Why Heartbleed May be more Troubling for Healthcare.gov in the Long Run

Users of HealthCare.gov are being asked to change their passwords due to the federal exchange’s potential vulnerability to the Heartbleed security flaw, and the warning is troubling, analysts say, as medical information is hotter than ever for criminals looking to make a quick profit.

The federal insurance exchange site posted a warning on Saturday alerting users of the potential compromise. Aaron Albright, Centers for Medicare and Medicaid Services spokesperson, told FOXBusiness.com the administration is continuing to monitor and take precautions to protect consumer data.

Healthcare.gov does not store medical records or payment information.

“HealthCare.gov uses many layers of protections to secure consumers’ information. While there is no indication that the Heartbleed vulnerability has been used against HealthCare.gov or that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of abundance of caution. Consumers are being notified with instructions on how to change their passwords the next time they log on.”

Identity theft has evolved over the years; it’s not just credit card and bank account numbers scammers are after, as medical records are much more valuable. These records are all-encompassing and less easily replaced than credit card data. According to The Ponemon Institute’s March report, the health care and insurance industries have faced a 100% increase in criminal attacks since 2010. In 2014, 40% of health-care organizations reported attacks on their sensitive data.

Larry Ponemon, chairman and founder of the Ponemon Institute, says medical records are infinitely more valuable to criminals than personal information. “If I want to basically create a financial identity theft crime, I can do it just as easily with a health record, because it’s a collection of pieces of information that individually might be valuable,” he says.

The Heartbleed bug was found in some versions of OpenSSL, an open-source software that many websites use to encrypt communication on the web. The security flaw puts usernames, passwords, credit card numbers and anything else stored on a server’s memory at risk.

The bug was discovered at the beginning of April by researchers at Google (NASDAQ:GOOG), but has been around for nearly two years. Several major companies use OpenSSL code, including Amazon (NASDAQ:AMZN), Yahoo (NASDAQ:YHOO), eBay (NASDAQ:EBAY) and Microsoft Outlook (NASDAQ:MSFT). Fraudsters can’t request specific user data with the Heartbleed flaw, but they can gather enough information to piece it together, according to reports.

Healthcare.gov operates in 34 states that opted not to set up their own insurance exchanges under the Affordable Care Act. The law requires every individual in the country to have insurance or face a fine of $95 a year for failing to comply. As of April 17, the White House says 8 million people had selected plans on both state and federal exchanges.

Rob Sadowski, director of technology solutions for cyber security firm RSA, says the Heartbleed bug is particularly troubling for Healthcare.gov, because health information brings major financial returns for criminals.

“Health care is a $3 trillion industry and we are seeing a lot of fraud in there,” Sadowski says. “It can only increase as more and more of these services move online, if they aren’t protected effectively. Criminals are always really good at finding and exploiting vulnerabilities that lead to big gains.”

Security and Server Transfers

Healthcare.gov is in the middle of a server transfer to move users’ information to a new contractor’s servers. Terremark (a subsidiary of Verizon) was hired to operate the data center for Healthcare.gov’s inaugural rollout, and its contract was set to expire this spring. It has been renewed to facilitate the move to Hewlett-Packard’s servers ahead of November’s 2015 open enrollment period.

“CMS is undertaking the necessary activities to transition the data center over to HP. As such, we extended Terremark’s contract term in order to ensure a successful transition between the two contractors. HP and Terremark will work together so that the site runs smoothly for consumers during the remaining weeks of open enrollment,” Albright said in an email message.

Ponemon says both Verizon and HP are top-notch when it comes to server security, but adds that security risks are always present anytime data is being transferred to a new server.

“It’s just system glitches, mistakes and human error. I don’t expect it to be a significant problem, but this is Healthcare.gov and the perception of it having significant insecurities is out there.”

While Sadowski says the specifics of the server transfer are not clear, hacking into a site like Healthcare.gov is a high-profile move for a criminal looking for access and notoriety within the underworld.

“Healthcare.gov is a clearinghouse,” he says. “Would you rather hack into 10 different sites, or go to the one with the most information on it? Heartbleed is almost a front door to gain access to user information or credentials to exploit online services.”