As it now exists, Healthcare.gov, the federal exchange for approved health plans, "creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more," Morgan Wright, CEO, Crowd Sourced Investigations, LLC told the House Science, Space, and Technology committee in a hearing held yesterday. He was only one of several cybersecurity experts who testified as to the vulnerabilities of the already infamous Website, launched October 1 as part of the rollout of Obamacare. Perhaps the only saving grace is the frequency with which Healthcare.gov crashes, dissuading people from entering information, or even making use impossible, and so sparing them the high risk of data theft.
In his testimony (PDF), Wright said:
The first major issue is the lack of, and inability to conduct, an end to end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top down view of the full security posture. 3For a system dealing with what will be one of the largest collections of PII, and certain to be the target of malicious attacks and intrusions, the lack of a clearly defined and qualified security lead is inconsistent with accepted practices.
Wright pointed to a flaw involving the management of names and passwords, discovered by a private security researcher, that would have allowed hackers to take control of people's accounts. That hole has been patched, but others have been assigned a fix date of May 31, 2014—while the Website remains up and running.
This is completely unacceptable from an industry perspective, and is in extreme contravention of security best practices. Only in the government could such a gaping hole be allowed to exist without fear of consequence. This shows a lack of understanding for the consequences to consumers and the protection of also creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more. Much of this is playing out right now.
Avi Rubin, professor of Computer Science at Johns Hopkins University, pointed out (PDF), "One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards." He then discussed the challenges faced in necessarily doing exactly that with the federal exchange.
Dr. Frederick R. Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security at Southern Methodist University, was similarly critical (PDF).
The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public. There is the main federal site, individual state sites, as well as legitimate third party sites. As I understand it, there is no official designation or marking that a consumer can use to determine whether they are on the correct site or not. As people seek to register for health care coverage they may find that there are a dizzying array of websites to select from. When it comes to typing in information like a social security number into a web form, many people might be cautious about doing so, but given that it has do with health insurance coverage people might be more inclined to do so (particularly if they think the request is coming from a legitimate website). These two factors could combine to create a ripe circumstance for personal information to get into the wrong hands. It is difficult to estimate how much traffic these fake websites will siphon off, but it could be significant
David Kennedy, CEO and Founder of TrustedSec, cautioned (PDF) that existing reports of hacking attempts on Healthcare.gov are incomplete and that, because of poor security precautions, "in the event that the website is hacked (or already has been), the attacks would go largely unnoticed and the website would remain compromised for a long period of time." He went on to detail a series of vulnerabilities his company discovered on the site, and then alluded to others he said he was unwilling to publicly reveal.
Kennedy recommended building an entirely new Healthcare.gov website while the first one is up and running (including its flaws) and replacing the existing one when it's ready. If, instead, the already bought-and -paid-for site is taken down for a full fix, "the remediation process will span seven to twelve months at a minimum."
Fixing the exisiting site while it's being used would take even longer.