Why the HealthCare.gov breach matters

As you've heard by now, an attacker broke into a server used to test code for HealthCare.gov and uploaded malicious software. While there's no evidence that consumers' personal information was swiped, this is a very significant incident.

Like many of the other breaches that have made headlines over the past few months, this was the result of simple, compounded mistakes. A basic security flaw went overlooked, and it was assumed that because the system in question wasn't supposed to be connected to the internet, it wasn't high priority and didn't warrant continuous monitoring. But that's not a fair assumption: accidentally connecting a system like this to the internet is an easy mistake to make in a complex environment. That sort of thing happens all the time.


HHS knows there is a target on its back. And when that's the case, you can't afford to ignore anything on your network. In fact, Federal Government security standards now require continuous monitoring of systems for vulnerabilities, possible attacks and possible exploits. It's unclear to what degree HealthCare.gov has adopted continuous monitoring, although the length of time it took to detect the breach suggests there is room for improvement in this area.
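The two preceding paragraphs describe the failure mode (a test system assumed to be off the internet, and therefore left out of monitoring) and the control that is supposed to catch it (continuous monitoring). The following is an added example, not code from the article or from HHS or HealthCare.gov, of what a minimal version of that check looks like: reconcile an asset inventory's declared exposure against what an internet-side scanner actually sees, and flag systems that have gone unscanned. The inventory, the scan results, the hostnames and addresses, the internal address ranges and the 7-day scan limit are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Address ranges this hypothetical organisation treats as "internal". An explicit list is
# used instead of ipaddress's is_private, which also classifies documentation ranges such
# as 203.0.113.0/24 (used below for the constructed public addresses) as private.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: the exposure each system is *supposed* to have.
INVENTORY = [
    {"host": "test-web-01", "zone": "internal", "ips": ["10.20.4.15"],
     "last_scan": "2014-08-20T03:00:00Z"},
    {"host": "test-db-01", "zone": "internal", "ips": ["10.20.4.16", "203.0.113.40"],
     "last_scan": "2014-06-01T03:00:00Z"},  # quietly picked up a second, public address
    {"host": "edge-lb-01", "zone": "dmz", "ips": ["203.0.113.10"],
     "last_scan": "2014-08-25T03:00:00Z"},
]

# Constructed results from a scanner run outside the perimeter: what the internet sees.
EXTERNAL_SCAN = [
    {"ip": "203.0.113.10", "port": 443},
    {"ip": "203.0.113.40", "port": 22},
    {"ip": "203.0.113.40", "port": 8080},
]

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2014, 8, 26, tzinfo=timezone.utc)

# Remediation order: a system answering from the internet outranks a paperwork mismatch,
# which outranks a missed scan.
PRIORITY = {"internet_reachable": 1, "exposure_mismatch": 2, "stale_scan": 3}


def is_internal_ip(ip):
    """True if the address falls inside one of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def parse_utc(ts):
    """Parse an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, external_scan, now, max_scan_age_days=7):
    """Compare declared exposure with observed exposure and scan freshness.

    Returns a list of (host, finding, detail) tuples, most urgent first.
    """
    # Index the open ports the external scanner observed, by address.
    seen = {}
    for hit in external_scan:
        seen.setdefault(hit["ip"], set()).add(hit["port"])

    findings = []
    for asset in inventory:
        host = asset["host"]
        if asset["zone"] == "internal":
            for ip in asset["ips"]:
                # Declared internal, but holding an address outside the internal ranges.
                if not is_internal_ip(ip):
                    findings.append((host, "exposure_mismatch",
                                     f"declared internal but holds non-internal address {ip}"))
                # Declared internal, yet the internet-side scanner got an answer from it.
                if ip in seen:
                    ports = ",".join(str(p) for p in sorted(seen[ip]))
                    findings.append((host, "internet_reachable",
                                     f"{ip} answers from the internet on port(s) {ports}"))
        # Every asset, whatever its zone, must have been scanned recently.
        age_days = (now - parse_utc(asset["last_scan"])).days
        if age_days > max_scan_age_days:
            findings.append((host, "stale_scan",
                             f"last vulnerability scan {age_days} days ago (limit {max_scan_age_days})"))

    findings.sort(key=lambda f: (PRIORITY[f[1]], f[0]))
    return findings


def run_example():
    """Run the reconciliation over the constructed inventory and scan."""
    return reconcile(INVENTORY, EXTERNAL_SCAN, NOW)


if __name__ == "__main__":
    for host, finding, detail in run_example():
        print(f"{host:12} {finding:18} {detail}")
```

On the constructed data the only system flagged is the test database host: it holds a public address it was never supposed to have, the external scanner gets answers from it on two ports, and it has not been scanned for nearly three months. The DMZ load balancer is public by design and recently scanned, so it produces nothing. The point is that the inventory's "internal" label is an assertion to be verified by observation on a schedule, not a reason to stop looking.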

Will this be a wakeup call for the healthcare industry? Most large hospital systems invested significant resources into electronic medical record systems around the same time HealthCare.gov was being built. This event may force them to consider whether they're also big targets for cybercriminals, and what they can do to stay a step ahead of these adversaries.

This security event will be in the news for some time, and it will impact how consumers and patients perceive security and privacy. For many consumers, this will reinforce the idea that HealthCare.gov is a poorly planned and executed system, regardless of whether or not that's true. While we haven't seen a major backlash from consumers affected by recent retail breaches, I would argue that those handing over healthcare information have more skin in the game. Credit card fraud costs largely fall on banks instead of individuals. When extremely personal and sensitive health data is leaked, the public pays the price. If we see more events like Community Health Systems and HealthCare.gov, it seems likely that consumers will start paying attention and demanding changes.

What will change look like? At the moment, many security teams are struggling with data overload. They can't patch all the vulnerable systems, so they're playing whack-a-mole, addressing them at random or based on which ones are the easiest to fix. When they're this overwhelmed, regular and consistent network monitoring is next to impossible. Solutions and strategies that help them prioritize remediation efforts and shorten response times will break this vicious cycle and advance their vulnerability management program.


A senior DHS official said, "If this happened anywhere other than HealthCare.gov, it wouldn't be news." I actually agree with that statement, but it doesn't mean we should stop talking about this breach. This is a controversial, complex, central system that holds a lot of very sensitive data: if you build it, the attackers will come. High-profile organizations with the resources necessary to continuously monitor these systems can't afford to miss a problem like this.

Eric Cowperthwaite is Vice President of Advanced Security & Strategy with Core Security and the former CSO of Providence Health & Services, a healthcare delivery organization with 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA.
