Attacks/Breaches
11/20/2013
02:30 PM
Connect Directly
RSS
E-Mail
100%
0%

Close HealthCare.gov For Security Reasons, Experts Say

Testifying before the House technology committee, four security experts advise would-be HealthCare.gov users to steer clear of the site, pending security improvements.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)

Should the embattled HealthCare.gov website be shut down until the White House proves it's secure?

That was one approach advocated by several security experts, testifying Tuesday during the House Science, Space, and Technology committee's "Is My Data on HealthCare.gov Secure?" hearing.

Ever since the October 1 launch of the federal HealthCare.gov portal, which implements the Affordable Care Act and is used by 36 states, security experts have been warning that the site is vulnerable to a number of different types of attacks. To date, would-be hackers appear to have paid scant attention to the site, but many security experts -- and legislators -- have voiced their concerns over the hack-attack potential for a healthcare portal that handles people's personal information, including social security numbers, income levels, and medical details.

"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," said committee chairman Lamar Smith (R-Texas) at the hearing.

[What will it take to make HealthCare.gov work? Read How To Get Obamacare Moving Now.]

"Several vulnerabilities have already been identified, and we know of at least 16 attempts to hack into the system. And I heard this morning that there were another 50," he added. "But we can assume that many more security breaches have not been reported."

David Kennedy, CEO of information security consulting firm TrustedSEC, echoed that assessment, saying there was no way that HealthCare.gov had been targeted only 16 times in the first six weeks after it launched. "What this statement shows is the lack of a formal detection and prevention capability within the website and its infrastructure," said Kennedy. "On average, while working for an international Fortune 1000 company, our main website was attacked over 230 -- averaged [out to] 232 attacks a day for the year of 2012 -- times a day."

Whatever the attack volume, the security experts testifying at the hearing all emphasized the challenge of trying to secure any infrastructure that sports 500 million lines of code, and which was implemented in a rush. "When it comes to security, complexity is not your friend. Indeed it has been said that complexity is the enemy of security," Fred Chang, a former NSA research director who now heads the cybersecurity program at Southern Methodist University in Dallas, told Congress. Likewise, for maximum protection, "ideally, security is built into an application from the very beginning rather than having it 'bolted on' afterwards," he said.

President Obama signs the Affordable Care Act.
President Obama signs the Affordable Care Act.

Avi Rubin, a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University in Baltimore, questioned the implementation methodology employed for the site, and especially the lack of beta testing with real users. "Most large, consumer-facing web-based rollouts happen in phases," Rubin told the committee. "For example when Google introduces a new service, they initially offer it to a select group of users. As bugs are ironed out and problems are resolved, the new functionality is enabled for more users. It is an iterative process, and there are always issues to resolve."

"One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day," he added. "That is not the way large systems go live in practice."

What should happen next? TrustedSEC's Kennedy outlined three scenarios: fixing the in-production site, shutting the website down entirely until it can be fixed, or using secure coding practices to build a brand-new "version 2.0" HealthCare.gov website in parallel with the current one. He recommended pursuing the last approach. "If design and code quality weren't created from the start, the fixes that we see now will only be small patches for a much larger problem," he said.

But how likely is it that HealthCare.gov might be taken offline, or rebooted any time soon via a version 2.0? In recent days, some Obama administration officials have said they want to have the site up and working for the "vast majority" of Americans by the end of this month.

Furthermore, Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), which is responsible for building HealthCare.gov, said in a separate House hearing Tuesday that the site sported "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.

Still, President Obama said in a press conference last week that if he'd known the state that HealthCare.gov was in, he wouldn't have authorized its October launch.

"I was not informed directly that the website would not be working the way it was supposed to. Had I been informed, I wouldn't be going out saying, 'Boy, this is going to be great,' " he told reporters. "I'm accused of a lot of things, but I don't think I'm stupid enough to go around saying this is going to be like shopping on Amazon or Travelocity a week before the website opened, if I thought it wasn't going to work."

The president added: "We would not have rolled out something knowing that it wasn't going to work the way it was supposed to, given all the scrutiny we knew would be on the website."

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
11/20/2013 | 3:40:56 PM
Unanimous?
Seems unanimous: Healthcare.gov: Biggest Security Risks Yet To Come

Who would care to make an argue that it's better to soldier on and fix the system while continuing to operate it? Is there a technical argument for keeping the site live, as opposed to a political one?
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
11/20/2013 | 8:48:25 PM
Re: Unanimous?
Unfortunatley I think politics is keeping the site open. Maybe the government will do the right thing and shut it down, fix it, then get it back online. I'm not holding my breath.
WKash
100%
0%
WKash,
User Rank: Apprentice
11/20/2013 | 11:32:10 PM
Hard Pill to Swallow
It's hard to take as credible the statement by Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), when he says Healthcare.gov sports "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.  The Medicare and Medicaid sites are still going through rigorous reviews and improvements in security controls and they are mature systems. Going live with Heathcare.gov before completing the necessary testing seems like opening a US embassy in Russia while it's still under construction and expecting nothing incideous will happen.  The notion of replacing the current system with a new  one maybe a hard pill to swallow, but it may be the right decision.

 
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Ninja
11/21/2013 | 11:18:07 AM
Stating the obvious
EVERY site -- every Internet-connected device -- is constantly being probed for weaknesses. The only way the ACA site is 100% safe is if it's unplugged, which is exactly what the GOP wants. No matter how much money or expertise you throw at code, no one can promise 100% invulnerability. To imply otherwise is disingenuous.
TerryB
50%
50%
TerryB,
User Rank: Ninja
11/22/2013 | 1:09:44 PM
Re: Stating the obvious
I'm with Lorna. As you took quote from a Republican politician, who probably needs help from his 9 year old to reboot his computer, this article lost some credibility.

The government has had enough of our information for many years that someone could use for identity theft. Why we are now talking about this because of this new application? If this site is not "safe", then I'm sure the IRS, Medicare, etc are just as vulnerable. And only to the very best and brightest hackers, no script kiddie is cracking these sites. The guys that wrote StuxNet? They can probably get into anything that is usable and connected. That's life today.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
11/22/2013 | 2:43:40 PM
Re: Unanimous?
As Prof. Rubin states, "One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day. That is not the way large systems go live in practice."

Any Internet company would have started with a website where people signed up to get a notification when the live site was available, and invitations would then be metered out to those people to try it before it went live to any larger group. That kind of slow roll out could have identified scalability problems early and minimized security issues.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.