Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Obamacare Website Suffers Few Hack Attacks

Affordable Care Act site has faced a relatively low volume of attacks, compared with other federal websites.

The beleaguered healthcare.gov website has scored a victory -- of sorts -- on the information security front: It's been targeted by online attackers only a small number of times -- far fewer than most US government websites.

Those attack-volume details became public Wednesday, when Roberta Stempfley, acting assistant secretary of the Department of Homeland Security's Office of Cybersecurity and Communications, told a House committee that based on reports -- largely from the Department of Health and Human Services, which under the Affordable Care Act (ACA) is in charge of implementing and managing the federal healthcare.gov website -- there have been just over a dozen cyber-attacks against healthcare.gov.

"We received about 16 reports from HHS that are under investigation and one open source report about a denial of service," said Stempfley. The open source report was apparently referring to an attack tool named "Destroy Obama Care!" that promised to launch distributed-denial-of-service (DDoS) attacks against healthcare.gov, and which had been offered for download through some social media sites.

[ What do companies do when they think passwords have been compromised? Read Facebook Forces Some Users To Reset Passwords. ]

Stempfley said that DDoS attack effort had failed.

For comparison's sake, how do the attacks against healthcare.gov stack up against other sites? One unnamed DHS official told ABCNews.com that the DHS website saw "228,700 cyber incidents" during 2012, which if averaged out equals about 626 attacks per day "involving federal agencies, critical infrastructure, and the department's industry partners."

The attack volume aside, members of the House Homeland Security Committee continued to ask: Is healthcare.gov secure?

In his opening remarks, Rep. Michael McCaul (R-Texas), the committee chair, called for the ACA to be halted until the kinks were ironed out of healthcare.gov. "We have a website that doesn't work," he said. "It seems to me that it ought to be delayed until that website is functional ... [and] we can receive assurances from the administration that these websites are secure, because of the personal data that's being put into them, into the exchanges."

Furthermore, asked McCaul, why wasn't Centers for Medicare and Medicaid Services (CMS), which is part of HHS and directly responsible for implementing healthcare.gov, working closely with DHS to protect the healthcare portal? "DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of healthcare.gov, the Health Exchanges, or the Federal Data Services Hub," McCaul said. "The only contact between DHS and CMS consisted of two emails and one phone call."

But Stempfley disagreed, saying that's not how government security efforts unfold. "It is not typical for a department or agency as they're building a specific application to involve DHS," she said. Furthermore, she noted, DHS shares extensive information security information with a number of agencies' CIOs and CISOs via the US government's CIO Council and CISO Advisory Councils. "We regularly communicate about threats in those forums," she said.

Even so, more advanced discussions are now underway, Stempfley told McCaul, including DHS detailing which of its "portfolio of capabilities and services" CMS might want to use for healthcare.gov. She said those discussions commenced on August 28 -- just one month before the healthcare portal's launch -- when the CISO of CMS approached DHS. Since then, however, the agency "has not yet received a specific request from CMS relative to the ACA systems, and has not provided technical assistance to CMS relative to ACA systems."

After the hearing, McCaul continued to question whether the healthcare.gov site was securely storing users' email addresses, phone numbers, birthdates, social security numbers, and personal health information. "This is a goldmine for hackers," McCaul told Reuters.

Metrics, data classification, governance, compliance, and your vendors, are all part of the risk management equation. The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make them fit and work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.