Adding to the controversy surrounding the Affordable Care Act, aka Obamacare, is a new 253-page Obamacare rule that requires state, federal, and local agencies, as well as health insurers, to share protected health information (“PHI”) on any individual seeking to join the new “healthcare exchanges.” PHI includes individual medical histories, test and laboratory results, insurance information, and other personal health-related data.
Although PHI is already protected by various federal laws, the new Obamacare rule allows agencies to trade information in order to verify that applicants are receiving the appropriate level of health insurance coverage from the healthcare exchanges. The ruling, however, does not require that applicants pre-approve the release of their PHI. In fact, the Department of Health and Human Services already allows the exchange of some PHI without an individual’s pre-approval, especially when it’s for a “government program providing public benefits.” Officials state that the swapping of information is simply meant to help determine the best insurance coverage for every Obamacare user.
If enacted as written, the new Obamacare rule will result in the creation of one of the largest collections of personal data in U.S. history, with information managed and shared among numerous federal, state, and local governments. This repository will undoubtedly be an irresistible “pot of gold” for every hacker and identity thief on the planet.
Nish Bhalla, CEO of Security Compass, is an ethical hacker specializing in web security for Fortune 500s, major banks, and well-known technology companies. Drawing on his unique perspective, Bhalla noted that, “Typically, state governments do not have the same level of resources as the federal government when it comes to cybersecurity. In fact, a recent study by Deloitte-NASCIO found that only 24 percent of state chief information security officers are confident they can thwart hack attacks.”
Speculating on how the vulnerable exchanges could be exploited, Bhalla believes we will “see a standard crop of web-based attacks directly targeting the state exchanges and federal data hub. We’re also sure to see a lot of spam, phishing, and ‘waterholing’ attacks that target consumers.” Aside from direct attacks on the exchanges themselves, hackers will seek softer targets, such as the public computer terminals (e.g., at libraries, schools, unions, and small business associations) that will be made available for people to enroll in an exchange. Other vulnerable targets include the various “navigator” companies responsible for helping people enroll online.
While the healthcare exchanges have conducted security audits, the testing has not been as rigorous as one might expect given the amount of PHI at risk. As with many aspects of Obamacare, security testing appears to have been rushed in order to meet specific deadlines. Numerous news stories have already reported on the “glitches” with Obamacare’s online enrollment portal, drawing the evident conclusion that rushing any large project is likely to result in errors.
While it’s too soon to determine how secure our PHI will be in the hands of various government agencies, we do know that hackers will be unable to resist the temptation to grab at such low-hanging fruit.