Network Security Drill Could Probe HealthCare.gov

Olivier Le Queinec/Shutterstock.com

An upcoming drill aimed at testing the ability of the health sector to communicate with the government in the face of a debilitating cyberattack might just end up infiltrating HealthCare.gov, the top network security official at the Health and Human Services Department told Nextgov.

Intertwined systems that shuttle personal health information, such as the Obamacare website, can create headaches for entities trying to exchange threat intelligence while protecting privacy. So, in anticipation of a sector-wide hack someday, hospitals, insurers, HHS and other health-related organizations will rehearse real-time information sharing during a live, simulated attack.  

"HealthCare.gov is one of the systems that connect these players to the government," HHS Chief Information Security Officer Kevin Charest said in an interview. That being the case, testers may exploit that connection during the exercise, he said.

Separately, security testers routinely try to penetrate HealthCare.gov to identify weaknesses, he added. 

Charest spoke on Monday amid allegations by House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., and other Republicans that data is less secure in the online hub than officials have claimed.

This spring’s simulated attack, scheduled for March, will not target a specific website, network or facility, but rather execute an assault that touches on all segments of the industry. The storyline is still in development.

Peripherally, in the course of this exercise, HealthCare.gov might be drawn into the attack. “We want to get as many folks playing as we can,” Charest said.

Complicating security matters that arise from the interconnected networks, health care officials also must comply with medical privacy laws and be attuned to liability issues. 

In an industry where information sharing can break the law, leaders are still trying to figure out how to communicate, HHS officials said.

"We may create a different way of speaking about incidents -- maybe we can find a way to genericize them such that they are non-attributable," Charest said. "Let’s get the information out, and let’s let folks know what’s happening, but do it in a way that protects the entity doing the sharing."

The results of the March exercise might prompt entities to change their business practices, not just technology operations.

"We don’t necessarily need a lot about the context if we’re looking at a particular campaign by some would-be attacker,” Charest said. “What we need to understand is the M.O.: How is this attacker going about doing what they are doing? And if we can do that in a way that takes the attribution -- Who might be being attacked and what’s happening in their particular networks? -- out of the equation, I think we [enable] the sharing."
