Lessons Learned: Major Security Vulnerabilities and Flaws Uncovered During Audit of HealthCare.gov

by Sarah Harvey / October 26th, 2015

Last month, an audit of HealthCare.gov uncovered some basic flaws in the security of the government’s healthcare website. The Personally Identifiable Information (PII) of millions of health insurance customers was being stored in a database that, fortunately, was never compromised by way of cyberattack.

Medical records are not stored in the system; however, the names, Social Security numbers, birth dates, addresses, and phone numbers of customers were left vulnerable to attack. Among the issues found by the ethical hacker were information security control weaknesses, as well as 135 database vulnerabilities, of which 22 were classified as severe or catastrophic.

The major vulnerabilities that were found point to a few key takeaways to keep in mind when securing the PII for which you are responsible:

1. Unencrypted user sessions

Not encrypting user sessions goes against standard practice. If your session ID grants access to PII, it should never be left unencrypted: an unencrypted session can be hijacked by an attacker, compromising the confidentiality of the PII.
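As an added illustration of this point (example code written for this page, not from the original article or the HealthCare.gov audit), the check below audits a Set-Cookie header and flags a session cookie that a browser would also send over an unencrypted connection. The cookie names and header values are constructed samples, and the set of session cookie names is an assumption.

```python
from __future__ import annotations

from http.cookies import CookieError, SimpleCookie

# Assumed names under which applications commonly issue their session ID.
SESSION_COOKIE_NAMES = {"sessionid", "JSESSIONID", "PHPSESSID"}

# Constructed sample headers: the weak configuration beside the hardened one.
WEAK_HEADER = "sessionid=abc123; Path=/"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"


def audit_set_cookie(header_value: str) -> list[str]:
    """Return findings for one Set-Cookie header value.

    An empty list means every session cookie in the header is hardened
    (or the header carries no session cookie at all).
    """
    jar = SimpleCookie()
    try:
        jar.load(header_value)
    except CookieError:
        return [f"unparseable Set-Cookie header: {header_value!r}"]
    # SimpleCookie drops everything silently on a parse failure; report that
    # instead of treating an unreadable header as a clean result.
    if not jar:
        return [f"unparseable Set-Cookie header: {header_value!r}"]

    findings: list[str] = []
    for name, morsel in jar.items():
        if name not in SESSION_COOKIE_NAMES:
            continue
        # Without Secure, the browser also sends the session ID over plain
        # HTTP, exposing it to anyone able to observe the traffic.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure attribute")
        # Without HttpOnly, script running in the page can read the session ID.
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly attribute")
        # SameSite limits the cookie being attached to cross-site requests.
        if morsel["samesite"].lower() not in {"lax", "strict"}:
            findings.append(f"{name}: SameSite not set to Lax or Strict")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_set_cookie(header) or "OK")
```

Run it against the Set-Cookie headers your application actually emits (for example from a response capture) to confirm the session cookie is restricted to encrypted connections.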

2. Shared read-only account for access to the database that contained PII

This is a MAJOR vulnerability. If any data were stolen, it would be impossible to determine who was accessing what information at what time. Shared accounts are typically reserved for “guest” or “temporary” use, accounts that do not have access to a database containing PII. Accounts that do access such a database should be privileged accounts, secured with strong passwords and/or two-factor authentication.

3. Failure to disable “generic accounts”

These are anonymous accounts used for maintenance during testing. Once the testing phase is over, generic accounts should be disabled and default passwords changed. This eliminates vulnerabilities by applying the principle of least privilege: if an account is not needed for securing the data, it should be disabled or removed.

4. Failure to conduct regular vulnerability scans

We are learning quickly that performing regular penetration tests and vulnerability scans is a great way to prevent a data breach. It is the most consistent and efficient way to learn about the holes in your security before someone else does. The process uncovers and exploits vulnerabilities, giving you a chance to remediate them.

There are certainly lessons to be learned from the vulnerabilities found in HealthCare.gov’s security. You will never know what gaps lie in your security unless you test it. Train your employees to be aware of the importance of security in the workplace. Don’t let a data breach be a surprise to you – be proactive about your security.