Why the HealthCare.gov breach matters

As you've heard by now, an attacker broke into a server used to test code for HealthCare.gov and uploaded malicious software. While there's no evidence that consumers' personal information was swiped, this is a very significant incident.

Like many of the other breaches that have made headlines over the past few months, this was the result of simple, compounded mistakes. A basic security flaw went overlooked, and it was assumed that because the system in question wasn't supposed to be connected to the internet, it wasn't high priority and didn't warrant continuous monitoring. But that's not a fair assumption: accidentally connecting a system like this to the internet is an easy mistake to make in a complex environment. That sort of thing happens all the time.

The HHS knows there is a target on its back. And when that's the case, you can't afford to ignore anything on your network. In fact, Federal Government security standards now require continuous monitoring of systems for vulnerabilities, possible attacks and possible exploits. It's unclear to what degree HealthCare.gov has adopted continuous monitoring, although the length of time it took to detect the breach suggests there is room for improvement in this area.

Will this be a wakeup call for the healthcare industry? Most large hospital systems invested significant resources into electronic medical record systems around the same time HealthCare.gov was being built. This event may force them to consider whether they're also big targets for cybercriminals, and what they can do to stay a step ahead of these adversaries.

This security event will be in the news for some time, and it will impact how consumers and patients perceive security and privacy. For many consumers, this will reinforce the idea that HealthCare.gov is a poorly planned and executed system, regardless of whether or not that's true. While we haven't seen a major backlash from consumers affected by recent retail breaches, I would argue that those handing over healthcare information have more skin in the game. Credit card fraud costs largely fall on banks instead of individuals. When extremely personal and sensitive health data is leaked, the public pays the price. If we see more events like Community Health Systems and HealthCare.gov, it seems likely that consumers will start paying attention and demanding changes.

What will change look like? At the moment, many security teams are struggling with data overload. They can't patch all the vulnerable systems, so they're playing whack-a-mole, addressing them at random or based on which ones are the easiest to fix. When they're this overwhelmed, regular and consistent network monitoring is next to impossible. Solutions and strategies that help them prioritize remediation efforts and shorten response times will break this vicious cycle and advance their vulnerability management program.

A senior DHS official said, "If this happened anywhere other than HealthCare.gov, it wouldn't be news." I actually agree with that statement, but it doesn't mean we should stop talking about this breach. This is a controversial, complex, central system that holds a lot of very sensitive data. If you build it, the attackers will come. High-profile organizations with the resources necessary to continuously monitor these systems can't afford to miss a problem like this.

Eric Cowperthwaite is Vice President of Advanced Security & Strategy with Core Security and the former CSO of Providence Health & Services, a healthcare delivery organization with 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA.
