The San Diego Union Tribune posted a report this week about how the Department of Health and Human Services employed white-hat hackers to test HealthCare.gov for vulnerabilities, and found critical security flaws that could enable a huge breach by black hats.
The vulnerability scan revealed a security hole that could allow data downloads, information modification, and command execution. The testers also found database vulnerabilities that could be exploited.
Based on the test results, officials say they have “taken actions to lower the security risks associated with the HealthCare.gov systems and consumer (personal information),” but “remain concerned about certain aspects of its security, such as the use of encryption technology that does not meet government standards” (Alonso-Zaldivar, AP/U-T San Diego, 9/22).
This raises the question: if this huge government website containing a nation’s valuable PHI is hacked, and the government knows it does not meet HIPAA requirements, will the government fine itself $1.5 million annually until it measures up to its own standards? Will we get credit report monitoring for free? What about all of the entities and exchanges connected to this website? (See Mike Walls’ blog regarding partner security and HIPAA fines)
The Identity Theft Resource Center (ITRC) reports that 18,953,443 records have been exposed so far in 2014 across 546 breaches, 37% of which are from the healthcare vertical. Healthcare is required to live up to a higher standard than other sectors, and is the most targeted because the information is more lucrative to thieves. Medicare fraud, identity theft, and pharmaceutical abuse are among the money makers for hackers, and health records can’t be cancelled and reissued as credit cards are after a breach. Security is of utmost importance in this sector.
EdgeWave’s award-winning edge-protection suite of internet and data security solutions is ideal for healthcare entities of all sizes. Affordable, easy to set up and deploy, EdgeWave’s ePrism Email Gateway and iPrism Web Gateway security suites provide end-to-end encryption, with Military-Grade automated and human analysis around the clock.