
Network Security Drill Could Probe HealthCare.gov

Olivier Le Queinec/Shutterstock.com

An upcoming drill aimed at testing the ability of the health sector to communicate with the government in the face of a debilitating cyberattack might just end up infiltrating HealthCare.gov, the top network security official at the Health and Human Services Department told Nextgov.

Intertwined systems that shuttle personal health information, such as the Obamacare website, can create headaches for entities trying to exchange threat intelligence while protecting privacy. So, in anticipation of a sector-wide hack someday, hospitals, insurers, HHS and other health-related organizations will rehearse real-time information sharing during a live, simulated attack.  

"HealthCare.gov is one of the systems that connect these players to the government," HHS Chief Information Security Officer Kevin Charest said in an interview. That being the case, testers may exploit that connection during the exercise, he said.

Separately, security testers routinely try to penetrate HealthCare.gov to identify weaknesses, he added. 

Charest spoke on Monday amid allegations by House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., and other Republicans that data is less secure in the online hub than officials have claimed.

This spring’s simulated attack, scheduled for March, will not target a specific website, network or facility, but rather execute an assault that touches on all segments of the industry. The storyline is still in development.

Peripherally, in the course of this exercise, HealthCare.gov might be drawn into the attack. “We want to get as many folks playing as we can,” Charest said.

Complicating security matters that arise from the interconnected networks, health care officials also must comply with medical privacy laws and be attuned to liability issues. 

In an industry where information sharing can break the law, leaders are still trying to figure out how to communicate, HHS officials said.

"We may create a different way of speaking about incidents -- maybe we can find a way to genericize them such that they are non-attributable," Charest said. "Let’s get the information out, and let’s let folks know what’s happening, but do it in a way that protects the entity doing the sharing."

The results of the March exercise might prompt entities to change their business practices, not just technology operations.

"We don’t necessarily need a lot about the context if we’re looking at a particular campaign by some would-be attacker,” Charest said. “What we need to understand is the M.O.: How is this attacker going about doing what they are doing? And if we can do that in a way that takes the attribution -- Who might be being attacked and what’s happening in their particular networks? -- out of the equation, I think we [enable] the sharing."
