"Trusted sites" is another consideration. How many "hacks" of major systems occur because the attackers used a system one or more removed from the eventual victim? So, healthcare.gov is trusted by...state.gov or a .mil or whoever. You use one to gain access to another. Then you use that to go elsewhere. It isn't a far fetched scenario because a vulnerability in one is a vulnerability in all.
The ACA/ Obamacare Website Fiasco Thread
- Thread starter AWP
- Start date
Scotth
Verified Military
Sooooooooo the site was hacked in July but the breach was not discovered until last week?No worries? Seems legit. :-"
http://thehill.com/policy/healthcare/216700-report-healthcaregov-was-hacked-in-july
Well first off the head lines are a whole lot different then the actual event. No the Helthcare.gov website wasn't hacked. The healthcare.gov TEST website was hacked.
If the fed is anything like us in the private sector our TEST sites aren't connected to our production servers in anyway and security related to a TEST site reflects that. Why would you even bother creating a test website enviroment if your planning on making it a production system?
Yah it got hacked but that doesn't mean one system compromised another. Maybe I'm wrong, with how the government does it, but this is hardly big news because breaching a test enviroment is hardly breaching production enviroment.
Last edited:
It is and it isn't. Without knowing the details we have a few "if's", but I still think it is noteworthy. Depending upon the mechanism(s) involved in the breach, this is a big deal. In my experience it is very rare for a test environment to have a different security level than production environments. Given that patches and software upgrades can break existing sites or functionality, it is one of those things you have to test. Plus the bad guys are seeing the code and how the servers are set up. Again, this mimics the production environment.
Outside of a honeypot or some details we don't know, this is still a big deal.
Scotth
Verified Military
I don't disagree with what you said and obviously I know about as much as you do about the particulars of this case. You would have hoped that the production versus the test system would have had the same updates/patches installed but who really knows?
The biggest issue that would happen between a test and production system access would probably revolve around the the firewall access in my first guess but then again that is a guess. If anything when the actual mechanism for the breech gets discovered they will have probably made the production system even stronger.
So lets thank the bad guys for not knowing any better and attacking the test system instead of the production system.
Last edited:
I would think that Healthcare.gov would be the gold standard and height of security and integrity of such systems existing in the world today. As "Jane Average" citizen, its a little more than worrisome that this event was not noticed for over a month. So much for your healthcare being between you and your doctor.
TLDR20
Verified SOF
- Joined
- Jan 7, 2009
- Messages
- 6,235
Your healthcare even in the case of this breach will still very much be between you and your doctor. If you understood what healthcare.gov is, which apparently you still don't, that would be apparent to you. Quotes like the above are part of the reason real problems with the ACA are not addressed.
Healthcare.gov is a marketplace where you view insurance plans. Once you have said insurance(through a private company) the relationship with healthcare.gov, or .gov in general ceases and you only deal with the insurance company.
Your snarky comment doesn't meet the mark as it only highlights your continued ignorance of facts, which almost a year into the operation of the site is rather appalling.
Last edited:
Your bank account information among other things are required to purchase your health coverage on this site? Again, (and again) I know you do not like me or my opinions, but your continued denigration of me in your posts is apparent.
In addition, I work with the ramifications of ACA every day in my job. ACA and EMR are hand in glove with physicians being paid for their services and not assessed penalties which will be coming down in 2015. So yes, ACA is a driving force in your healthcare records and financial records being totally online vs a paper chart in your Doctor's office or a chart in your local hospital, and available to a variety of outside entities at the click (or hack) of a button.
http://www.medicalrecords.com/physicians/meaningful-use-government-incentives-information
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
http://www.medicalrecords.com/physicians/meaningful-use-government-incentives-information
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
TLDR20
Verified SOF
- Joined
- Jan 7, 2009
- Messages
- 6,235
Bank account information has nothing to do with what I responded to. You said
Last I checked bank account information had ZERO to do with healthcare decisions between a doctor and a patient.
This comment either doesn't belong here, and you posted it accidentally, or you are being willfully ignorant of facts and coming here to propagate bullshit.
As to my denigration of your posts, if you post something that is lacking a basis in any kind if fact, I will criticize it. If you think it is unfair for me to criticize something that you posted in the open, then I don't know what to tell you.
I will pass along your sentiments to the patients I have that are dealing with issues directly related to their enrollment in the ACA and how it is impacting their healthcare. Particularly the gentleman who, somehow has had his ID # switched out with that of his son's, that no one can seem to get corrected. Healthcare.gov blames the vendor and the vendor blames the Healthcare.gov sign up. These individuals do not share the same exact name either. This is most certainly affecting the health care of both individuals as claims are being denied and this has disrupted the life sustaining medication the father requires as well as surveillance testing the son requires due to a (now in remission) pediatric cancer. Sure, the patient is free to pay out of pocket for these expenses if he wishes to stop paying all of his other obligations in life. While the government has stepped in to make sure everyone has healthcare that is affordable, the sad fact is that is not playing out for every citizen. This particular patient is paying for his healthcare as mandated by law, but he is certainly having a hard time getting anything covered regarding himself and his son. He has told us this issue has affected his income tax filing this past year as well, due to this switching of numbers. Couple all of that with the legal fees he is paying to try to get this snafu rectified. This family did not have any issues until they were forced to utilize the ACA due to the patient's employer dropping health care coverage, as they found the options too expensive to sustain their business. The ACA has most definitely affected the healthcare decisions for these people. Luckily the cancer center where the son was treated has agreed to cover any life sustaining treatment on a charity basis for the child. However, they will not extend that to his 3 month surveillance for recurrence testing. For that, an out of state charity based cancer facility has agreed to provide any needed testing. However the family has to travel to the facility at their own expense. As for the father, he has resorted to a less than optimal treatment modality that is far less effective for him, for now. Hopefully the plethora of letters and documentation my boss has provided for him will soon be effective and his optimal treatment will be restored an properly paid for.
