Hackers breached a HealthCare.gov test server, reportedly affecting no records, but the repercussions could spread across many medical organizations.
Thursday’s disclosure that hackers breached a HealthCare.gov test server this summer sparked more concern about the overall vulnerability of healthcare organizations and hope that the growing number of publicly disclosed hacks will encourage those organizations to expend more resources on securing data, networks, and systems.
A hacker installed malicious code on a device that had kept its default manufacturer’s password. As a test server, it was not supposed to be hooked to the Internet, said Patrick Peterson, founder and CEO of security developer Agari, in an interview. Either keeping the server unconnected or using tools that automatically change pre-set passwords would have prevented this vulnerability, he said. Because it shared the breach, HealthCare.gov should be lauded for its transparency, said Peterson.
This type of error is easily preventable, but is the kind of mistake that can occur at most organizations without proper training and IT management, said Ashley Leonard, president and CEO of Verismic Software:
“I am sure it is unnerving for the public when our government’s own systems get compromised by hacking. This, on top of the recent celebrity hacking, creates a distrust in cloud. However, if you look more closely at what has actually happened, systems are being penetrated by a combination of bad IT management and poor end-user training. I believe IT managers and software vendors need a better way to share information on vulnerabilities and how to patch them. The second concern is passwords; though passwords are set to protect our most sensitive data, we have a real issue today of using technology much older than most of us. At the very least we should be moving to pass phrases, two-factor authentication, or biometrics to protect our data.”
Although federal officials were quick to reassure the public that no personal, financial, or health data was stolen, a chorus of dissent arose immediately given the amount of information HealthCare.gov houses and the number of alarms raised about the site’s security weaknesses.
“IT experts have long warned about the lack of security built into the federal Obamacare website,” said Congressman Diane Black (R-Tenn.), in a statement. “The vast amount of personal information that Americans are required to put into this site is an open invitation for hackers. That is why designing a secure website should have been a top priority for this Administration.”
While politicians battle it out in Washington, D.C., CIOs and chief security officers might find it easier to wrest security funds from reluctant boards and CEOs. That can’t happen soon enough, based on the industry’s ongoing poor performance when compared with other sectors.