Cyber experts: Health care exchanges may be vulnerable to attack

Computer glitches plagued the debut this week of the online health care exchanges put in place by the Affordable Care Act, and while there's no evidence the website malfunctions and delays are anything more than a flood of traffic, cyber experts say citizens should be aware of the potential security pitfalls with the new exchanges.

The Affordable Care Act does not mandate security protocols for the exchanges, leaving the 15 states not participating in the federal government's health care exchange to write their own rules.

"I think in general states shouldn't have to require a mandate, they should just be doing it. When you consider the risks to their residents if these sites get compromised then I would think that this would be a no-brainer," said Alex McGeorge, Senior Security Researcher with Immunity.

McGeorge points out that limited funds may be an issue preventing some states from implementing robust security measures.

Experts agree, however, that the federal health care exchange website, www.healthcare.gov, which serves 35 states, is more secure than the state exchanges.

The Centers for Medicare and Medicaid Services (CMS) says it built the federal exchange with a secure data services "hub," designed to minimize risk by not retaining or storing Personally Identifiable Information.

The health care exchanges built individually by 15 states, on the other hand, appear to be less secure based on the web platforms they are running, according to security experts CNBC spoke with.

"Some of these web frameworks that the states have elected to use have had a history of security problems that could allow for an attacker to take over the web server that is running this service," McGeorge said.

Despite that, none of the states CNBC contacted, nor the federal exchange, report any cyber-attacks, and all say they have security measures in place.

A spokesman for California's exchange says the website has a program that checks for malicious behavior. Meanwhile, a spokeswoman for the Connecticut exchange says its website prioritizes traffic from those in state and blocks all international traffic.

New York reportedly had some 30 million hits in a state with fewer than three million uninsured, but the state department of health told CNBC in a statement, "There is no indication of any intentional efforts to overwhelm the site."

Follow Scott on Twitter @ScottCohnCNBC. Follow Jennifer on Twitter @jennyanne211

Investigations Inc.: Cyber Espionage

  • When a person enters information on a website, like an email or credit card, it gets stored in that company’s database. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can enter specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.

    By attacking business computer networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy.

  • China is working feverishly to counteract its slowest GDP growth in recent years, and one of the ways it’s doing so, say U.S. officials, is through the theft of American corporate secrets.

  • US businesses are enduring an unprecedented onslaught of cyber invasions from foreign governments, organized crime syndicates, and hacker collectives, all seeking to steal information and disrupt services, cybersecurity experts say.
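
The web-form weakness Alperovitch describes in the first item above, shown as an added example that is not part of the original article: the same name field handled by a query built through string concatenation and by a parameterized query. The `signups` table, the function names and the sample input are all constructed for illustration.

```python
import sqlite3

def new_db():
    """In-memory database standing in for a site's backing store (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signups (name TEXT, is_admin INTEGER)")
    return db

def store_name_unsafe(db, name):
    # Vulnerable: the form value is pasted into the SQL text, so quotes and
    # comment markers inside it are parsed as SQL instead of stored as data.
    db.execute(f"INSERT INTO signups (name, is_admin) VALUES ('{name}', 0)")

def store_name_safe(db, name):
    # Hardened: the ? placeholder passes the value separately from the
    # statement, so the database can only ever treat it as a string.
    db.execute("INSERT INTO signups (name, is_admin) VALUES (?, 0)", (name,))

def rows(db):
    return db.execute("SELECT name, is_admin FROM signups").fetchall()

# Constructed form input: closes the string literal, supplies its own value
# for is_admin, and comments out the rest of the statement.
CRAFTED = "guest', 1) --"

def demo():
    """Feed the same input to both handlers and return what each one stored."""
    unsafe, safe = new_db(), new_db()
    store_name_unsafe(unsafe, CRAFTED)
    store_name_safe(safe, CRAFTED)
    return rows(unsafe), rows(safe)

if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("concatenated: ", unsafe_rows)   # input rewrote the statement
    print("parameterized:", safe_rows)     # input stored verbatim
```

The concatenated handler also fails on an ordinary name containing an apostrophe, which is often the first visible sign of this flaw in testing.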

