As state health insurance exchanges begin operation, there is a new awareness of potential cybersecurity issues, as a flood of personally identifiable information flows through the system.
Within hours of the exchanges going live, security firms warned that hackers might try to create look-alike sites or deploy other tactics to trick people into handing over their personal information.
Intercepting data as it shuttles between systems is also a concern, because the larger exchange ecosystem consists of federal, state and third-party components. Uneven security and verification standards could create a weak link through which user data becomes vulnerable to theft.
These security risks have obvious implications for people using the health exchanges, but the scams may also target the government and contractor staff members who operate the exchanges.
Phishing remains the most widely reported type of cybersecurity incident, accounting for 68 percent of the 153,000 incidents reported by federal, state, local, tribal and commercial entities to the U.S. Computer Emergency Readiness Team in fiscal 2012.
Phishing scams have grown more sophisticated and complex as the volume and extent of personal data stored on networks have ballooned. Consumer information related to health insurance and tax records has enormous financial value, making it an appealing target for scammers and thieves.
However, federal agencies aren’t required to report attempted phishing incidents. Federal agencies primarily report loss or theft of laptops, mobile devices, authentication tokens or smart cards, and mishandling of sensitive or controlled unclassified information in digital or hard-copy formats.
Despite occasional reports of phishing attacks on federal departments, the lack of comprehensive data on their volume and success rates can make it difficult to assess the danger. The number of phishing attacks on federal agencies is likely much higher than reported, and there’s limited visibility into the threat they actually pose to these agencies.
The best protection against phishing is an aware user who doesn’t take the bait. Still, the need for data security grows with the pace and scope of government aggregation and use of personally identifiable information.
John Slye is an advisory research analyst in federal industry analysis at Herndon-based Deltek, which conducts research on the government contracting market and can be found at www.deltek.com.