Opinions vary widely on the merits of the Affordable Care Act. There is little doubt, however, that the roll-out of the Affordable Care Act's website, Healthcare.gov, leaves something to be desired. Since its launch, there have been hundreds of bugs as well as hacking attempts and security warnings. There are lessons here for enterprises as they consider a move to the cloud.
Certainly, Healthcare.gov was set up for individual healthcare consumers, and healthcare consumers have no other viable options for signing up to healthcare exchanges. Still, there are enough parallels for enterprises to take note. The debacle illustrates that enterprises cannot move sensitive data to the cloud while relying blindly on cloud service provider security and assuming that the data is safe.
Since enterprises have multiple options, they need to assess the service provider’s security commitments and understand the risks they are assuming before moving sensitive data to the cloud, while identifying the data that needs to be independently secured.
Here are 5 major cloud data governance and ownership concerns surfaced by the issues with the Healthcare.gov website:
1. Assuming the Affordable Care Act continues as planned, the Healthcare.gov website is set to become the largest database of Americans and their personal information--including names, birth dates, social security numbers, and email information--in recorded history.
A database populated with such a wealth of personal information will by definition be a major target for hackers, other governments and organized crime. As such, the website requires extreme security and controls to be in place prior to collecting such a vast amount of personal information.
* Cloud service providers can provide and maintain higher levels of security than many individual enterprises. But the more data moves into their environment, the more enticing it becomes as a target for financially motivated attackers. Enterprises must be cognizant of the risk -- especially where a data breach could result in compliance penalties. The standard for data security outlined by the HIPAA-HITECH Omnibus Rule is now risk-based, with the implication that enterprises cannot outsource accountability for cloud service provider breaches -- even with a BAA in place.
2. In November 2013, four experts in cyber security testified in front of Congress, citing numerous security flaws with the Healthcare.gov website. They attributed the risks to the complexity of its 500 million lines of code (more code than Facebook) and a rushed rollout that failed to properly test the website. They advised Americans to refrain from using the website. The recommended course of action was to take down the website until the security of the website could be achieved and properly tested.
* Enterprises should look to cloud service providers to demonstrate their commitment to secure coding practices. Microsoft’s Security Development Lifecycle is a specific example of a commitment to secure coding practices.
3. Lack of transparency: In the event of a breach of the Healthcare.gov site, the federal government is not required to notify the public or the specific users who were impacted by the breach. If there is a breach, users will be unaware, analogous to the PRISM program, where users were not aware that their information was shared with the NSA until Snowden leaked it to the press.
David Kennedy, one of the security experts on the panel, felt that the team working on Healthcare.gov is more likely to hide its security flaws than address them. Case in point: when a security breach was exposed with the auto-populate in the search -- where malicious code was populating search results -- rather than securing the tool, it was simply removed.
* Enterprises must demand visibility from their cloud service providers as part of their contractual agreements. Increasingly, end users are turning to the Cloud Security Alliance’s Cloud Controls Matrix and STAR Registry as an independent benchmark to assess the level of reporting and incident response processes to which cloud service providers commit.
4. Back in November, when experts identified numerous security risks to Healthcare.gov, they expressed concern that the personal information of millions of Americans was at risk. They recommended taking down the site while working to fix the bugs. However, the site has not been taken down. The developers are attempting to fix the website while it is up and running, which can ultimately cause the problems to get worse.
Morgan Wright, a cyber terrorism expert and the CEO of Crowd Sourced Investigations, LLC, expressed concerns. “You create an unintended series of cascading events you have no control over because you don’t have a grasp of what the code is actually doing,” he said. “You think you’ve changed one thing, by doing that you’ve opened up a Pandora’s box of vulnerabilities on the other side.”
5. A system such as Healthcare.gov that aggregates and stores such a vast collection of personal data, especially one with the vulnerabilities pointed out by the many IT experts, requires assurance from the President that the data is secure. The President should provide a list of the security measures in place to ensure that citizens’ personal data is safe and not at risk. However, no such assurance has been provided by the White House.
“Unfortunately, the personal information that has already been entered into Healthcare.gov is vulnerable to online criminals and identity thieves,” said Rep. Lamar Smith (R-Tex.), Chairman of the Science, Space, and Technology Committee. “President Obama has a responsibility to ensure that the personal and financial data collected as part of Obamacare is secure. It is clear this is not the case.”
* Enterprises that move sensitive data -- especially data covered by HIPAA-HITECH -- can no longer rely on service provider assurances. If they are taking a risk-based approach, they must independently secure their cloud data through encryption, and practice sound key management processes.