The New Healthcare Exchanges Bring New Cybersecurity Concerns

Within hours of the exchanges going live, security firm McAfee warned that attackers are likely to launch phishing attacks aimed at stealing personal information. Phishing emails and other social engineering techniques are used direct users to official-looking-but-fraudulent web sites to entice them to provide sensitive information or download malicious code.

Phishing accounted for 68% of the total 153 thousand incidents reported by the US Computer Emergency Readiness Team (US-CERT) for FY 2012 and reported in the most recent Federal Information Security Management Act (FISMA) report. This continues to make them the most widely reported incident type reported by US-CERT.

US-CERT has a web site where people can report phishing, but so far the data reported under FISMA is aggregated and incomplete. Phishing attacks are reported voluntarily to US-CERT by private individuals and organizations and so the number is likely much, much higher. Compounding the issue, federal agencies are not required to report attempted phishing incidents, according to the FY 2012 FISMA report.  Federal agencies primarily report incidents of the loss or theft of laptops, mobile devices, authentication tokens or smart cards, and incidents involving the mishandling of potentially sensitive or controlled unclassified information, whether they have a cybersecurity component or if they are a non-cyber- loss of hard copy personally identifiable information (PII) records.

Implications

While there are the occasional reports of phishing attacks up federal departments, the lack of comprehensive data on the volume and success of phishing scams inside federal agencies is concerning. Phishing scams have grown in sophistication and complexity as the volume and extent of personal data stored on networks has ballooned. And this data has enormous economic value, especially when it involves identity information. This is evidenced by states selling their citizens’ personal information, including New York, Florida, Ohio, Oklahoma, and Texas, and some states using the data across agencies to reduce fraud, like Virginia. While laws are on the books against selling patient data, that data is a tasty target for scammers and thieves.

The need for data security and user protections grow as the pace and scope in which government agencies aggregate and cross-utilize greater amounts of personal information continues to increase. The connection of health insurance and tax records, etc. will raise the stakes. Some of this relates to simple secure document handling. Given US-CERT’s data that more than 25% of federal security incidents in FY 2012 were non-cyber- incidents like hard copy PII spillage it makes sense that HHS would include cautions to the new healthcare navigators not to leave PII or individual tax return information on fax machines and copiers, as reported recently.

On the phishing side, the best protection to date against such attacks has been an aware and cautious user who does not take the bait. Without data on federal phishing incidents it is unclear to what the degree federal agencies are subjected to these attacks and how successful they are. While health insurance exchange-related phishing scams will likely target consumers the most, expect phishing and other attacks to also target internal system users and administrators to obtain their credentials and gain access to PII.