HealthCare.gov: Change Passwords
Heartbleed Bug Prompts Precautions
A notice on HealthCare.gov, the website for the federally facilitated health insurance marketplace under the Affordable Care Act, or Obamacare, says, "Recently, you may have heard about a new Internet security weakness, known as Heartbleed, which is impacting some websites. HealthCare.gov uses many layers of protections to secure your information. While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution."
The notice continues, "This means the next time you visit the website, you'll need to create a new password. We strongly recommend you create a unique password - not one that you've already used on other websites. ... There's no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk. However, we're resetting current passwords out of an abundance of caution, to ensure the protection of your information."
In a statement provided to Information Security Media Group the morning of April 21, HHS' CISO Kevin Charest says, "There has been no effect from Heartbleed for Healthcare.gov. This is simply following the best practices established, which include a number of steps such as patching, reinstalling encryption keys, and end user password resets."
Charest said in a recent interview, conducted before the Heartbleed bug was revealed by security investigators, that there have been "no successful malicious attacks on the [HealthCare.gov] site or systems."
The site is undergoing "end-to-end" security testing every quarter, even though the federal government requires such testing only every three years, he added. The quarterly testing will likely continue for the next year or two, "then move to a reasonable cycle," he said. Also, before the next open enrollment period begins on Oct. 1, the HealthCare.gov technical and security team will be busy updating the site and systems with the new health plans being offered by insurers, Charest said. "We're continually improving the site," he added.
"We continue to be vigilant; that's not a boast. It's simply saying we've done the things needed to protect the site," he said. "Anything can be compromised, I'm not trying to say we will never have a problem because that would be foolish, too. But I will say that we take this very seriously."
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as e-mail, instant messaging and some VPNs (see Heartbleed Bug: What You Need to Know).
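The remediation sequence Charest describes (patch, reinstall encryption keys, reset end-user passwords) only works in that order: new keys issued on an unpatched server can be read out again, and passwords reset over a connection still protected by the old key give an attacker who already holds that key fresh credentials. The following Python is an added example written for this page, not code from HealthCare.gov, HHS or the article; it triages `openssl version` banners against the upstream release range that shipped the vulnerable heartbeat code (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2) and checks that a host's recorded remediation timestamps occurred in the required order. The host records and banners are constructed sample data, and the field names in them are assumptions.

```python
"""Defender-side Heartbleed remediation checks (added example, not the site's code)."""
import re
from datetime import datetime
from typing import List, Optional

# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contained the
# vulnerable heartbeat handling; 1.0.1g / 1.0.2-beta2 fixed it. The 1.0.0
# and 0.9.8 branches never had the code, and 1.1.x post-dates the fix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify_openssl_version(banner: str) -> str:
    """Return 'vulnerable', 'patched' or 'unaffected' for an `openssl version` banner.

    Caveat: distributions backport the fix without changing the upstream
    version letter, and builds compiled without heartbeat support were never
    affected. Treat 'vulnerable' as 'needs confirmation on the host', not
    as a confirmed finding.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    major, minor, fix, letter, beta = m.groups()
    branch = (int(major), int(minor), int(fix))
    if branch == (1, 0, 1):
        # Bare "1.0.1" has an empty letter and sorts before "g": vulnerable.
        return "vulnerable" if letter < "g" else "patched"
    if branch == (1, 0, 2):
        return "vulnerable" if beta == "1" else "patched"
    return "unaffected"


def remediation_issues(record: dict) -> List[str]:
    """Check that patching came first, then key/cert reissue, then password resets.

    `record` holds datetimes (or None when a step has not happened) under the
    assumed keys 'patched_at', 'cert_reissued_at' and 'password_reset_at'.
    """
    patched: Optional[datetime] = record.get("patched_at")
    reissued: Optional[datetime] = record.get("cert_reissued_at")
    reset: Optional[datetime] = record.get("password_reset_at")
    issues = []
    if patched is None:
        return ["OpenSSL not yet patched; later steps are premature"]
    if reissued is None or reissued <= patched:
        issues.append("keys/certificate not reissued after patching")
    if reset is None or reset <= patched or (reissued is not None and reset <= reissued):
        issues.append("password reset not performed after patch and key rotation")
    return issues


# Constructed sample data: one host per remediation state.
SAMPLE_BANNERS = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy": "OpenSSL 1.0.0l 6 Jan 2014",
}
SAMPLE_RECORDS = {
    "web-1": {  # everything done, in the right order
        "patched_at": datetime(2014, 4, 8, 10, 0),
        "cert_reissued_at": datetime(2014, 4, 9, 9, 0),
        "password_reset_at": datetime(2014, 4, 10, 12, 0),
    },
    "web-2": {  # passwords reset before the key was rotated
        "patched_at": datetime(2014, 4, 8, 10, 0),
        "cert_reissued_at": datetime(2014, 4, 12, 9, 0),
        "password_reset_at": datetime(2014, 4, 9, 12, 0),
    },
}


def triage(banners: dict, records: dict) -> dict:
    """Combine both checks into a per-host summary for a remediation report."""
    report = {}
    for host, banner in banners.items():
        report[host] = {
            "version_status": classify_openssl_version(banner),
            "issues": remediation_issues(records.get(host, {})),
        }
    return report


if __name__ == "__main__":
    for host, result in triage(SAMPLE_BANNERS, SAMPLE_RECORDS).items():
        print(host, result)
```

The version check is a triage filter, not proof either way: a host reporting 1.0.1e may be running a distribution build that carries the backported fix, so confirm on the host (package changelog or a test of the heartbeat extension from an authorised scanner) before closing or escalating a finding.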