News & Comment: Hackers breach HealthCare.gov system, get data on 75,000

WASHINGTON (AP) – A government computer system that interacts with HealthCare.gov was hacked earlier this month, compromising the sensitive personal data of some 75,000 people, officials said Friday. The Centers for Medicare and Medicaid Services made the announcement late in the afternoon ahead of a weekend, a time slot agencies often use to release unfavorable developments. Officials said the hacked system was shut down and technicians are working to restore it before sign-up season starts Nov. 1 for health care coverage under the Affordable Care Act.

COMMENT:

Michael Magrath, Director, Global Regulations & Standards, OneSpan, Inc.

“The breach of the Federally Facilitated Exchanges (FFE) reinforces the need for all insurers (private and public) to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law published in late 2017.  Although written for states to adopt, there is nothing prohibiting the federal government from mandating tighter cybersecurity controls in its own programs, especially when it comes to protecting sensitive personally identifiable information (PII) such as health insurance information.

“The NAIC’s Model Law closely resembles the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) which took effect in March 2017 with multiple phases.  A key provision of the regulation is the use of multi-factor authentication “to protect against unauthorized access to Nonpublic Information or Information Systems”.  With Nonpublic information being the individual’s private information.

“How the breach occurred has not been made public as the investigation is likely ongoing. However, as reported in Verizon’s 2017 Data Breach Investigations Report, “81% of hacking-related breaches leverage either stolen and/or weak passwords.” With that in mind, there is a strong likelihood that if multi-factor authentication was mandated it may have prevented the FFE breach.

“In May, South Carolina became the first state to adopt the NAIC’s Model Law with the “South Carolina Insurance Data Security Act”. As an FFE state, the citizens of South Carolina would benefit from the new law. However, the new law will not go into effect until January 1, 2019.”