A hacker successfully breached a server used by the U.S. government insurance exchange site, serving as yet another example of the growing cybersecurity worries for the healthcare industry.
As has been widely reported, the HealthCare.gov insurance exchange portal was hacked in July. An initial investigation revealed that no sensitive personal data had been stolen by the hacker, according to the Department of Health and Human Services (HHS).
HHS is being aided by the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and the National Security Agency (NSA) in its ongoing investigation.
“There is no indication that any data was compromised at this time,” DHS spokesman S.Y. Lee said in a statement cited by the Wall Street Journal (WSJ). “DHS will continue to monitor the situation and help develop and implement precautionary mitigation strategies as necessary.”
During a routine security check on August 25, officials discovered that an offline test server protected by a default password was breached six weeks ago; logs showed the server was tapped from an Internet source, the WSJ reported.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” HHS said in its statement, clarifying that the hacker appeared to scan many websites to target at random. “We have taken measures to further strengthen security.”
The site still may not be in the clear, since the hacker was able to install malware on the server that could be used in future cyber attacks against the HealthCare.gov site and other websites that store vast amounts of demographic data from customers and patients. However, officials said the involved server does not connect to the critical sections of the insurance portal.
HealthCare.gov, created under the Patient Protection and Affordable Care Act, stores a wealth of personal and protected health information of insurance members and their families.
This includes valuable data such as Social Security numbers, financial information, addresses, medical history and other personal data, which hackers and criminals can use for nefarious purposes.
The breach is yet another wake-up call to the U.S. government, which has been derided as being lax in its approach to cybersecurity.
Critics weighed in on the issue:
“Today’s news that HealthCare.gov was hacked should come as a surprise to no one,” Sen. Orrin Hatch (R-Utah) said in an article in Politico. “Despite numerous warnings from myself and other lawmakers that security breaches were possible, HealthCare.gov underwent virtually no independent security testing. It’s yet another deeply disturbing failure of the president’s health law, and once again it is the American people who are bearing the brunt of the law’s failures.”
U.S. Rep. Diane Black (R-Tenn.) said in a written statement cited by the Washington Post: “IT experts have long warned about the lack of security built into the federal Obamacare website. The vast amount of personal information that Americans are required to put into this site is an open invitation for hackers.”
The HealthCare.gov site has been plagued by glitches since its launch on October 1, 2013, with many unable to access the site or being forced to submit multiple times amid a rush to beat deadlines that could cancel their insurance plans.
The cyber attack against HealthCare.gov follows the recent data breach and theft of data of some 4.5 million patients of Community Health Systems in the U.S. In April of 2014, Boston Children’s Hospital was also the target of a massive cyber attack, though the organization reported that no breach actually occurred.
These intrusions are occurring amid a spate of recent hacking attempts against other organizations and individuals outside the healthcare industry—such as JPMorgan, Home Depot, and Apple’s iCloud service. What’s even more worrisome is that industry watchers feel that healthcare is ill-prepared to deal with increasing cyber risks. Even the FBI recently issued a “flash alert” warning to healthcare organizations:
“The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)… These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.”
Experts say health IT security cannot be overemphasized, especially with the explosion of data generated not only in the formal clinical setting, but also from the burgeoning patient-generated health data emanating from sensors, wearables, and wellness apps.
Fortunately, there is a growing awareness of the need to ramp up cyber security efforts in healthcare, as evidenced by new initiatives like the newly formed Association for Executives in Health Information Security (AEHIS), which has been created to fill a need in the industry.
Hopefully such efforts will continue proactively, and not just in response to yet another healthcare security breach.