Just as it appeared the problems of HealthCare.gov had passed, the White House announced on Sept. 4 that the national health-care portal had been hacked. No private information was taken, they said, but the hackers had managed to break in on July 8 and remain undetected until Aug. 25.
The hackers had installed malicious software that could have been used to attack other websites. The Department of Health and Human Services (HHS) reported that the point of entry was not protected by a firewall or intrusion detection software. The breach was only discovered once a manual scan was performed more than a month later.
The U.S. Department of Homeland Security reported the breach had been limited to just one server and reported no evidence that any attacks had been launched from the compromised machine. HHS Inspector General Daniel Levinson is reportedly now meeting with law enforcement agencies for continued investigation.
This breach is a reflection of the health-care industry in general, said John Pescatore, director of emerging security trends at the SANS Institute. All reports indicate that the attack was not targeted at HealthCare.gov specifically, but that an automated scan detected a vulnerable test server. The affected test server had insufficient security controls and there was no reason for it to be connected to the Internet, Pescatore said.
“In general, there’s been this rush to move to electronic health records. Health-care companies have been trying to reduce costs by going to online patient scheduling,” Pescatore said. “In general, the security of health-care sites is not great. These portals were rushed out there and they’re certainly not looking much better than the rest of the health-care industry.”