HealthCare.gov Breach: What Was Really Lost?

By James Christiansen

The reported breach of HealthCare.gov is just one of many breaches announced during the past few weeks. HealthCare.gov holds sensitive information on millions of Americans, so any breach in the security of the website could lead to major privacy issues. According to reports, the breach occurred on a test server that held no consumer data and was not intended to be connected to the internet. The default password had not been changed, which is one of the most basic mistakes a system administrator can make, and how the server was inadvertently allowed access to the internet is of concern.

Having been a CISO for global organizations, I understand the complexities of securing a major web site. It can be difficult to ensure the organization’s development team understands that even the breach of a test system can result in major reputational damage. The trust of consumers is in the brand name. If this almost non-event had not occurred with a trusted government website, the breach wouldn’t have been newsworthy. Of course, as the investigation into the total impact of the breach continues, the circumstances may change.

It is important to keep our eyes on the big picture. There continue to be major breaches across multiple business sectors, and we need to avoid getting “security breach fatigue.” We cannot throw in the towel and accept that major security breaches are just a way of life. The only way to protect the corporate assets and consumer personal information is by implementing a holistic, business-aligned security strategy, understanding the true threats to the sensitive data, and staying focused on implementing the appropriate security controls.