Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Obamacare Website Suffers Few Hack Attacks

Affordable Care Act site has faced a relatively low volume of attacks, compared with other federal websites.

The beleaguered healthcare.gov website has scored a victory -- of sorts -- on the information security front: It's been targeted by online attackers only a small number of times -- far fewer than most US government websites.

Those attack-volume details became public Wednesday, when Roberta Stempfley, acting assistant secretary of the Department of Homeland Security's Office of Cybersecurity and Communications, told a House committee that based on reports -- largely from the Department of Health and Human Services, which under the Affordable Care Act (ACA) is in charge of implementing and managing the federal healthcare.gov website -- there have been just over a dozen cyber-attacks against healthcare.gov.

"We received about 16 reports from HHS that are under investigation and one open source report about a denial of service," said Stempfley. The open source report was apparently referring to an attack tool named "Destroy Obama Care!" that promised to launch distributed-denial-of-service (DDoS) attacks against healthcare.gov, and which had been offered for download through some social media sites.

[ What do companies do when they think passwords have been compromised? Read Facebook Forces Some Users To Reset Passwords. ]

Stempfley said that DDoS attack effort had failed.

For comparison's sake, how do the attacks against healthcare.gov stack up against other sites? One unnamed DHS official told ABCNews.com that the DHS website saw "228,700 cyber incidents" during 2012, which if averaged out equals about 626 attacks per day "involving federal agencies, critical infrastructure, and the department's industry partners."

The attack volume aside, members of the House Homeland Security Committee continued to ask: Is healthcare.gov secure?

In his opening remarks, Rep. Michael McCaul (R-Texas), the committee chair, called for the ACA to be halted until the kinks were ironed out of healthcare.gov. "We have a website that doesn't work," he said. "It seems to me that it ought to be delayed until that website is functional ... [and] we can receive assurances from the administration that these websites are secure, because of the personal data that's being put into them, into the exchanges."

Furthermore, asked McCaul, why wasn't Centers for Medicare and Medicaid Services (CMS), which is part of HHS and directly responsible for implementing healthcare.gov, working closely with DHS to protect the healthcare portal? "DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of healthcare.gov, the Health Exchanges, or the Federal Data Services Hub," McCaul said. "The only contact between DHS and CMS consisted of two emails and one phone call."

But Stempfley disagreed, saying that's not how government security efforts unfold. "It is not typical for a department or agency as they're building a specific application to involve DHS," she said. Furthermore, she noted, DHS shares extensive information security information with a number of agencies' CIOs and CISOs via the US government's CIO Council and CISO Advisory Councils. "We regularly communicate about threats in those forums," she said.

Even so, more advanced discussions are now underway, Stempfley told McCaul, including DHS detailing which of its "portfolio of capabilities and services" CMS might want to use for healthcare.gov. She said those discussions commenced on August 28 -- just one month before the healthcare portal's launch -- when the CISO of CMS approached DHS. Since then, however, the agency "has not yet received a specific request from CMS relative to the ACA systems, and has not provided technical assistance to CMS relative to ACA systems."

After the hearing, McCaul continued to question whether the healthcare.gov site was securely storing users' email addresses, phone numbers, birthdates, social security numbers, and personal health information. "This is a goldmine for hackers," McCaul told Reuters.

Metrics, data classification, governance, compliance, and your vendors, are all part of the risk management equation. The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make them fit and work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25826
PUBLISHED: 2020-09-23
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
CVE-2020-25821
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-3130
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
CVE-2020-3133
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
CVE-2020-3135
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...