As we all know, HealthCare.gov has had its struggles this past year.
The health insurance exchange website, which is operated by the federal government under President Obama’s Affordable Care Act, was hacked at least 16 times shortly after its launch in October of 2013.
Additionally, it was discovered in July of this year that a hacker had successfully uploaded malicious software to HealthCare.gov with the intention of using its systems for staging cyber attacks against other websites.
Since these attacks, however, federal officials have been working hard to enhance the site’s cybersecurity capabilities ahead of the website’s second enrollment season, which opened on November 15.
Among other things, special attention has been paid to ensuring the site’s compliance with existing governmental cloud computing standards, conducting daily scans and weekly hacking simulations, as well as improving the site’s ability to detect cyber attacks.
Challenges still remain, and federal information security professionals may find additional vulnerabilities in the website’s code. However, all reports suggest that the site has come a long way and will have a successful opening to its second enrollment season.
The progress HealthCare.gov has made over the past couple of months should be an example for the rest of us. Acknowledging this, here are a few cybersecurity lessons we can use to protect our own systems.
Know What Data to Protect
In order for information security professionals to secure a system, they must first understand the value of the data for which they’re ultimately responsible, said Brian Thomas, lead information security analyst at Hoag Hospital in Orange County, California.
In the case of HealthCare.gov, those who manage the site not only acknowledge that they are responsible for protecting patients’ medical information, but they are also aware of the risks that threaten people’s health data.
The cyber threats are many. A BitSight Insights report issued earlier this year found that the healthcare sector shares many characteristics with large retailers—namely, frequent security incidents and a slow response time.
These risks will increase as the healthcare sector continues to embrace digital information and the Internet of Things (IoT), such as by introducing more web-enabled medical devices and by creating web-hosted health insurance exchanges similar to HealthCare.gov.
Meanwhile, cybercriminals are well aware of the financial rewards associated with stealing people’s medical data. According to a report by EMC Corporation, whereas a credit card goes for one dollar on the black market, health insurance credentials go for $20.
As information security professionals, it’s necessary to understand why this data is important to customers, how it continues to change our increasingly data-driven world, and what cybercriminals want with it.
Testing Is An Absolute Necessity
One of the complaints following HealthCare.gov’s release last year was that the site had not been tested enough.
But as evidenced by their investment in weekly hacking simulations, those who help protect the revamped site are now more aware of the value of testing a system on an ongoing basis.
Anders Wallgren, CTO of Electric Cloud, understands the importance of testing a system frequently:
“Automating as much of the testing process as possible and testing early and often are the keys to any software development project. Eliminating manual testing processes provides more immediate feedback to busy developers, allowing them to fix things rapidly. This accelerates cycle time and, as more features are added to the site, helps to verify the functionality of those changes and features more quickly.”
This includes protecting against well-known bugs. “Federal cybersecurity teams must verify, among other things, that they’ve mitigated against the three major vulnerabilities: Heartbleed, Bash/ShellShock, and POODLE,” explains Thomas. “It would be a dark spot on their record if any of the sites were compromised using one of these well-known attack vectors.”
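One way to turn "verify that the three well-known vulnerabilities are mitigated" into a repeatable, automatable check is a small script that can run in a build pipeline or a daily scan. The following Python is an added illustration and not code from the article, Tripwire, or HealthCare.gov; the sample nginx configuration and OpenSSL version strings are constructed here for the demonstration. It checks an OpenSSL version string against the Heartbleed-affected range (1.0.1 through 1.0.1f), checks whether a web server configuration still enables SSLv3 (the protocol POODLE depends on), and runs the widely published ShellShock self-test against the local bash.

```python
import re
import shutil
import subprocess

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
# Letter suffixes are patch levels, so '' (plain 1.0.1) < 'a' < ... < 'f' < 'g'.
# (The 1.0.2-beta1 pre-release was also affected; it is not covered here.)
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def openssl_heartbleed_vulnerable(version_line: str) -> bool:
    """Return True if an 'openssl version' output line falls in the Heartbleed range."""
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_line!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if (major, minor, patch) != (1, 0, 1):
        return False  # 0.9.8, 1.0.0 and 1.0.2 releases were not affected
    return letter <= "f"  # 1.0.1 .. 1.0.1f affected; 1.0.1g and later fixed


# POODLE (CVE-2014-3566) requires SSLv3; the mitigation is to stop offering it.
def poodle_exposed_by_config(nginx_conf: str) -> bool:
    """Return True if any active nginx 'ssl_protocols' directive still lists SSLv3."""
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", nginx_conf, re.MULTILINE):
        if "SSLv3" in m.group(1).split():
            return True
    return False


# ShellShock (CVE-2014-6271): a vulnerable bash executes the code that trails an
# exported function definition. This is the standard local self-test; a patched bash
# prints only "test".
def bash_shellshock_vulnerable():
    """Return True/False for the local bash, or None if bash is not installed."""
    if shutil.which("bash") is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    result = subprocess.run(["bash", "-c", "echo test"], env=env,
                            capture_output=True, text=True)
    return "vulnerable" in result.stdout


def assess(openssl_version_line: str, nginx_conf: str) -> dict:
    """Bundle the three checks into one report suitable for a CI gate."""
    return {
        "heartbleed": openssl_heartbleed_vulnerable(openssl_version_line),
        "poodle": poodle_exposed_by_config(nginx_conf),
        "shellshock": bash_shellshock_vulnerable(),
    }


# Constructed sample inputs: a weak configuration and its hardened counterpart.
SAMPLE_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: SSLv3 still enabled
}
"""
HARDENED_NGINX_CONF = SAMPLE_NGINX_CONF.replace("SSLv3 ", "")

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF)):
        report = assess("OpenSSL 1.0.1e 11 Feb 2013", conf)
        print(label, report)
```

In a pipeline, the script exits non-zero when any finding is True, so a regression (an old OpenSSL package pulled in by a base image, or SSLv3 re-enabled in a config template) fails the build instead of reaching production.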
Make Defense a Cooperative Effort
When a previously buggy site is relaunched, as is the case with HealthCare.gov, it is important to get as much input as possible, even if it leads to opposing opinions.
“When you’re re-launching your website after a failed first launch, there is no room for egos,” advised Thomas. “Seek advice from IT admins and programmers on all levels. They often see potential problem spots, but they won’t speak up for fear of either political retaliation or being branded as an agitator.”
After all, as rightly noted by Lori MacVittie, a security evangelist for F5 Networks, there is always the potential that new flaws and vulnerabilities will be discovered:
“Inarguably, HealthCare.gov is trying to make usable an incredibly complex system that is bound to still have flaws and vulnerabilities, especially given the number of systems that must interact with every consumer. Rather than be defensive about the discovery of inevitable flaws, it would be an improvement to see the experts accepting of the submission of those discoveries with a desire to address them, to view it as a cooperative effort united behind the task of making the systems safer. Hubris is not a winning attitude when it comes to the (mis)handling of personal data.”
High Hopes for 2.0
HealthCare.gov has indeed suffered a few mishaps over the course of this past year. However, there are lessons to be learned from its story.
In order to protect any system, we as information security professionals must come to understand the value of the data we need to protect, of frequent testing, and of collaboration with our peers. Just as HealthCare.gov’s previous hacks and vulnerabilities have helped strengthen that system’s security, we can use its lessons to protect our own networks well into the future.
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology, and it detects the ShellShock and Heartbleed vulnerabilities.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].