HealthCare.gov Passwords To Be Reset in Wake of ‘Heartbleed’ Bug
April 21, 2014 in News
Federal officials are instructing HealthCare.gov account holders to reset their passwords, following an administration-wide review of the government’s vulnerability to the destructive “Heartbleed” computer bug, Reuters reports (Francescani, Reuters, 4/19).
About the Bug
The computer bug, recently discovered by a Google engineer and another security team, is a flaw in OpenSSL, a Web encryption program used by hundreds of thousands of websites, including Amazon and Google. Experts say that hackers potentially could use the bug to get sensitive information from:
- Email servers;
- Mobile phones; and
- Security firewalls (iHealthBeat, 4/14).
In a statement, senior government officials said HealthCare.gov users are being advised to change their login information “out of an abundance of caution,” given the heavy traffic and sensitive user information hosted on the health care website (Pace, AP/Sacramento Bee, 4/20).
According to PC Magazine, users will be prompted to select a new password the next time they attempt to log in (Murphy, PC Magazine, 4/20).
Officials said there is no indication that any personal data on HealthCare.gov have been compromised.
The security of HealthCare.gov and the state-based exchange websites has been a point of contention since they experienced widespread glitches at their launch last fall. Critics have homed in on potential security risks, given that the websites hold large amounts of sensitive data.
The Department of Homeland Security is leading the review of potential government vulnerabilities. In a blog post, Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, wrote that DHS will “continue to focus on this issue until government agencies have mitigated the vulnerability in their systems.”
Schneck added that DHS “will continue to adapt our response if we learn about additional issues created by the vulnerability” (AP/Modern Healthcare, 4/19).
Heartbleed Bug Unlocks Secure Data in Nine Hours
In related news, hackers participating in a crowdsourcing challenge were able to use the Heartbleed encryption bug to unlock secure data in just nine hours, Modern Healthcare reports.
The challenge — which was created by Cloudflare, a San Francisco-based company that offers computer network and security services — aimed to demonstrate how dangerous the encryption bug is.
Overall, Cloudflare reported four different “winners.”
In a blog post, the company wrote, “This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability” (Conn, Modern Healthcare, 4/14).