Soon a comprehensive database of the 2016 Obamacare plans and prices will be released. As expected, the prices will rise in 2016. But that’s not all Obamacare recipients have to worry about. The government’s system is rife with security problems. Even those who don’t have Obamacare are at high risk of being hacked. Healthcare records, in general, have been under malicious attack.
Identity theft, for instance, which has long been an issue, occurs most often by way of access to medical records. Hence, most identity theft in the U.S. is related to medical records.
And identity theft is the largest consumer crime reported to the Federal Trade Commission, leaving millions of victims in its wake.
HealthCare.gov, which has experienced a myriad of issues since its inception, has never been a secure site. Upon accessing the website, visitors’ personal identities are placed at significant risk. Additionally, as you may recall, the federal government has allowed navigators, who have not undergone background checks, to handle site visitors’ personal information. In fact, most states don’t conduct background checks on exchange navigators, though they have access to a whole host of private information, including Social Security numbers, financial records and health information.
As an example of the danger of the government’s negligent hiring practices, a National Review report in 2014 found that at least 43 navigators, approved by California’s health exchange, had prior convictions, including convictions for welfare fraud and forgery.
The Obama administration wouldn’t even admit to the absence of background checks until coerced into doing so via a Senate Finance hearing:
“At a November 6, 2014, Senate Finance Committee hearing, Kathleen Sebelius admitted to Senator John Cornyn (R-TX) that the federal government conducted no background checks on Obamacare navigators, and it was ‘possible’ that they could be convicted criminals. The exchange went as follows:
Cornyn: ‘So I want to ask you about the navigators … Isn’t it true that there is no federal requirement for navigators to undergo a criminal background check, even though they will receive sensitive personal information from the individuals they help to sign-up for the Affordable Care Act?
Sebelius: That is true ….
Cornyn: So a convicted felon could be a navigator and could acquire sensitive personal information from an individual unbeknownst to them?
Sebelius: That is possible.’”
Adding to the likelihood of Obamacare recipients getting hacked, HealthCare.gov still has numerous security issues. This is according to a recent federal audit conducted by the inspector general of the Department of Health and Human Services (HHS). The Hill has noted that:
- “HealthCare.gov relies on a $110 million digital repository called MIDAS to store the information it collects.
- MIDAS doesn’t handle medical records, but it does store names, Social Security numbers, passport numbers, addresses, financial information and employment information.
- MIDAS doesn’t encrypt user sessions, which is common policy for most online financial transactions.
- The Centers for Medicare and Medicaid Services (CMS), which oversees the site, has been negligent in performing vulnerability scans that might have revealed weaknesses in the website’s servers.
- The HHS audit found 135 database vulnerabilities — such as software bugs — 22 of which were classified as ‘high risk.’”
Healthcare providers in the U.S. are projected to lose $305 billion in the next five years due to cyberattacks. Yet another way for attacks to take place is through the practice of BYOD (Bring Your Own Device), in which you share your healthcare info with doctors and other medical employees directly from your own device, which is typically a phone, tablet or laptop. Your information is downloaded to their personal devices.
This is a serious potential problem because most organizations do not require their employees to install antivirus/antimalware software on their personal devices or remove all mobile apps that may present a security risk. ABC News reports that, “even at organizations that do have some kind of protocol regarding BYOD and antivirus or antimalware software, self-policing tends to be the rule. There is no way of knowing whether a given employee has downloaded every update, so protection against malware may be very spotty, even if on the surface it appears to be an issue on an organization’s radar.”
Again, this would open up your private records to cyber criminals who could gain access to your Social Security number and other sensitive data. ABC News warns:
“In addition to these financial risks, your medical records provide information that can be used in other ways. For instance, once a criminal has your personal information and insurance details, he or she can use it, or enable another person to use it, to gain access to the healthcare system in your name, and the result could be the contamination of your medical records with his or her co-mingled information. Nothing is more dangerous than going to a hospital and having ‘your’ medical records, as used by an identity thief or his/her customer, reflect an inaccurate blood type, medical history or the existence or absence of certain allergies as you are trying to access care, particularly in an emergency situation.”
What happens if an impostor uses your insurance to gain access to healthcare? That could affect your ability to access care because many insurance plans have annual caps on certain procedures and treatments. At any rate, no insurance company is going to pay for someone to have an appendectomy twice. An identity thief with access to your insurance could drain your coverage before you are aware it has happened. And that could lead to life-threatening results. The same goes for prescription drug coverage. Any controlled substance prescribed by your physician would be fair game to digital thieves with access to your medical records.
In an attempt, purportedly, to help resolve these issues, the Cybersecurity Information Sharing Act (CISA) was advanced in the Senate last week by a vote of 83-14. A final vote is anticipated this week. The Electronic Frontier Foundation (EFF) opposes the bill, cautioning that it aims “to facilitate information sharing between companies and the government, but their broad immunity clauses for companies, vague definitions, and aggressive spying powers make them secret surveillance bills.”
Some disturbing aspects of the bill:
- “Sharing Information with NSA – Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies—like the NSA—‘in real-time.’
- Overbroad Use of Information – Once the information is sent to any government agency (including local law enforcement), it can use the information for reasons other than for cybersecurity purposes. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes.
- Near-Blanket Immunity – The bill also retains near-blanket immunity for companies to monitor information systems and to share the information as long as it’s conducted according to the act.”
If passed, CISA would only add to the number of people who can access your personal data. It’s a surveillance bill, not a cybersecurity bill. Tellingly, with the massive amount of surveillance already in place, its impact on terrorism and cybercrime is almost non-existent.