Cybersecurity Incompetence Pervaded Obamacare’s Rollout, Long Before China’s Recent Cyberattack

The recent Chinese cyberattack that compromised the data of as many as 4.2 million public employees — one of the biggest thefts of federal data in U.S. history — has given new urgency to longstanding concerns over the cybersecurity of HealthCare.gov and several state exchanges. Public records obtained by National Review over the past two years, as well as reports from inspectors general and news outlets, detail myriad health-sector breaches that have already occurred.

Probing the security breach at the Office of Personnel Management, the House Oversight Committee concluded Tuesday that “state sponsored and non-state sponsored hackers are aggressive, motivated, persistent, and well-funded in their attempt to breach government and commercial systems.”

Growing revelations about the Obama administration’s tech-security shortcomings could have major implications for the millions of Americans who bought health coverage online, trusting the federal government to safeguard their personal data, including Social Security numbers and financial and health information.

Already, the incentives are ample to hack the health exchanges. As Reuters reported last year, simple stolen health information goes for around $10 on the black market, “about 10 or 20 times the value of a U.S. credit card number.” And a full health-identity profile can go for as much as $500, Politico reported. The stolen data can be used for anything from obtaining prescriptions to submitting fraudulent insurance claims. Cyberattacks targeting health-care data have doubled in the past 15 years, according to the Ponemon Institute.

Yet the cybersecurity records of both HealthCare.gov and several state exchanges are spotty, plagued by numerous glitches that might have put the personal information of enrollees at risk.

Shortly before the latest enrollment period, the Government Accountability Office released a report detailing myriad security vulnerabilities on the federal exchange. It discovered that password controls and Internet-access restrictions were lacking, in addition to other problems. The GAO wrote:

Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternative processing site to avoid major service disruptions. While CMS [Centers for Medicaid and Medicare Services] has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the [federal exchange].

Likewise, the HHS inspector general reported last September that it had found one critical vulnerability in HealthCare.gov and two critical vulnerabilities on the servers. CMS said it was working on fixing all of these, but the inspector general’s report noted that “these critical vulnerabilities placed the confidentiality, integrity, and availability of [personally identifying information] at risk and could have allowed unauthorized access to consumer [personally identifying information].”

There’s strong indication that agency leaders knew about these vulnerabilities and the risks posed by them before HealthCare.gov launched. A memo from the Medicare chief, obtained by The Associated Press, reported that scant testing before the rollout “exposed a level of uncertainty that could be deemed as a high risk.”

In July 2014, hackers actually broke into a HealthCare.gov server and uploaded malicious software. Disturbingly, the Department of Health and Human Services didn’t discover the breach until late August.

Though HHS said it did not believe hackers had accessed enrollees’ personal information during that breach, it’s unlikely the public would be notified if private data had been compromised. As Watchdog.org reported, no law requires HHS to notify the public of a breach, and the department declined to include a provision guaranteeing disclosure.

Security vulnerabilities also have abounded on the state health exchanges.

Public records obtained by National Review revealed that in December 2013, Romanian hackers gained access to Vermont’s health-exchange development server at least 15 times, going undetected for a month. While the health exchange said it had stored no personal information on that server, a cybersecurity expert said it was possible that enrollees’ records could have been jeopardized.

In California, navigators sent consumers’ confidential data through unencrypted, insecure e-mails, potentially jeopardizing the personal information of at least 378 Obamacare enrollees, public records showed.

The navigators had not abided by Covered California’s own policies, but a spokesman for the health exchange said these violations constituted “a very minimal risk.” But two cybersecurity experts interviewed by National Review at the time assessed the risk as significantly higher.

In April 2015, the HHS inspector general released a report on Covered California, concluding that the health exchange “could improve protection of personally identifiable information.”

Though Covered California had some safeguards in place, the inspector general found, it had neither completed the required vulnerability scans nor met minimum federal requirements for protections of its systems. Furthermore, some of the user accounts lacked secure settings.

“Although we did not find evidence that the weaknesses had been exploited, exploitation could result in unauthorized access to and disclosure of [personally identifying information], as well as disruption of critical marketplace operations,” the inspector general wrote. “As a result, the weaknesses were collectively, and in some cases, individually significant and could have potentially compromised the integrity of the marketplace.”

Last July, the interim CEO of New Mexico’s health exchange told NR that a federal audit had found “some high and critical issues that need to be addressed.”

HHS’s report on the New Mexico health exchange, released in September, said it had found 64 vulnerabilities in total on the website, two of which were critical. A scan of the health exchange’s database that stores personal information of enrollees also found 74 vulnerabilities, including one classified as high risk.

“The vulnerabilities we identified placed the confidentiality, integrity, and availability of NMHIX information at risk and could have allowed unauthorized access to sensitive consumer data,” HHS’s inspector general concluded.

A March 25, 2014, letter from the House Oversight Committee to Governor Brian Sandoval and obtained by NR also addressed security concerns pertaining to Nevada’s health exchange. It referenced a Deloitte security assessment, which found, among other vulnerabilities, that when Nevada’s health exchange launched on Oct. 1, 2013, fewer than 60 percent of the security controls had been fully implemented.

Though CMS knew of Nevada’s high-risk vulnerabilities, it allowed the health exchange to connect to the federal data hub anyway, the Oversight Committee letter said.

Allowing state exchanges to connect without the proper safeguards “in turn puts the [personally identifying information] of potentially millions of users at risk of identity theft and fraud to the CMS marketplace health-care subsidy program,” CMS’s chief information-security officer cautioned at the time, according to the Oversight Committee letter.

Health exchanges in Oregon, Minnesota, Kentucky, Washington, Massachusetts, and the District of Columbia would not provide NR with records on vulnerability scans, cybersecurity threats, and breaches. Several said the release of this information could create additional risks to the security of the health exchanges.

A Minnesota health exchange spokesperson told NR last summer that a Deloitte audit had found that “from a security and privacy perspective, the State has been very focused on its compliance efforts and no major issues or risks were identified.” Around the same time, a general counsel for the Massachusetts health exchange also said he was unaware of any cybersecurity breaches, attacks, or consumer fraud that had occurred in the state. 

Despite the health exchanges’ rocky record on cybersecurity, the Obama administration has done little to publicly address its shortfalls. FastCompany this week published “an exclusive and wide-ranging conversation” with Robert Safian in which “the President explains his take on Washington’s technology problems – and his solutions.”

Yet the interview never once addressed, or even mentioned, the recent OPM breach. And the president discussed only in passing the problems accompanying HealthCare.gov, which Obama said had occurred largely because “you couldn’t use traditional procurement mechanisms in order to build something that had never been built before and was pretty complicated.”

Before the Obama administration proceeds with making government even more tech-centric — a goal the president describes at length in the FastCompany interview — it should focus on making sure existing systems operate properly and securely. Cybersecurity incompetence pervaded Obamacare’s rollout and its first two years — not a promising sign, especially as hackers grow more ambitious.

Jillian Kay Melchior writes for National Review as a Thomas L. Rhodes Fellow for the Franklin Center. She is also a senior fellow at the Independent Women’s Forum.
