U.S. Intelligence, HHS Fail to Locate Foreign Malware Inside Obamacare Networks

Healthcare.gov network was vulnerable to Heartbleed encryption bug

BY:

U.S. intelligence agencies and the Department of Health and Human Services investigated the software used by Obamacare computer networks but did not discover malicious code from Belarus, the HHS’ top information official said on Monday.

“Yes we have done a thorough review and we have worked with the intelligence community on that,” said Kevin Charest, HHS chief information security officer.

Charest, speaking to reporters following a recent cyber attack drill held by HHS and several healthcare companies, also said the department has urged the millions of new subscribers to Obamacare to change passwords to avoid losing personal data to the Heartbleed security software vulnerability.

There are no indications so far that Heartbleed has been used by hackers to steal encrypted data, Charest said.

The Heartbleed vulnerability was discovered earlier this month as a flaw in encryption software called OpenSSL. Healthcare.gov networks could be affected by the bug because some elements use the content delivery network operated by Akamai Technologies, Inc., which uses OpenSSL.

As a result, “we’ve put in new encryption keys, we’ve invalidated passwords and are now forcing folks to come in and reset their passwords,” Charest said.

“Again, it’s all just to ensure that we don’t have any compromise, and there is no evidence that there has been,” Charest said.

Meanwhile, the FBI warned last week that hackers are continuing to step up cyber attacks against health care networks.

“Cyber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market,” the FBI said in a notice to private industry dated April 17.

The cyber attack exercise called CyberRX was conducted April 1. One of its scenarios included a simulated cyber attacks that resulted in a major news network posting large numbers of usernames and passwords for patients, doctors, and nurses in the U.S. healthcare industry. This exercise scenario stated that “Healthcare.gov has been compromised,” affecting government offices, hospitals and insurance companies, according to a report on the exercise.

The report concluded that companies that practice sharing information can better respond to real cyber strikes.

Jim Koenig, a cyber security expert with Booz Allen Hamilton who took part in the exercise said one of its findings was that the current model of the national cyber security framework for critical infrastructure cannot protect healthcare organizations from current cyber threats.

“The growing adoption of new and connected health information technologies and widespread use of mobile devices continue to increase the industry’s exposure to potential attacks,” Koenig said.

Regarding the search for malware within Obamacare networks, Charest, the HHS information security chief, declined to comment on the role played by U.S. spy agencies in the investigation into whether there was software that originated in Belarus, a repressive dictatorship closely aligned with Moscow.

However, regarding an intelligence report from late January that warned that malicious foreign was likely inserted in Healthcare.gov network that could allow hackers to break and steal important data, Charest said: “We found no evidence of those claims being a reality.”

The Washington Free Beacon first reported the warning by U.S. intelligence agencies in late January urging the Obama administration to check the large-scale healthcare computer networks based on reports that software developers in Belarus helped produce the software.

The report raised new security concerns about the software and networks that connect millions of Americans to the federal government and more than 300 medical institutions and healthcare providers.

The report said that the use of software developers in Belarus had made the network a potential target for cyber attacks.

The warning followed the remarks of a Belarusian official, Valery Tsepkalo, director of a government-backed High-Technology Park in Minsk, during a radio interview. Tsepkalo said one of the technology park’s clients was “helping Obama complete his insurance reform” and that “our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies.”

Following disclosure of the warning, the White House announced that an intelligence report outlining the potential security compromise had been withdrawn from circulation.

A senior Belarusian official, Alexander Martinkevich, deputy director of the High Technology Park, stated in an email that software developed in Belarus is now part of networks used by U.S. medical and insurance companies that are involved in Obamacare. However, Martinkevich said no Belarusian software firms directly took part in developing Healthcare.gov. “If we did, it would work from the first day of its launch,” he said.

U.S. intelligence officials feared the use of Belarusian software developers would allow secret “backdoors” to be installed within the network that would permit the theft of data that could be used for financial crime or intelligence gathering.

Shawn Turner, an intelligence community spokesman, said the report on the healthcare network security vulnerability was pulled from circulation because it had not been properly vetted.

Critics have charged that withdrawing the report was an example of the “politicization” of intelligence—suppressing intelligence data that presents unpopular information that upset policymakers.

Obamacare computer problems have plagued the controversial government healthcare program since its beginning.

The FBI, in its notice to industry, said the shift to electronic health records must be completed by January 2015 and “will create an influx of new [electronic health records] coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit.”

The health care industry “is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats,” the notice states.

“The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

According to the FBI, the health care industry is “poorly protected and ill-equipped to handle new cyber threats exposing patient medical records, billing and payment organizations, and intellectual property.”

“Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., Virtual Private Networks (VPN), firewalls, and routers) were compromised,” the notice said. “Once medical devices are compromised, malicious traffic is transmitted through VPNs and firewalls.”

Compared to stolen Social Security numbers or credit card numbers, which cost as little as $1 each on the black market, electronic health records can fetch as much as $50 for one partial record, the FBI said.

Stolen health records can be used by cyber criminals to file fraudulent insurance claims, to acquire prescription medicine, and as part of identity theft.