BreachExchange mailing list archives

More Data Vulnerabilities, Cyber Breaches Detected in Healthcare Exchanges


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Oct 2015 19:03:03 -0600

http://www.jdsupra.com/legalnews/more-data-vulnerabilities-cyber-82314/

Government audits continue to reveal that millions of people’s personally
identifiable information is at risk. Continuous audit reports by the Office
of the Inspector General (OIG) of The Department of Health and Human
Services (HHS) reveal that online health care insurance exchanges could be
the next juicy target for hackers looking for consumers’ personal
information. To date, the OIG has identified security vulnerabilities in
the federal exchange, and in the state exchanges in California, Kentucky,
and New Mexico. While all the audited entities have begun the necessary
bulwarking of their exchanges, there is room for improvement.

The health care exchanges are online marketplaces for subsidized insurance
set up as part of the Affordable Care Act (ACA). The ACA gives each of the
states the option to utilize the federal exchange or build their own.
Although there is a unique interface to each of the exchanges in the 12
states that have built their own, they all allow consumers to input
biographical information to determine coverage and compare rates. These
data include names, dates of birth, social security numbers, citizenship
statuses, passport numbers, financial information, employment information,
and incarceration histories. The OIG found that the audited exchanges fail
to comply with federal security requirements and thus create the potential
for hundreds of millions of users’ personal information to be compromised.
The detected vulnerabilities include bugs, unencrypted user sessions,
inadequate authentication, and inadequate password protection. Some
exchanges – both federal and state – have already been targeted by overseas
hackers. The Government Accountability Office (GAO) is expected to release
a report later this year detailing multiple cybersecurity incidents
involving the federal exchange.

The rules for health care exchange cybersecurity are promulgated by the
Centers for Medicare and Medicaid Services (CMS). The rules state, “PII
[personally identifiable information] should be protected with reasonable
operational, administrative, technical, and physical safeguards to ensure
its confidentiality, integrity, and availability and to prevent
unauthorized or inappropriate access, use, or disclosure.” CMS has issued
guidance for state exchange security, listing several critical controls,
including malware protection, data loss prevention, controlled use of
administrative privileges, data recovery capability, and penetration tests.

In its audits, the OIG measured the exchanges’ security against the CMS
rules and guidance, as well as against other federal laws such as the
Health Insurance Portability and Accountability Act (HIPAA). True to its
word, the OIG has conducted additional audits on the federal and state
exchanges, and has discovered faults in other technical areas such as the
eligibility verification process. Following the Feds’ lead, state auditors
are also uncovering cybersecurity weaknesses in the exchanges.

If an exchange is targeted in a cyberattack, it is unclear whether
consumers would be notified if their information were stolen (with the
exception of exchanges where HIPAA or state law corollaries apply, as these
laws dictate specific notification procedures). While many states have laws
in place that specify protocols for consumer notification, the federal
government has no obligation to inform consumers if their personal
information is stolen.

While there are no clear indications that consumer data has been stolen
from the exchanges as of yet, observers will not know for certain until the
GAO releases its forthcoming 2015 report. In the meantime, the exchanges
remain tantalizing targets for hackers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 