As you’ve heard by now, an attacker broke into a server used to test code for HealthCare.gov and uploaded malicious software. While there’s no evidence that consumers’ personal information was swiped, this is a very significant incident.
Like many of the other breaches that have made headlines over the past few months, this one was the result of simple, compounded mistakes. A basic security flaw went overlooked, and because the system in question wasn’t supposed to be connected to the internet, it was treated as low priority and not monitored continuously. That is not a safe assumption – accidentally exposing a system like this to the internet is an easy mistake to make in a complex environment, and it happens all the time.
HHS knows there is a target on its back. And when that’s the case, you can’t afford to ignore anything on your network. In fact, Federal Government security standards now require continuous monitoring of systems for vulnerabilities, possible attacks and possible exploits. It’s unclear to what degree HealthCare.gov has adopted continuous monitoring, although the length of time it took to detect the breach suggests there is room for improvement in this area.
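The failure mode described above, a system assumed to be isolated that quietly ends up reachable from the internet, is cheap to check for if you already have an asset inventory and firewall flow records. The script below is an added example written for this article, not code from the author, HHS or HealthCare.gov: it reads constructed firewall flow lines in an assumed `key=value` format, compares each allowed flow against an inventory that marks which hosts are supposed to be internet-facing, and reports any host tagged as internal that exchanged traffic with an address outside the organization's own ranges. The inventory, address ranges, host names and log format are all assumptions for illustration.

```python
"""Flag inventoried hosts that are marked "not internet-facing" but show up in
allowed firewall flows with a peer outside the organization's internal ranges.

Added example for illustration; not part of the original article. The inventory,
log format, address ranges and host names below are assumed, and the flow log
lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed address ranges the organization treats as internal (RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed asset inventory: hostname -> (ip, expected to be internet-facing?)
INVENTORY = {
    "web-prod-01": ("203.0.113.10", True),
    "test-dev-07": ("10.20.30.40", False),   # test server, should never see the internet
    "db-int-02": ("10.20.30.50", False),
}

# Constructed firewall flow records (assumed format: ts src=.. dst=.. dport=.. action=..).
FLOW_LOG = """\
2014-07-08T03:12:05Z src=10.20.30.40 dst=10.20.30.50 dport=5432 action=ALLOW
2014-07-08T03:12:09Z src=198.51.100.77 dst=10.20.30.40 dport=22 action=ALLOW
2014-07-08T03:12:31Z src=10.20.30.40 dst=198.51.100.77 dport=4444 action=ALLOW
2014-07-08T03:13:00Z src=192.0.2.5 dst=203.0.113.10 dport=443 action=ALLOW
2014-07-08T03:13:10Z src=192.0.2.9 dst=10.20.30.50 dport=3306 action=DENY
"""


def is_external(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one flow record into a dict; raises on a malformed line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": ts,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def find_exposed_hosts(log_text, inventory=INVENTORY):
    """Return {hostname: [(ts, direction, external_peer, dport), ...]} for every
    host the inventory marks as not internet-facing that appears in an ALLOWed
    flow with an external peer. Denied flows are ignored: they show probing,
    not exposure. Hosts missing from the inventory are skipped here."""
    by_ip = {ip: (name, facing) for name, (ip, facing) in inventory.items()}
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["action"] != "ALLOW":
            continue
        # Check both ends: the inventoried host may be source or destination.
        for local, peer, direction in (
            (flow["src"], flow["dst"], "outbound"),
            (flow["dst"], flow["src"], "inbound"),
        ):
            asset = by_ip.get(local)
            if asset is None or asset[1]:
                continue  # unknown asset, or one that is supposed to face the internet
            if is_external(peer):
                findings[asset[0]].append((flow["ts"], direction, peer, flow["dport"]))
    return dict(findings)


if __name__ == "__main__":
    for host, events in find_exposed_hosts(FLOW_LOG).items():
        print(f"{host}: marked internal but reached external addresses")
        for ts, direction, peer, dport in events:
            print(f"  {ts} {direction} peer={peer} dport={dport}")
```

Run continuously against the real feed, this turns "the test box was never supposed to be online" into an alert the first time it is, instead of a discovery made weeks later. Inbound SSH from an external address to the test host is the exposure itself; the later outbound connection from the same host to the same address is the kind of follow-on traffic a monitoring team would want to see in the same report.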
Will this be a wakeup call for the healthcare industry? Most large hospital systems invested significant resources into electronic medical record systems around the same time HealthCare.gov was being built. This event may force them to consider whether they’re also big targets for cybercriminals, and what they can do to stay a step ahead of these adversaries.
This security event will be in the news for some time, and it will impact how consumers and patients perceive security and privacy. For many consumers, this will reinforce the idea that HealthCare.gov is a poorly planned and executed system, regardless of whether or not that’s true. While we haven’t seen a major backlash from consumers affected by recent retail breaches, I would argue that those handing over healthcare information have more skin in the game. Credit card fraud costs largely fall on banks instead of individuals. When extremely personal and sensitive health data is leaked, the public pays the price. If we see more events like Community Health Systems and HealthCare.gov, it seems likely that consumers will start paying attention and demanding changes.
What will change look like? At the moment, many security teams are struggling with data overload. They can’t patch all the vulnerable systems, so they’re playing whack-a-mole, addressing vulnerabilities at random or based on which ones are easiest to fix. When a team is this overwhelmed, regular and consistent network monitoring is next to impossible. Solutions and strategies that help them prioritize remediation by actual risk and shorten response times will break this vicious cycle and advance their vulnerability management program.
A senior DHS official said, "If this happened anywhere other than HealthCare.gov, it wouldn't be news." I actually agree with that statement, but it doesn’t mean we should stop talking about this breach. This is a controversial, complex, central system that holds a lot of very sensitive data – if you build it, the attackers will come. High profile organizations with the resources necessary to continuously monitor these systems can’t afford to miss a problem like this.
Eric Cowperthwaite is Vice President of Advanced Security & Strategy with Core Security and the former CSO of Providence Health & Services, a healthcare delivery organization with 32 hospitals and more than 65,000 employees, headquartered in Seattle, WA.