In Part I of our blog series, we discussed three things your organization can learn from the Affordable Care Act (ACA) website launch. In Part II, we will discuss three more.
4. Know where your data lives and how it’s handled. Contrary to what many people believe, the sensitive information submitted through healthcare.gov isn’t permanently stored in a centralized database, which makes it harder for hackers to steal sensitive information in bulk. Instead, data is routed through a secure “data hub” to various federal agencies, where it is verified and triggers a notice to private insurance companies that an applicant has signed up and selected a plan. This situation isn’t unique to the healthcare.gov website, however: many enterprise companies rely on a variety of third-party and cloud providers to host sensitive data, and often lack a real understanding of where that data “lives” and who has access to it. Tip: Don’t rely on compliance requirements to guide your data encryption and access policies – make security the priority, and compliance will follow.
5. Make sure new functionality and features play well with others. When deploying new applications, patches, or features on your website, make sure they work with existing functionality and don’t introduce new security risks when integrated. Individual features or applications may be fine on their own, but combined with others they may be problematic. Experts say one possible cause of the healthcare.gov website becoming overloaded is that hitting “apply” causes 92 separate files, plug-ins and other data to stream between the user’s computer and the servers powering the site, causing it to crash frequently. Tip: When deploying new features or functionality, or enabling features like user uploads, carefully consider how they will impact the existing website, and always test for security issues before the combined features go live.
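One concrete pre-launch check that covers both points 4 and 5 is to parse a page as it will ship and count the subresources a single load pulls in, grouped by origin, so you can see how many files a click triggers and which third parties end up handling the user's request. The script below is an added example written for this post, not code from healthcare.gov or its contractors; the sample HTML, hostnames and budget figure are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src",
                  "iframe": "src", "object": "data", "embed": "src"}


class ResourceCollector(HTMLParser):
    """Collects the absolute URL of every subresource a page references."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr_name) if attr_name else None
        if value:
            self.urls.append(urljoin(self.base_url, value))


def audit_page(html, base_url, allowed_origins, max_resources):
    """Return (total subresources, per-origin counts, findings).

    A finding is recorded when the page exceeds its resource budget or
    loads content from an origin that is not on the allow-list, i.e. a
    third party you may not have accounted for in your data-handling map."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    per_origin = Counter(
        f"{urlsplit(u).scheme}://{urlsplit(u).netloc}" for u in collector.urls)
    findings = []
    if len(collector.urls) > max_resources:
        findings.append(f"{len(collector.urls)} subresources exceed budget of {max_resources}")
    for origin, count in per_origin.items():
        if origin not in allowed_origins:
            findings.append(f"{count} resource(s) loaded from unlisted origin {origin}")
    return len(collector.urls), per_origin, findings


# Constructed sample page (hypothetical hostnames), not the real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="/static/apply.js"></script>
<script src="https://cdn.example-analytics.test/track.js"></script>
</head><body>
<img src="/static/logo.png">
<iframe src="https://widgets.example-partner.test/chat"></iframe>
</body></html>"""

if __name__ == "__main__":
    total, origins, findings = audit_page(
        SAMPLE_HTML, "https://apply.example.test/",
        allowed_origins={"https://apply.example.test"}, max_resources=3)
    print(total, dict(origins))
    for finding in findings:
        print("FINDING:", finding)
```

Run it against the rendered HTML of each release candidate and treat any new unlisted origin or budget overrun as a review item before the combined features go live.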
6. Develop and test your Incident Response plan. This one can’t be stressed enough. Many organizations – even large ones – don’t spend enough time developing a plan to address potential problems with their website and network or to develop a crisis communications plan before a big launch. This is one area of information security that often takes a backseat to the challenges of just getting the product or website out the door, so to speak, but it is a critical component that can’t be overlooked. Tip: Take the time to document what could go wrong and develop your mitigation and communication plan accordingly.
Once the website is launched, security should continue to be an ongoing consideration. In addition to protecting their site and network with firewalls, IDS/IPS, and the like, smart enterprise organizations should employ a third-party service to monitor for phishing attacks, malware and other threats. By following these steps, organizations can avoid some of the problems that have plagued the launch of the healthcare.gov website.