Penalties for not participating with the ACA will be assessed via the IRS. http://www.savingtoinvest.com/2012/...-having-health-insurance-under-obamacare.html
I do not see how this could ever be a problem.
Penalties for not participating with the ACA will be assessed via the IRS. http://www.savingtoinvest.com/2012/...-having-health-insurance-under-obamacare.html
I do not see how this could ever be a problem.
STOP FIGHTING MOM AND DAD!!!
Look, I purchased insurance through an exchange, and the only time I input bank account information was when I was making payments through the insurer's website. At no time did the exchange ask me for bank information. So as to that point, it's not a concern. However, the exchange website did ask for personal information, to include SSN, so if the healthcare.gov website is breached then customers' identities may be at risk.
Look, I purchased insurance through an exchange, and the only time I input bank account information was when I was making payments through the insurer's website. At no time did the exchange ask me for bank information. So as to that point, it's not a concern. However, the exchange website did ask for personal information, to include SSN, so if the healthcare.gov website is breached then customers' identities may be at risk.
So in order to facilitate your payments you did indeed provide your banking information, correct?
Is this the correct profile of information gathered during the sign up process in your experience?
http://waysandmeans.house.gov/uploadedfiles/pdf_cms_1_031313.pdf
Is this the correct profile of information gathered during the sign up process in your experience?
http://waysandmeans.house.gov/uploadedfiles/pdf_cms_1_031313.pdf
TLDR20
Verified SOF
- Joined
- Jan 7, 2009
- Messages
- 6,235
I only gave bank information to BCBS.
To the computer folks, can you explain to people like me that do not know/understand what would be the point of this "hack" and how it happened if the server was not supposed to access the internet? Why would any government system have low security settings as stated in the article? What could have happened if this breach has not been manually located, and what is the possibility such like things sitting there that have not even been detected?
http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043
http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043
I provided account/routing information to the insurer (in this case, Anthem Blue Cross). I believe that the only information that I provided to the exchange site was voluntary info about income, savings and the like (as outlined in section 11).
TLDR20
Verified SOF
- Joined
- Jan 7, 2009
- Messages
- 6,235
Your first question is incorrect, the payments are made to the insurance company you purchase coverage through.
That is the exact profile of questions I was asked, there is no banking information asked there, only tax and income questions.
Last edited:
Yes, at the INSURANCE site, NOT healthcare.gov. I looked into it before we started on Tricare, at no time do you enter payment into on healthcare.gov. They match you with insurance companies. Yes, you need to enter SSN and IRS tax info but not bank account info.
Last edited:
comrade-z
Unverified
I can't read that article (I don't have a subscription), but I can try answering your questions as is.
If the server could not access the internet at all, then that really does suggest that the DDoS software was very likely not the main payload - more malware could have been on the way, or even already installed. Perhaps it was used to test to see if they could just get any malware onto the machine. DDoS software (Distributed Denial of Service) is malware that is used to cause traffic jams on a network, in order to paralyze access to resources - it is what gets used to prevent access to websites for example. Other possibilities exist, but DDoS software is generally not as effective on devices that can't reach out to the internet - from an internal test server it *could* still cause a decent bit of mayhem on whatever internal network that server was on, or, since the hackers clearly had a way on to the machine, they could have directed traffic back out the way they came. How smart this would be depends on the local network design, as it could be anything from being easy to do, to being easy to set off alarms.
Lower security relative to other systems will always exist, as higher security comes with more restrictions on usability - while it would be nice to have the full organization's security applied to every device, it isn't always realistic. *How* much lower the security was for this server, and in what ways.....*shrug*. Chances are that is information that will not be publicly released as part of any investigations findings due to sensitivity.
How it happened isn't something that can really be answered with currently available knowledge - how segregated from the internet was this machine, what security was or was not in place, where was this machine within the internal network, etc.
What could have happened if it hadn't been located is also a big question - anything from "nothing" to "hackers now effectively own the entire internal network". This is a complete unknown until all potentially affected systems have been completely segregated from everything else, and get thoroughly checked, multiple times. It really depends on who did this, what they wanted from this system, and whether the DDoS malware was all that they put onto the network - however I would wager that there is a strongly non-zero probability that there could be more malware on the particular server or on other machines.
I know some of you on here are more directly involved with IT on a daily basis than I am, so any corrections, additions, etc would be appreciated.
