRS, CMS, DHS, SSA and other agencies into handling people's personal information. Furthermore, should any one exchange suffer a hack attack, the data hub routing and multi-state exchange model means that it's extremely unlikely that the whole system would come crashing down.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/3/2013 | 6:24:38 PM
re: Online Health Exchanges: How Secure?
Respectfully, what slant are you seeing? Are are you just trolling?
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/3/2013 | 6:22:39 PM
re: Online Health Exchanges: How Secure?
The federal portal was *just* certified by CMS last month. Also the fundamental design decisions -- as noted by Alex Howard -- appear to be sound. States, of course, have a mixed track record when it comes to protecting residents' personal data, whether for health purposes or otherwise.
VenkatS
50%
50%
VenkatS,
User Rank: Apprentice
10/2/2013 | 5:57:12 PM
re: Online Health Exchanges: How Secure?
slanted commentary, full of innuendos. Will look for a balanced reporting on this else where.
ANON1247858079649
50%
50%
ANON1247858079649,
User Rank: Apprentice
10/2/2013 | 4:52:37 PM
re: Online Health Exchanges: How Secure?
It's been 4 years since the inception of ACA. Why did the security issue not get any headline until now? Really?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.