The vast amount of consolidated sensitive information passing through health information exchanges is unprecedented, and will introduce privacy and technology risks that HIX stakeholders need to be vigilant in addressing.
Questions arise as to who will have access to this information, how secure it will be from cyberattacks, and what training and clearances will be required to access and protect the data from fraud and abuse.
In many ways, the HIX will form part of what we have come to consider “critical digital infrastructure.” Critical infrastructure, which houses and processes sensitive and potentially valuable information, attracts threat agents and is vulnerable to a wide range of security threats. A sophisticated attack that seriously disrupts the HIX for a prolonged period across a wide geographic area could devastate the health services ecosystem.
Today, a cyberspace battle is continuously being fought between attackers and defenders of critical infrastructure. For defenders, it is virtually impossible to beat opponents without understanding their attack methods. The HIX is yet another target that will need the strongest and most robust of security defenses to keep private health information secure.
As the HIX ecosystem is launched, and continues to evolve in its sophistication and usage, it is likely to encounter five key security threats that will, in turn, require constant monitoring, assessment, and the implementation of appropriate counter-measures.
Let’s look at these five key threats in more detail:
1. Unauthorized access to PII. The HIX will collect data from consumers on the front-end via a web portal, and exchange data with other systems on the back-end through the Federal Data Services Hub. The Hub connects multiple government agencies to create a single access and verification point to the personal health information of millions of Americans. This Hub is necessary to verify eligibility for the law’s myriad subsidies and tax credits. Employment and income verification will come from the IRS, veteran status from The Department of Veterans Affairs, and immigration status from the Department of Homeland Security. Individual state governments will also contribute and have access to the data.
Authorized and potentially unauthorized users of the system will be able to tap into a treasure trove of consolidated private information, including names, social security numbers, birth dates, employment information, gender, and ethnicity status. Unauthorized access can result from a wide range of security threats including breaches, phishing, identity theft, web and client-side attacks, targeted messaging attacks, botnets, rootkits and logic bombs, or insider or contractor negligence. These threats can have devastating results if Personally Identifiable Information (PII) and payment data are lost, stolen or abused.
2. Vulnerabilities increasing threat exposure. Several states may either choose to join hands and run a multi-state exchange, or opt out of running their own exchange, and default to a federal exchange. This flexibility will make the overall HIX ecosystem very complex. Multiple discrete systems operating together increase the attack surface, which, in turn, introduces risks due to a greater number of potentially chained vulnerabilities. For example, front-end verification portals may have inconsistencies in design that allow fraudulent, faulty, or incorrect transactions during enrollment, all of which may have processing implications on downstream systems.
As a result, security must be built into the architecture of the HIX hub at the design stage itself, in order to avoid the high cost of fixing vulnerabilities after systems are in operation. A recent report from the OIG notes that the CMS postponed certain security risk assessment and testing deadlines, leading some experts to speculate that corners may be cut and vulnerabilities may remain embedded in the system after the HIX launch date of Oct 1, 2013.
3. Identity Theft. The HIX is a prime target for identity thieves and cyber attackers. While much of the information in the federal hub is not stored, data in motion is still vulnerable to certain types of attacks, and requires the strongest possible security measures to prevent breaches. This is important because over the next decade we can expect the interconnectivity between consumer and health systems to expand dramatically. According to estimates, there will be 1.158 billion users of mobile health technology by 2020.
With the advent of Advanced Persistent Threats (APTs), adversaries are likely to take advantage of zero-day based exploits, sophisticated architectures, and malware obfuscation to launch long-running security attacks that slowly exfiltrate information from under the radar of security monitoring control systems. Cyber-attacks will continue to target critical infrastructure by abusing security gaps in interconnected systems. The 2013 Verizon Data Breach Investigation Report states that during 2012, 66 percent of data breaches remained undiscovered for months or more. In 69 percent of the cases, a third party discovered the breach. So, it is fair to say that a breach could not only occur, but also remain undetected in the HIX ecosystem for some time before its existence and impact are fully understood.
4. Fraud. The scope of the HIX is vast, spurring the potential for fraudulent payments to go undetected. Today, health care fraud — be it billing for services not rendered, falsifying records, forging physicians’ signatures, or altering health care plans — costs the U.S. a whopping $80 billion every year. Ultimately, it is the average citizen who bears the price through expensive health plans and reduced benefits and coverage.
While the government is making efforts to combat fraud and waste, the HIX poses a fresh set of problems. For instance, unauthorized “navigators” might spring up, swindling consumers into buying fake insurance online, or promising to help them select qualified health plans, and in the process, collecting and misusing their personal data.
Over time, we would expect the use of big data analytics to actually reduce such fraud incidents and other security risks. Payers will be able to track and analyze information, ranging from claims to past payouts, and identify suspicious behavior and fraud.
5. Inadequate incident reporting, response, and notification. Should a security incident occur at any level — be it a business process, application layer, network, or technology infrastructure — aligned policies and processes need to be in place to rapidly respond to and contain the impact of the incident, as well as comply with data breach notification reporting standards.
The 2013 Post Breach Boom report claims that while data breaches have increased in severity and frequency, many organizations do not have the tools, personnel, and funding to prevent, quickly detect, and contain these breaches. Bringing together people, processes, and technologies to keep sensitive information secure is a challenge even for a single organization, let alone a complex network of participants such as those that comprise the HIX.
HIX stakeholders need to prepare for incidents before they happen. They also need to agree on processes to identify, classify, contain, and disclose incidents as soon as they occur, in order to prevent possible collateral damage. Effective coordination across the HIX ecosystem will be critical for effective incident and breach response.
Responsibilities and processes for notifying victims of PII breaches will need to be very well-defined. Forensic, investigative, and operational procedures to understand, eradicate, and recover systems will need to be effectively designed, tested, and implemented so that in the event of a breach, the systems would first be returned to security baselines before they are returned to operations.
Conclusion
The HIX is a double-edged sword. No doubt, it will offer people a convenient one-stop shop to access health care plans, compare benefits and prices, and choose the best-suited option for them. But in the process, millions of Americans will be potentially exposed to a range of security risks as a result of the complexity and scope of the HIX ecosystem.
A well-designed set of processes, supported by a robust and resilient technology framework, will ultimately provide a more effective, efficient, and secure delivery platform for health insurance. The potential impact of security threats remains significant at all levels: society, government, and national security. That’s why it’s so important to focus on the highest level of continuous improvement in order to achieve a near real-time, agile information sharing network that provides a high level of proactive defense.
The HIX presents an opportunity to bring a new level of performance into the health insurance marketplace. Let’s continue to demand that robust security be driven into the operational fabric of the HIX, and that proactive risk management is pervasive throughout all levels of the ecosystem.
Yo Delmar is vice president of GRC (governance, risk and compliance) solutions at MetricStream.