The recent Chinese cyberattack that compromised the data of as many as 4.2 million public employees — one of the biggest thefts of federal data in U.S. history — has given new urgency to longstanding concerns over the cybersecurity of HealthCare.gov and several state exchanges. Public records obtained by National Review over the past two years, as well as reports from inspectors general and news outlets, detail myriad health-sector breaches that have already occurred.
Probing the security breach at the Office of Personnel Management, the House Oversight Committee concluded Tuesday that “state sponsored and non-state sponsored hackers are aggressive, motivated, persistent, and well-funded in their attempt to breach government and commercial systems.”
Growing revelations about the Obama administration’s tech-security shortcomings could have major implications for the millions of Americans who bought health coverage online, trusting the federal government to safeguard their personal data, including Social Security numbers and financial and health information.
Already, the incentives are ample to hack the health exchanges. As Reuters reported last year, simple stolen health information goes for around $10 on the black market, “about 10 or 20 times the value of a U.S. credit card number.” And a full health-identity profile can go for as much as $500, Politico reported. The stolen data can be used for anything from obtaining prescriptions to submitting fraudulent insurance claims. Cyberattacks targeting health-care data have doubled in the past 15 years, according to the Ponemon Institute.
Yet the cybersecurity records of both HealthCare.gov and several state exchanges are spotty, plagued by numerous glitches that might have put the personal information of enrollees at risk.
Shortly before the latest enrollment period, the Government Accountability Office released a report detailing myriad security vulnerabilities on the federal exchange. It discovered that password controls and Internet-access restrictions were lacking, in addition to other problems. The GAO wrote:
Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternative processing site to avoid major service disruptions. While CMS [Centers for Medicaid and Medicare Services] has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the [federal exchange].
Likewise, the HHS inspector general reported last September that it had found one critical vulnerability in HealthCare.gov and two critical vulnerabilities on the servers. CMS said it was working on fixing all of these, but the inspector general’s report noted that “these critical vulnerabilities placed the confidentiality, integrity, and availability of [personally identifying information] at risk and could have allowed unauthorized access to consumer [personally identifying information].”
There’s strong indication that agency leaders knew about these vulnerabilities and the risks posed by them before HealthCare.gov launched. A memo from the Medicare chief, obtained by The Associated Press, reported that scant testing before the rollout “exposed a level of uncertainty that could be deemed as a high risk.”
In July 2014, hackers actually broke into a HealthCare.gov server and uploaded malicious software. Disturbingly, the Department of Health and Human Services didn’t discover the breach until late August.
Though HHS said it did not believe hackers had accessed enrollees’ personal information during that breach, it’s unlikely the public would be notified if private data had been compromised. As Watchdog.org reported, no law requires HHS to notify the public of a breach, and the department declined to include a provision guaranteeing disclosure.
Security vulnerabilities also have abounded on the state health exchanges.
Public records obtained by National Review revealed that in December 2013, Romanian hackers gained access to Vermont’s health-exchange development server at least 15 times, going undetected for a month. While the health exchange said it had stored no personal information on that server, a cybersecurity expert said it was possible that enrollees’ records could have been jeopardized.
In California, navigators sent consumers’ confidential data through unencrypted, insecure e-mails, potentially jeopardizing the personal information of at least 378 Obamacare enrollees, public records showed.
The navigators had not abided by Covered California’s own policies, but a spokesman for the health exchange said these violations constituted “a very minimal risk.” Two cybersecurity experts interviewed by National Review at the time, however, assessed the risk as significantly higher.
In April 2015, the HHS inspector general released a report on Covered California, concluding that the health exchange “could improve protection of personally identifiable information.”
Though Covered California had some safeguards in place, the inspector general found, it had neither completed the required vulnerability scans nor met minimum federal requirements for protections of its systems. Furthermore, some of the user accounts lacked secure settings.
“Although we did not find evidence that the weaknesses had been exploited, exploitation could result in unauthorized access to and disclosure of [personally identifying information], as well as disruption of critical marketplace operations,” the inspector general wrote. “As a result, the weaknesses were collectively, and in some cases, individually significant and could have potentially compromised the integrity of the marketplace.”
Last July, the interim CEO of New Mexico’s health exchange told NR that a federal audit had found “some high and critical issues that need to be addressed.”
HHS’s report on the New Mexico health exchange, released in September, said it had found 64 vulnerabilities in total on the website, two of which were critical. A scan of the health exchange’s database that stores personal information of enrollees also found 74 vulnerabilities, including one classified as high risk.
“The vulnerabilities we identified placed the confidentiality, integrity, and availability of NMHIX information at risk and could have allowed unauthorized access to sensitive consumer data,” HHS’s inspector general concluded.
A March 25, 2014, letter from the House Oversight Committee to Governor Brian Sandoval, obtained by NR, also addressed security concerns about Nevada’s health exchange. It referenced a Deloitte security assessment, which found, among other vulnerabilities, that when Nevada’s health exchange launched on Oct. 1, 2013, fewer than 60 percent of the security controls had been fully implemented.
Though CMS knew of Nevada’s high-risk vulnerabilities, it allowed the health exchange to connect to the federal data hub anyway, the Oversight Committee letter said.
Allowing state exchanges to connect without the proper safeguards “in turn puts the [personally identifying information] of potentially millions of users at risk of identity theft and fraud to the CMS marketplace health-care subsidy program,” CMS’s chief information-security officer cautioned at the time, according to the Oversight Committee letter.
Health exchanges in Oregon, Minnesota, Kentucky, Washington, Massachusetts, and the District of Columbia would not provide NR with records on vulnerability scans, cybersecurity threats, and breaches. Several said the release of this information could create additional risks to the security of the health exchanges.
A Minnesota health exchange spokesperson told NR last summer that a Deloitte audit had found that “from a security and privacy perspective, the State has been very focused on its compliance efforts and no major issues or risks were identified.” Around the same time, a general counsel for the Massachusetts health exchange also said he was unaware of any cybersecurity breaches, attacks, or consumer fraud that had occurred in the state.
Despite the health exchanges’ rocky record on cybersecurity, the Obama administration has done little to publicly address its shortfalls. FastCompany this week published “an exclusive and wide-ranging conversation” with Robert Safian in which “the President explains his take on Washington’s technology problems – and his solutions.”
Yet the interview never once addressed, or even mentioned, the recent OPM breach. And the president discussed only in passing the problems accompanying HealthCare.gov, which Obama said had occurred largely because “you couldn’t use traditional procurement mechanisms in order to build something that had never been built before and was pretty complicated.”
Before the Obama administration proceeds with making government even more tech-centric — a goal the president describes at length in the FastCompany interview — it should focus on making sure existing systems operate properly and securely. Cybersecurity incompetence pervaded Obamacare’s rollout and its first two years — not a promising sign, especially as hackers grow more ambitious.
— Jillian Kay Melchior writes for National Review as a Thomas L. Rhodes Fellow for the Franklin Center. She is also a senior fellow at the Independent Women’s Forum.