5 Obamacare Health Site Security Warnings

Early shakedowns of the health insurance exchange websites show they are vulnerable to cross-site request forgery, clickjacking and cookie attacks, among other risks.

4. Fake Sites

Which health insurance exchange sites are real? "The health insurance exchange isn't made up of a single, authoritative site where people can go and register for coverage," said Christopher Budd, threat communications manager for Trend Micro, in a blog post. "In addition to the federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage," he said.

Although the federal site does use SSL to verify its authenticity, "a survey of state and third-party sites also shows that official sites aren't required to provide the ability to verify the site using SSL" -- and many don't. "As people look for health care exchanges, they're going to be faced with potentially hundreds or thousands of sites that claim to be legitimate, but [they] won't be able to easily verify that claim," except based on how a site looks, said Budd.

Accordingly, many security experts have recommended that -- just as with banking sites and PayPal, among other sites -- people never, ever click a link to the site that's in an email they've received, or use an online search to find the site. Instead, type the URL into the address bar, to avoid poisoned search results or phishing attacks. Or for healthcare, simply call one of the exchange phone numbers, or visit an office in person, recommended Budd.

5. Scam Psychology

How many people would willingly divulge not just their own social security number, but the numbers for everyone in their family? For health exchanges, that's essential information, which means consumers might soon find themselves being targeted by scammers posing as health insurance exchange brokers.

"Most of us won't give our social security numbers out willingly. But when it comes to healthcare, the industry uses that information so regularly that we've come to accept handing that information over as a matter of course -- even if we don't like it," said Budd. Accordingly, consumers should beware parting with that information, unless they've first verified the identity of the caller or website with which they're planning to share it.

Expect Marketplaces To Be Targeted

Just how risky are all these threats? In the case of the code-level flaws found by HP's Shah, she characterized the information security risks not as vulnerabilities, but rather "red flags." Budd's warnings center on scam psychology and the threat of fake websites, which already threaten numerous types of sites.

But given the high profile of and other portals, as well as the sensitive information they handle, it wouldn't be surprising if identity thieves, at least, do begin probing and other sites' weaknesses. "The site handles the sensitive information of millions of Americans: health history, identity, tax records and more," Shah said. In short, consumers will need all the security they can get.
