BOSTON -- The rocky rollout of the Affordable Care Act's health insurance marketplaces included a number of potential security risks, but one expert believes that healthcare data can remain secure with the right controls.
A key function of the Affordable Care Act (ACA), commonly referred to as "Obamacare," was to provide U.S. citizens with access to digital marketplaces to shop for healthcare coverage, either through state-based exchanges or federally facilitated exchanges.
While the concept doesn't sound overly complex on the surface, the number of complex systems that must interoperate for the exchanges to function is staggering, according to Scott Margolis, founder and managing partner for Wakefield, Mass.-based healthcare infosec consultancy SolutionLab LLC, which played a part in the implementation of the Massachusetts health insurance exchange.
Speaking Tuesday at the SecureWorld 2014 conference, Margolis said the Centers for Medicare and Medicaid (CMS), the government agency overseeing the ACA rollout, laid out a number of requirements for state-based healthcare exchanges to meet before Oct. 1, 2013, the first day consumers were allowed to peruse the exchanges. Without approval from the CMS, the exchanges would be unable to access the necessary data from the federal hub, which accesses information from numerous government agencies, including the Department of Health and Human Services, the Internal Revenue Service and the Social Security Administration, to check Social Security numbers, incarceration records and annual household incomes, all of which are needed to establish a consumer's eligibility for healthcare plans.
Among the most important CMS checkboxes states needed to tick before launching the sites, according to Margolis, were completing an IRS safeguard procedures report and an infosec risk assessment, establishing a contingency and recovery plan, and performing a number of site inspections.
Margolis indicated access to the federal data hub is just one side of a complicated coin, with states still liable for integrating any relevant legacy systems. In such instances, he recommended that states eliminate as many unneeded systems as possible and destroy any unnecessary data.
"Systems are always managed and maintained and enhanced. All of this has to happen immediately at the speed of light," Margolis said. "People are doing a lot of things, and that's when accidents happen. Interoperability can lead to increased risk."
ACA security threats and countermeasures
By necessity, the ACA exchanges deal with a high volume of sensitive personal data, a fact that Margolis warned will not be ignored by attackers.
He pointed to recent numbers from the Ponemon Institute's fourth annual Patient Privacy and Data Security study -- in which Ponemon claimed healthcare organizations are losing $5.6 billion a year in costs related to data breaches -- to show the severity of the situation, in which even one slip-up could be costly for an organization. Ponemon indicated in the report that the ACA will only worsen an already bad situation, even going as far as describing the new online exchanges as a "smorgasbord" for criminals.
"This stuff is in the news every day, and we all know that," Margolis said. "If there's a glitch, it'll show up."
Healthcare organizations and exchanges face a wide variety of threats, according to Margolis, which necessitates implementing a number of security strategies. First, Margolis said users at every level should receive security training, which, though not a perfect solution, will hopefully eliminate some of the accidents that lead to easy opportunities for criminals.
Organizations, Margolis noted, also need a firm grasp on network activity. Closely monitoring the network may either enable an organization to stop an attack as it is happening, he said, or at least give security professionals the ability to respond to incidents more quickly, minimizing the exposure of data.
"Every organization has a profile of where their systems are and how they normally operate," Margolis said. "And if you have deviation from that profile, that may indicate something is wrong."
Though a long-discussed topic in the infosec community, threat information sharing is now a reality among healthcare organizations, according to Margolis, who advocated that attendees look to both healthcare-specific sharing models and more general threat info from organizations like MITRE.
The lack of proper access controls is another issue Margolis pointed to, and one on which attendee Anna L., an IT consultant for a Boston-area consulting firm who requested anonymity because she isn't authorized to speak on behalf of her company, agreed wholeheartedly.
Having performed audits for a number of healthcare organizations, Anna L. said that poorly managed user access is the most prevalent data security-related problem she has encountered; many outfits seemingly lose track of users as they either leave the company or even switch between roles or departments. "There simply aren't robust enough controls in place," she said.
Perhaps most importantly, Margolis emphasized that securing ACA-related data is not a process that ended as the exchanges rolled out. He advised healthcare organizations to regularly schedule a number of security activities, including a triennial audit program and quarterly vulnerability assessments, in order to maintain the processes that have been put in place.
"The takeaway is you went live," Margolis said, "but you continue to do the work."