State Exchanges Not Requiring Password Changes

Health and Human Services reset the passwords of all users last week to protect consumers from the Heartbleed bug, which the agency said posed a threat serious enough to necessitate an abundance of caution. But officials at the state-run ObamaCare exchanges aren’t going to those same lengths. They don’t believe it’s necessary.

Morning Consult spoke with officials from nine state-run exchanges – one of which discovered it was vulnerable to the bug – and none of them are resetting user IDs or passwords, or requiring that consumers do so on their own.

Most of the exchanges use a version of OpenSSL technology that is believed to be unaffected by the bug, and are therefore confident that consumer data remains safe without taking the additional step of resetting user passwords. The federal government wouldn’t say whether it used OpenSSL technology that was vulnerable to Heartbleed in its exchanges.

The Heartbleed bug, which exposes websites that use a common version of OpenSSL technology, affects between 60 and 70 percent of the Internet, according to Jerry Irvine, a member of the National Cyber Security Partnership, a public-private partnership between the US Chamber of Commerce and DHS. The threat is serious enough that the Department of Homeland Security’s (DHS) Emergency Response Team last week issued a legal notice about the threat.

“Any system that may be affected by this vulnerability should regenerate any credential information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items,” the bulletin said.

The vulnerable version of OpenSSL, which is used by some federal websites, puts at risk the kind of personal data that people have become accustomed to sharing through secure online portals.

Many websites, including the federal healthcare exchange, are urging or requiring users with accounts that contain personal information to change their passwords to ensure their data remains protected.

The state-run ObamaCare exchanges reached by Morning Consult are an exception.

The Centers for Medicare and Medicaid Services sent an alert to the state-run exchanges on April 10th, two days after news of the bug hit the mainstream press, warning of the bug and requiring Chief Information Officers to test their sites and report back within 24 hours.

The Hawaii Health Connector said it discovered it was using a vulnerable version of OpenSSL, and notified CMS of the issue on April 11th. The exchange’s IT contractor, CGI, hosts the data center for the exchange, and patched it immediately, according to an exchange spokesman.

The exchange said “there were no security breaches related to the patch,” and told Morning Consult it would not require users to change their IDs or passwords.

Will Dormann, a vulnerability analyst in the CERT Division of the Software Engineering Institute at Carnegie Mellon University, says Hawaii should reconsider.

“Due to the nature of the Heartbleed vulnerability, it can be difficult for a system administrator to know if a vulnerable system was attacked, and if it was successfully attacked, what information was leaked,” he said. “Therefore, administrators of known-vulnerable systems should have taken the usual steps of regenerating and revoking potentially compromised key material, as well as regenerating passwords or other sensitive material.”

Irvine echoed this sentiment.

“Sound business and security practices would recommend changing user IDs and passwords not only at the time of a breach, but also periodically throughout the year,” he said.

Hawaii’s special enrollment period is open through April 30, so users are likely still accessing the website with their old user IDs and passwords.

Representatives at exchanges in Massachusetts, Vermont, Connecticut, Minnesota, Nevada, Washington, Oregon, and Maryland said they were comfortable with users keeping their old user IDs and passwords because they use a version of OpenSSL that isn’t susceptible to the bug.

“Some users may feel more comfortable changing their passwords in light of hearing about the bug elsewhere,” a spokesperson for the Maryland Health Connection said. “But we’re not broadly recommending everyone change them – it’s not necessary given the determined lack of vulnerabilities.”

Representatives from the exchanges in Connecticut and Minnesota are similarly confident they’ve avoided the threat, saying they had identified the bug as a potential issue before even hearing from CMS, and had already begun testing their servers.

The Nevada Health Link said it automatically requires password changes every 90 days, and the Vermont exchange said it was “adding language” to its website about the bug in case consumers have questions. Vermont’s exchange website had not been updated when this article was posted.

Dormann agreed with the state officials that these sites are likely safe and don’t need to change user passwords.

“If a system was not vulnerable then those extra cleanup steps are unnecessary,” he said.

Still, HHS wrote in a blog post called “Protecting Your Marketplace Account” that it was instituting automatic password changes at Healthcare.Gov even though, like the bulk of the state exchanges, there were no apparent vulnerabilities.

“ uses many layers of protections to secure your information. While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” the statement said. “This means the next time you visit the website, you’ll need to create a new password. We strongly recommend you create a unique password – not one that you’ve already used on other websites.”

An official at CMS did not say whether they suggested the state-run exchanges follow their lead, or why such policies aren’t uniform throughout the exchanges.

Irvine said that like, the state-run exchanges should err on the side of caution.

“If it was determined that no vulnerability existed within the state exchanges, it may not be necessary for changes in user IDs or passwords,” he said. “Nevertheless, it would be recommended that any common user IDs or passwords being used across both state and federal systems be changed in order to mitigate the potential of loss should the federal site have been breached.”

Republicans focused on cyber-security issues surrounding Healthcare.Gov after the problem-plagued rollout, holding hearings where they argued the website was rushed through production and not adequately tested for security concerns and potential data breaches.

CMS is adamant that there haven’t been any breaches so far.

“Since being made aware of the vulnerability, the Administration took action to protect networks and websites. As with any vulnerability or threat in cyberspace, the Federal government – HHS in this instance – has a standard process for addressing how it may impact the infrastructure, and are using that to mitigate this vulnerability and monitor for problems,” the agency said. “Again, we have not seen any issues from being made aware of this issue.”

Morning Consult