HealthCare.Gov Hack: How Serious?
Source: Marianne Kolbasuk
In the aftermath of news of the hacking of a HealthCare.gov test server, security experts and politicians are assessing the seriousness of the attack and lessons that can be learned from it.
The Department of Health and Human Services disclosed on Sept. 4 that malware had been uploaded to the Obamacare test server back in July. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated and was not designed to exfiltrate personally identifiable information. No consumer data was exposed in the incident, officials say (see HealthCare.Gov Server Hacked).
The attack is refueling political scrutiny of the Obamacare insurance exchange website and systems. House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., announced on Sept. 4 that HHS' Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner "must testify" at a Sept. 18 committee hearing about HealthCare.gov "woes."
"The committee will continue to push for answers from the administration and Administrator Tavenner must testify on the subject of transparency, accountability and information security, alongside the Government Accountability Office," Issa said.
On Sept. 17, the GAO plans to issue a report on HealthCare.gov security issues, as was requested "by numerous members of Congress," a GAO spokesman tells Information Security Media Group (see Expanded HealthCare.gov Scrutiny Sought).
HealthCare.gov has become a political football in the debate over Obamacare. Purdue University Computer Science Professor Gene Spafford, who has testified about IT security before Congress, says many lawmakers seem to care more about scoring political points than solving the problem of fixing the website. "Healthcare.gov is one of the bits of collateral damage in this kind of struggle," he says.
The Investigation
While politicians move quickly to dissect the recent incident and overall HealthCare.gov security, HHS continues to evaluate the attack and lessons that can be learned.
"Forensic analysis continues to determine how the incident occurred," a CMS spokesman tells ISMG. "A variety of actions have been taken to prevent future incidents, including blocking the IPs and domains identified as hostile and disconnecting and decommissioning the affected server. The public-facing systems at the data center currently have the malware identification/protection tool installed."
In addition, the CMS spokesman says "an agency-wide review of all Internet-connected machines, including all test servers at the Terremark data center, was initiated after the incident was contained." Terremark, a unit of Verizon, hosts the HealthCare.gov website.
"A review of the systems and documentation will follow as part of the lessons learned to ensure improved detection capabilities and incident management practices," the CMS spokesman says.
Also, the CMS spokesman says Verizon has provided information to the agency, including images of servers that were potentially impacted, a network topology map, and an updated IP and subnet list. The vendor is also working with CMS and HHS to increase the storage capacity of a security appliance, and is working with other agencies to implement additional network monitoring devices for the site.
Reconnaissance Mission?
The hacking of the HealthCare.gov test server could be an indicator of a new trend of hackers conducting careful reconnaissance of a network they intend to attack at a later date, says Samuel Visner, senior vice president and general manager for cybersecurity at ICF International, a technology and management advisory firm. "The exploiter burns some calories to characterize the network they tend to attack," he says. "That they went after a test server on a preproduction system gives me a sense that these people are serious and that they're disciplined. That's what we find in the most significant attacks today. This is part of the trend of attacks moving from the purely opportunistic to highly tailored, and that tailoring includes good reconnaissance."