Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including Hacking for Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance, and the Security on Wheels audio books and blog (www.securityonwheels.com). Follow him on Twitter, @kevinbeaver or connect to him on LinkedIn.
You’ve heard of the law of unintended consequences. We’ve all experienced it. You change or “improve” something and suddenly you find yourself suffering through side-effects you didn’t anticipate. As we move into its initial implementation stages, we’re seeing that the poster child for unintended consequences may prove to be the Affordable Care Act, or Obamacare as it is commonly referred to.
Whether you believe Obamacare is the transformational fix American healthcare needed or, like me, see it as another means for political appeasement and control, there’s no doubting one ugly fact: the personal health information being stored and processed in the state-controlled Health Insurance Exchange (HIE) marketplaces is not being properly secured. Government officials are not even dancing around this revelation. They freely admit the security requirements have not been achieved.
Obamacare’s HIEs are supposed to be the vehicle through which more than 50 million people will be purchasing health insurance. So to say there will be a lot of sensitive electronic health information coming and going is a monumental understatement.
Part of the Obamacare infrastructure includes something called the Federal Data Services Hub. If you are like me, this is not a term you had heard discussed before. This system will connect numerous government agencies such as DHS, DOJ, VA, IRS, HHS, individual state governments -- even the Peace Corps -- to verify eligibility for tax credits and subsidies of health insurance plans doled out through Obamacare. Nice. I can’t think of a more fertile information environment to target by those with ill intent.
The real kicker: no one really knows how secure any of these information systems are going to be, including the people in charge of pulling this off. Based on experiences I’ve had testing the security of large web application environments, I can tell you what’s going to happen in these HIEs and the Federal Data Services Hubs:
- Applications and supporting systems will be deployed.
- Security will be discussed, but given the time sensitivity for the HIEs to be operational, security issues will not be properly addressed.
- A select few states and federal agencies may run some basic vulnerability scans or IT audit checks, but nothing of significance will be uncovered. Don’t be misled: if you look in the right areas, using the proper tools, you can find tons of security flaws in most application environments -- especially newly-developed applications such as these.
- The cycle of information security apathy will continue. Unfortunately, it’s now impacting one of the largest repositories of personal information ever amassed in the history of the United States.
External threats are not the only source of information risk. We have to consider the insider threat – especially given the vast array of moving parts associated with these marketplaces.
With all of these government agencies involved in the HIEs, the sheer number of data entry points, network exit points, and potential hands in the pie is staggering. Where’s the accountability?
It is interesting to note that a recent Commonwealth Fund study found that nearly three-fourths of adults between the ages of 19 and 29 are unaware of Obamacare’s health insurance marketplaces. It’s difficult for the average citizen to demand that their personal health information be protected if they don’t even know where, when, and how it’s being used.
What makes this entire affair even more frustrating is that while states are getting tens of millions of tax dollars to market their HIEs, had only a fraction of this money been used to properly plan out security strategies and test for security weaknesses, I wouldn’t be writing this column.
I’m not even sure where we go from here. If your business or government agency is involved in these health insurance marketplaces, don’t be afraid to ask the tough security questions and even test the environments on your own. It’s this type of grass-roots effort that could introduce some sanity into Obamacare. In the administration’s defense, I’m sure this is an unfortunate oversight that will be quickly remediated. But will it be quick enough to avert a disastrous information breach or worse?
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 24 years of experience in the industry, Kevin specializes in performing independent IT security vulnerability assessments of networks, computers, and applications. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.