Source: Department of Health and Human Services.

It seems a new challenge threatens the Affordable Care Act's marketplace every month, but this time, the challenge isn't website downtime or political grandstanding; it's hackers.

According to reports, hackers broke into part of the healthcare.gov insurance exchange in July and uploaded a malicious virus to a server used to test software code. The hackers failed to breach the servers that secure exchange participants' information, and the uploaded virus was pretty tame by hacker standards. But the fact that it happened opens up debate over whether a virus intended to nab exchange participants' private data could be implanted on healthcare.gov servers, too.

It's an eye-opening question given that personal data remains one of the most sought-after targets of black-market profiteers. It also serves as a sobering acknowledgment that hackers are increasingly targeting healthcare information in a bid to build more complete (and valuable) dossiers.

Privacy at risk?
There are few things more private than personal healthcare records, yet the healthcare industry appears to remain well behind banking and retailing in implementing security measures to prevent thefts.

The healthcare sector's delay in putting in place airtight software security may be because the industry has a different mission.

While banks and retailers are laser-focused on walling off private information in a bid to prevent data sharing, healthcare is attempting to build share-friendly systems that allow personal health records to travel between patients, insurers, doctors, specialists, and hospitals.

That's a big and bold difference that creates windows of opportunity for hackers.

Source: Community Health Systems.

For example, hospital operator Community Health Systems admitted last month that hackers had broken into its servers and walked away with 4.5 million records, including names, addresses, and Social Security numbers of patients treated at its 200 hospitals.

Conceivably, that data could be combined with data mined from other breaches, such as the ones at Target and Home Depot, to build more complete data profiles.

Since those profiles would include health information, they could potentially be used to obtain illegal prescriptions for drugs, including opiates, and that makes these profiles far more valuable on the black market than run-of-the-mill credit card information. According to Dell SecureWorks, cyber criminals were getting just $1 to $2 for credit card numbers last year, but they were getting closer to $20 for health insurance credentials.

Fighting back
The Department of Health and Human Services says that it has found and removed the malicious software from the server and that it's instituting additional security measures in a bid to prevent future attacks.

That's good news given that more than 5 million people used the federal healthcare.gov website in the past year during its first open enrollment. 

Then again, the malicious software implanted on the healthcare.gov server wasn't very sophisticated. Instead, it was common denial-of-service, or DoS, code that has infected countless public and private servers in the past and is used to help knock websites offline. And it's not like the security measures used on the breached server were intense. The server was only protected by a default password because it had never been intended to be brought online. That combination has some wondering if the news of the breach would have even been reported by most private companies.

The war rages on
The fact that an unsecured server tied to healthcare.gov was online and broken into suggests that HHS will be looking carefully at all of its servers to make sure each one has the proper security in place.

The agency reports that it already hires outside contractors to try to break into, monitor, and make security enhancements to healthcare.gov, and it wouldn't be shocking to see efforts redoubled from here. However, that doesn't guarantee personal data won't be at risk. Regardless of whether it's a bank, retailer, hospital, or insurance marketplace, as long as there is data locked in servers, there will be hackers trying to steal it.