CMS: HealthCare.gov Security Bolstered
Agency 'Strengthening Defenses' as Open Enrollment Nears
The Centers for Medicare and Medicaid Services says it has implemented a number of security improvements to the HealthCare.gov website and systems as the agency gears up to launch the second annual open enrollment period for the Affordable Care Act.
The steps to bolster HealthCare.gov security come in the wake of intense Congressional scrutiny following the rocky launch of the Obamacare site on Oct. 1, 2013. While HealthCare.gov opened on Nov. 10 for "window shopping" of healthcare coverage, consumers can't sign up for insurance until Nov. 15.
CMS is the unit of the Department of Health and Human Services responsible for implementing the Affordable Care Act, including its HealthCare.gov website that supports a federally facilitated marketplace for health insurance on behalf of about 37 states.
"We have a responsibility to do everything we can to ensure consumers' privacy and security - and we will be vigilant," CMS says in a statement provided to Information Security Media Group. "We know that no website is invulnerable, so in addition to strengthening our defenses, we have invested in new detection tools and in improving our ability to respond to cybersecurity events quickly and effectively at all times."
In addition to implementing new monitoring and breach detection tools, CMS says it has also taken a number of other steps to bolster protection of consumer data. That includes:
- Daily security scans to help determine if malware or other signs of unauthorized access exist;
- Weekly penetration testing by security experts focused on finding vulnerabilities that can be exploited in the system;
- Quarterly security control assessments by independent, private-sector third parties to determine if vulnerabilities exist;
- Remediation of vulnerabilities and mitigation plans for open findings; and
- Regular incident response exercises simulating a range of scenarios.
In addition to those steps, a CMS spokesman says CMS will implement by Nov. 15 the 22 technical recommendations in a recent Government Accountability Office report, as promised by CMS Administrator Marilyn Tavenner during testimony at a Sept. 18 Congressional hearing about HealthCare.gov security (see HealthCare.gov Security Fixes Promised).
GAO noted in the report that specifics of the 22 technical recommendations were not widely disclosed because of concerns about adversely affecting security. In addition to the technical recommendations, GAO also made six executive recommendations to improve HealthCare.gov security, including performing a comprehensive security assessment of the federally facilitated marketplace's infrastructure, platform and all deployed software elements.
During her testimony at the September hearing, Tavenner said that CMS was "in the process" of implementing all six executive recommendations made by GAO.
Also in September, HHS disclosed a hacking attack on a HealthCare.gov test server that involved malware being uploaded. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate personally identifiable information. No consumer data was exposed in the incident, officials said.
In addition to the Sept. 18 hearing where Tavenner testified, the security of HealthCare.gov has been the focus of numerous other Congressional hearings in the last year and continues to be a topic for scrutiny, especially by the GOP. In addition to those previous Congressional probes, another hearing is slated on Nov. 19 by the House Science, Space and Technology Committee's oversight subcommittee. Committee Chair Lamar Smith, R-Texas, last month issued a subpoena to Todd Park, former U.S. chief technology officer, to testify about his role in developing and evaluating the operations and security of HealthCare.gov (see New GOP HealthCare.gov Security Probe).
Work in Progress
While CMS has been taking measures to bolster security, as well as iron out other technical issues that caused havoc during last year's open enrollment season, HHS officials have also been trying to prepare the public for potential hiccups this time around.
"We will have things that won't go right. We will have outages; we will have downtime," said HHS Secretary Sylvia Mathews Burwell on Nov. 10 during a discussion hosted by the Center for American Progress, according to a news report by The Hill. "Something will happen. What we need to do is be transparent, be fast and get it fixed."
One security expert says that HealthCare.gov data protection, while improved, may need more work.
"It looks like CMS is taking many of the appropriate steps necessary for improving the security of HealthCare.gov," says Dan Berger, CEO of security consulting firm Redspin. However, Berger says he remains concerned about two issues.
"First, I assume Web application security testing has been done on the website. However, these are not 'one and done' types of assessments," he says. "They should be conducted at least two to three times per year and certainly after any new major release of the application."
Second, "I don't see social engineering testing or security awareness training on the [CMS] list" of security enhancements, he says. "The most likely breach of the HealthCare.gov website will be a targeted attack vector that uses social engineering tactics to get HealthCare.gov employees to disclose their credentials," he contends.
With credentialed access, "hackers can frequently leverage their presence on the network to obtain sensitive information," he warns.
But Mac McMillan, CEO of the security consultancy CynergisTek, argues that the steps CMS is taking to improve HealthCare.gov security "far exceed the ... best practice in healthcare in general, so you'd be hard pressed to say they are not taking security seriously. The level of discipline described here, and the periodicity of activities, suggests that they would detect any anomalies in the system quickly, which contributes to mitigating incidents."
The most important step CMS is taking, McMillan says, is "the regular testing of both the controls and the technical environment. Half of winning the battle with would-be attackers is understanding and addressing your own weaknesses. They're doing that."