HealthCare.Gov Hack: How Serious?
InfoSec Experts, Politicians Dissect What Went Wrong
In the aftermath of news of the hacking of a HealthCare.gov test server, security experts and politicians are assessing the seriousness of the attack and lessons that can be learned from it.
The Department of Health and Human Services disclosed on Sept. 4 that malware had been uploaded to the Obamacare test server back in July. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated, and was not designed to exfiltrate personally identifiable information. No consumer data was exposed in the incident, officials say (see HealthCare.Gov Server Hacked).
The attack is refueling political scrutiny of the Obamacare insurance exchange website and systems. House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., announced on Sept. 4 that HHS' Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner "must testify" at a Sept. 18 committee hearing about HealthCare.gov "woes".
"The committee will continue to push for answers from the administration and Administrator Tavenner must testify on the subject of transparency, accountability and information security, alongside the Government Accountability Office," Issa said.
On Sept. 17, the GAO plans to issue a report on HealthCare.gov security issues, as was requested "by numerous members of Congress," a GAO spokesman tells Information Security Media Group (see Expanded HealthCare.gov Scrutiny Sought).
HealthCare.gov has become a political football in the debate over Obamacare. Purdue University Computer Science Professor Gene Spafford, who has testified about IT security before Congress, says many lawmakers seem to care more about scoring political points than solving the problem of fixing the website. "Healthcare.gov is one of the bits of collateral damage in this kind of struggle," he says.
While politicians move quickly to dissect the recent incident and overall HealthCare.gov security, HHS continues to evaluate the attack and lessons that can be learned.
"Forensic analysis continues to determine how the incident occurred," a CMS spokesman tells ISMG. "A variety of actions have been taken to prevent future incidents, including blocking the IPs and domains identified as hostile and disconnecting and decommissioning the affected server. The public-facing systems at the data center currently have the malware identification/protection tool installed."
In addition, the CMS spokesman says "an agency-wide review of all Internet-connected machines, including all test servers at the Terremark data center, was initiated after the incident was contained." Terremark, a unit of Verizon, hosts the HealthCare.gov website.
"A review of the systems and documentation will follow as part of the lessons learned to ensure improved detection capabilities and incident management practices," the CMS spokesman says.
Also, the CMS spokesman says Verizon has provided information to the agency, including images for servers that were potentially impacted, a network topology map, and an updated IP and subnet list. The vendor is also working with CMS and HHS to increase the storage capacity of a security appliance, and is working with other agencies to implement additional network monitoring devices for the site.
The hacking of the HealthCare.gov test server could be an indicator of a new trend of hackers conducting careful reconnaissance of a network they intend to attack at a later date, says Samuel Visner, senior vice president and general manager for cybersecurity at ICF International, a technology and management advisory firm. "The exploiter burns some calories to characterize the network they tend to attack," he says. "That they went after a test server on a preproduction system gives me a sense that these people are serious and that they're disciplined. That's what we find in the most significant attacks today. This is part of the trend of attacks moving from the purely opportunistic to highly tailored, and that tailoring includes good reconnaissance."
The fact that the hacker intrusion was discovered is good news, Visner says, suggesting that someone in the government was doing their job.
Still, valuable code could have been exposed to the hackers because the point of a test server is to test code. "While it's fortunate that no PII was exposed, [the server likely] did expose the code for the application, configuration data and other details that could enable an attacker to find and exploit another vulnerability," says Jeff Williams, chief technology officer at Contrast Security, which provides application testing services. "Who knows whether the attacker was savvy enough to steal the code? But if they did, then you can be sure that they are scouring the binaries for weaknesses."
David Shaw, chief technology officer at security consulting firm Redspin, says that, for example, internal source code and staff usernames and passwords could have been on the server. "It depends what they were using the test server for," he says.
Common Targets for Attack
Other security experts say that hacking of non-production systems or test servers is common. "High-profile, complex, central systems that hold a lot of very sensitive data are going to be a target because they potentially have a lot of frailties and vulnerabilities that can be exploited," says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security and a former healthcare system CISO. It appears that in the HealthCare.gov incident, "a test server that wasn't supposed to be connected to the Internet was exposed," he adds.
A lesson from hacker attacks, Cowperthwaite says, is that "in large, complex networks, there are many vulnerabilities, and we've got to do a better job in identifying these and monitoring for changes."
Mike Lloyd, chief technology officer at RedSeal Networks, a security and risk management consulting firm, says the HealthCare.gov incident "shows how easily mistakes can occur. In this case, the mistake had mild consequences, but could have been much worse - in that sense, it's a strong wake-up call."
"When a new host goes 'live' on the Internet, it will generally be found via scanning, and very likely attacked, within a matter of a few minutes," Lloyd says. "This means that an operational error can cause problems, even if quite quickly found and fixed. It very clearly shows how easily vulnerabilities can be 'added' - meaning that even if a network is clean today, it is still fragile, and can easily develop a new vulnerability tomorrow. Operators make mistakes, and new vulnerabilities are continuously being discovered."
Value of Risk Assessments
To avoid similar hacking incidents, government agencies and other organizations need to conduct regular risk assessments as well as perform continuous monitoring, security experts advise.
"Attackers are using automation routinely. Defenders must do the same - automate the hunt for weaknesses," Lloyd says. "Organizations need to understand that network exposure is a serious problem - it's hard for people to map out their network attack surface, to find unexpected exposures. Fortunately, automated network analytics can make this near-impossible task quite easy."
With so many unanswered questions about the hack against the HealthCare.gov test server, it's difficult to discern what lessons can be learned, says Purdue's Spafford. "And that's a problem with a lot of these breaches and incidents. We don't know their extent ... we don't know the perpetrators. And that makes it much, much more difficult to assess damages and [know] what to do afterward to clean up."