Audit finds slipshod cyber-security at HealthCare.gov

Obiwan

Diamond Member
Mar 22, 2015
Indiana
Hope folks have credit monitoring that covers ID theft...

Audit finds slipshod cyber-security at HealthCare.gov

WASHINGTON – The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.

The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general's office. But the episode raises questions about the government's ability to protect a vast new database at a time when cyberattacks are becoming bolder.

Known as MIDAS, the $110-million system is the central electronic storehouse for information collected under President Barack Obama's health care law.

It doesn't handle medical records, but it does include names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts of customers on HealthCare.gov and state insurance marketplaces.

"It sounds like a gold mine for ID thieves," said Jeremy Gillula, staff technologist for the Electronic Frontier Foundation, a civil liberties group focused on technology. "I'm kind of surprised that this information was never compromised."

The flaws uncovered by auditors included issues of security policy -- where mistakes can have bigger consequences -- as well as 135 database vulnerabilities, of which nearly two dozen were classified as potentially severe or catastrophic.

Among the policy mistakes: User sessions were not encrypted, contrary to standard practice on financial websites. "Not doing so is inexcusable for such sensitive data," said Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, an Internet rights group.

MIDAS is an internal system operated by the federal Centers for Medicare and Medicaid Services, the agency that administers the health care law. The acronym stands for Multidimensional Insurance Data Analytics System. Officials say it's an electronic backbone, essential to the smooth operation of the health care law's insurance markets.

Currently about 10 million people are covered through HealthCare.gov and state marketplaces offering taxpayer-subsidized private policies. But MIDAS also keeps information on many others, including former customers. Their data is retained for years.

Among the technical problems uncovered by the audit:

--Using a shared read-only account for access to the database that contained individuals' personal information. Gillula said such a shared account creates a serious vulnerability because if data is stolen, it's much more difficult to tell who was looking at what information, and when.

--Failure to disable "generic accounts" used for maintenance or other special access during testing, an oversight that can foster complacency about security practices when a system becomes operational.

--Failure to conduct certain automated vulnerability scans that mimic known cyberattacks and could reveal weaknesses in MIDAS and the systems supporting it.

--Database weaknesses. A total of 135 such vulnerabilities -- oftentimes software bugs -- were discovered by the inspector general's vulnerability scans. Of these, 22 were classified as high risk, meaning they could have potentially severe or catastrophic fallout, and 62 as medium risk.

The Medicare agency is conducting weekly vulnerability assessments of MIDAS, and an annual security review, Slavitt said.

However, the episode indicates how some technical and security issues from the program's chaotic rollout in 2013 may still linger. Back then, the consumer-facing side of HealthCare.gov went live without a completed security certification.
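Added example, not part of the AP article or of the forum post above: a small configuration-hygiene check that turns the audit's four classes of finding (shared accounts, generic maintenance/test accounts left enabled in production, unencrypted user sessions, and missing or overdue vulnerability scans) into an automated report over an inventory. The inventory, account names, dates and the seven-day scan interval are all constructed for illustration and are not MIDAS data; `Account`, `Inventory` and `find_findings` are hypothetical names introduced here.

```python
"""Hygiene check modelled on the audit findings quoted in the post.

Everything below (account names, environments, dates) is constructed
for the example; nothing is taken from the real MIDAS system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    name: str
    # "individual": tied to one person; "shared": one credential used by
    # many people; "service": used by an application; "maintenance" and
    # "test": special-access accounts that should be disabled before go-live.
    kind: str
    enabled: bool


@dataclass
class Inventory:
    environment: str              # "production" or "test"
    accounts: List[Account]
    session_tls_only: bool        # user sessions served only over TLS
    last_vuln_scan: Optional[date]  # None if no scan is on record


def find_findings(inv: Inventory, today: date, scan_interval_days: int = 7) -> List[str]:
    """Return one human-readable finding per weakness detected."""
    findings: List[str] = []
    for acct in inv.accounts:
        if acct.kind == "shared" and acct.enabled:
            # A shared credential makes it hard to attribute who read what, and when.
            findings.append(
                f"shared account '{acct.name}' is enabled: access cannot be attributed to an individual")
        if acct.kind in ("maintenance", "test") and acct.enabled and inv.environment == "production":
            # Generic accounts created for testing should not survive into production.
            findings.append(
                f"generic {acct.kind} account '{acct.name}' is still enabled in production")
    if not inv.session_tls_only:
        findings.append("user sessions are not restricted to encrypted (TLS) transport")
    if inv.last_vuln_scan is None:
        findings.append("no vulnerability scan on record")
    else:
        age = (today - inv.last_vuln_scan).days
        if age > scan_interval_days:
            findings.append(
                f"last vulnerability scan is {age} days old (expected every {scan_interval_days} days)")
    return findings


# Constructed sample: a production inventory with the same kinds of problems
# the audit describes.
SAMPLE_TODAY = date(2015, 1, 1)  # constructed reference date

SAMPLE_WEAK = Inventory(
    environment="production",
    accounts=[
        Account("jdoe", "individual", True),
        Account("readonly_analytics", "shared", True),
        Account("db_maint", "maintenance", True),
        Account("qa_loader", "test", False),
        Account("app_backend", "service", True),
    ],
    session_tls_only=False,
    last_vuln_scan=SAMPLE_TODAY - timedelta(days=30),
)

# The same inventory after the problems are corrected.
SAMPLE_FIXED = Inventory(
    environment="production",
    accounts=[
        Account("jdoe", "individual", True),
        Account("readonly_analytics", "shared", False),
        Account("db_maint", "maintenance", False),
        Account("qa_loader", "test", False),
        Account("app_backend", "service", True),
    ],
    session_tls_only=True,
    last_vuln_scan=SAMPLE_TODAY - timedelta(days=3),
)


def audit_sample() -> List[str]:
    """Run the check over the weak sample inventory."""
    return find_findings(SAMPLE_WEAK, SAMPLE_TODAY)


def audit_fixed() -> List[str]:
    """Run the check over the corrected sample inventory (expected: no findings)."""
    return find_findings(SAMPLE_FIXED, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
    print("after fixes:", audit_fixed() or "no findings")
```

The check deliberately treats a disabled shared or maintenance account as acceptable and a service account as outside its scope; a real review would also want per-user database accounts with query logging so that access can be attributed, which is the point Gillula makes about the shared read-only account.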