Security concerns continue to be raised about Obamacare website

More is coming to light in recent days and weeks to suggest that concerns about potential security issues with the healthcare.gov website may be justified.

In an article today from CNN, it was revealed that a lack of testing of healthcare.gov presented a security risk, according to an internal government memo written by IT officials at CMS days before the launch.

An internal government memo obtained by CNN and written just days before the start of open enrollment for Obamacare warned of a “high” security risk because of a lack of testing of the HealthCare.gov website.

“Due to system readiness issues, the SCA (security control assessment) was only partly completed,” said the internal memo from the U.S. Center for Medicare and Medicaid Services. “This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.”

The memo goes on to explain that the Center for Medicare and Medicaid Services would create a “dedicated security team” to monitor the risk, conduct weekly scans and, within 60 to 90 days after the website went live, “conduct a full-scale SCA test.”

The memo did not detail the security concerns. It was written by IT officials at the Center for Medicare and Medicaid Services, and was sent to and signed by the agency’s director, Marilyn Tavenner, who testified on Capitol Hill on Tuesday that she thought the website was ready to go when it began its crash-riddled rollout on October 1.

And in an earlier article at CNN Money titled Security hole found in Obamacare website, it was also reported that a cybersecurity expert discovered a security flaw that went unaddressed for more than three weeks after healthcare.gov’s launch.

Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.

The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:

  • guessed an existing user name, and the website would have confirmed it exists.
  • claimed you forgot your password, and the site would have reset it.
  • viewed the site’s unencrypted source code in any browser to find the password reset code.
  • plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
  • answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.

Armed with the account holder’s email address, a person with malicious intent could easily track down their target on social media, where they’d likely discover the answers to those security questions.

The report further indicated that only a minimal ability to read programming code was needed to potentially expose a target’s address and phone number.
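As an added example (not the site’s code and not from the CNN report), here is a minimal Python reset flow that avoids each weakness in the list above: one uniform reply whether or not the username exists, a server-generated random token that is delivered only to the account’s own mailbox and stored only as a hash (so it never appears in page source), single use with expiry, and failures that disclose nothing about the account (no security questions, no email address). The user store, addresses and salt are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid
GENERIC = "If that account exists, a reset link has been sent to its email address."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed in-memory stores standing in for the site's database (hypothetical data).
USERS = {"alice": {"email": "alice@example.invalid", "salt": b"constructed-salt"}}
USERS["alice"]["pw"] = _hash_password("old-password", USERS["alice"]["salt"])
PENDING = {}  # username -> (sha256 of token, expiry); only the hash is kept server side
OUTBOX = []   # simulated out-of-band delivery: (email address, token)


def request_reset(username, now=None):
    """Start a reset. The reply is the same whether or not the username exists, so the
    endpoint cannot confirm accounts; the token goes only to the account's mailbox."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)  # 256-bit random, generated on the server
        PENDING[username] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
        OUTBOX.append((user["email"], token))
    # A production version would also rate-limit and equalise response timing.
    return GENERIC


def complete_reset(username, token, new_password, now=None):
    """Finish a reset only with a valid, unexpired, single-use token. Every failure returns
    the same False and discloses nothing (no security questions, no email address)."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    token_hash, expiry = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(token_hash, presented):
        return False
    PENDING.pop(username)  # single use
    USERS[username]["pw"] = _hash_password(new_password, USERS[username]["salt"])
    return True


def verify_password(username, password):
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw"], _hash_password(password, user["salt"]))
```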

The existence of such a security issue is indicative of what many others have expressed – that hackers and those with savvy social engineering skills are likely to find plenty of other vulnerabilities not yet discovered or publicized. Via CNN, Simo points out a similar concern.

Still, Simo fears that a savvy hacker could find other holes and Obamacare applicants’ data will be compromised on a mass scale.

“This seems really sloppy,” Simo said. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn’t understand how they fit into the bigger picture.”

CNN Money reported that when Simo attempted to bring the security issue to the attention of officials, a healthcare.gov operator referred him to law enforcement.

That issue has reportedly since been fixed, but that seems to be little assurance for many who still have concerns about the site’s security and the protection of Americans’ privacy.

During today’s hearing with HHS Secretary Kathleen Sebelius, Republican Congressman Mike Rogers raised the issue that adequate end-to-end testing may not have been conducted to address security issues as new code has been added. HHS has maintained that security testing is conducted on an ongoing basis as new functionality is added, according to CBS News, but did not seem to specify whether or not that testing refers to full end-to-end testing.

From CBS News:

“You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system,” Rogers said. “Amazon would never do this, ProFlowers would never do this, Kayak would never do this. This is completely an unacceptable level of security.”

“You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk.”

Sebelius assured Rogers that the site is secure, that Americans’ personal information is secure and that it’s operating with a temporary security certificate until full testing can be completed.

An HHS official pointed out that Security Control Assessments of the enrollment and eligibility functions of the Marketplace and the datahub have been conducted and that “We continue to conduct security testing on an ongoing basis as we add new functionality.”

In her testimony today, Sebelius maintained that the personal information of Americans is secure.

Given the government’s performance on this project to date, and the unwillingness of officials to be entirely forthcoming about issues surrounding the project, I think it’s difficult to take such reassurances seriously.

Comments

“Swiss Cheese” is the best way to describe the coding talents of those who created this software fiasco.

The solution that you should fear would be the decision to “eat it” until they come up with an actual solution…

Henry Hawkins | October 30, 2013 at 5:37 pm

There’s that old idea how if you put a hundred monkeys in a room with a hundred typewriters, eventually one of them will tap out something coherent. I think this is how they designed and built Obamacare. Just not enough monkeys.

JimMtnViewCaUSA | October 30, 2013 at 5:46 pm

Thanks, Mandy and pls keep following this issue.

I am mostly interested in whether your medical details could be divulged by the site or used by some gov’t agency against you. (Though of course, passwd reset on your account or account hijacking would also be a bother, to say the least!)

I saw a claim that HealthCare.gov violates “HIPAA” (Mark Steyn? A Congressman?). I saw a report where (I think) the CGI spokeslady just said “we do what the gov tells us to do”. Lefties were saying that HC.gov just passes through your name/addr/birthdate to the insurance people, not your medical details so it doesn’t need to be HIPAA compliant.

I want to learn more so I can respond correctly and intelligently when this gets raised.

Hey Syrian Electronic Army….here’s a big neon sign for you!

NEWS ITEM : “John McAfee On Obamacare: web sites ‘What Idiot Set This Up?’ ‘This Is A Hacker’s Wet Dream!'”

FROM: All Hackers and Identity Thieves Throughout the World
TO: Everyone Who Manages to Sign Up for OBOZOCARE on a Government Web Site

Thank you, thank you, thank you !!!!

The information you placed on these UNSECURED, BADLY MANAGED JOKE SITES is appreciated. We promise to use this information to our maximum advantage in creating new accounts under your name and personal identifying information with every credit card and financial institution in the universe.

Please check your mailbox in the next couple of weeks for all the bills from our purchases.
Please be sure to pay on time and in full – DON’T BE A DEADBEAT !!!

Again, thanks for your generous support !!!!!

—Anonymous

PS – and if we don’t steal your identity, you can bet those criminals called OBOZCARE “navigators” hired by the OBOZO regime (with NO BACKGROUND CHECKS) will do it !

FYI: OBOZOCARE website’s projected cost: $93 million. Actual cost: $634 million. DO you think these people are going to reduce your health care costs?

I think the first major breach/disclosure, and I’m talking about a Sony level disaster, will sink Healthcare.gov. I also think that day is not far in the future. There are thousands of hackers worldwide who would love to get their little paws on a treasure trove like this. Even though I long to see Disastercare die, I hate to think of what the dozens of people already signed up will go through when their information is stolen.

The Obama Admin would never fess up they were hacked; the worst-case scenario is the breach that goes undetected and by stealth siphons off financial and personal information. Don’t think for a second that the Syrian Electronic Army and every self-respecting hacker on the planet would miss the ObamaCare Rollout… Obama’s Healthcare exchanges are targets for the ultimate Trophy Hack; for the Syrian Electronic Army, it would be the “Holy Grail” of Hacks. In the opening days of the Exchanges, there were widespread complaints of slow or inaccessible portals due to high volume. Gut reaction would reckon network security was being probed, scanned and tested for holes or vulnerability in perimeter security; Denial of Service (DoS) attacks on a targeted system could easily be construed as an overloaded system. You can bet the ranch there isn’t an ObamaCare Portal that hasn’t been subject to ongoing “Brute Force” attacks.

Not A Member of Any Organized Political | October 31, 2013 at 1:54 pm

Mandy have you seen this?

“Obamacare is a Hacker’s Wet Dream” – Security Founder
John McAfee

Read more at http://globaleconomicanalysis.blogspot.com/2013/10/security-founder-john-mcafee-obamacare.html#wXklGtwhYBPRiAeZ.99