Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Close HealthCare.gov For Security Reasons, Experts Say

Testifying before the House technology committee, four security experts advise would-be HealthCare.gov users to steer clear of the site, pending security improvements.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)

Should the embattled HealthCare.gov website be shut down until the White House proves it's secure?

That was one approach advocated by several security experts, testifying Tuesday during the House Science, Space, and Technology committee's "Is My Data on HealthCare.gov Secure?" hearing.

Ever since the October 1 launch of the federal HealthCare.gov portal, which implements the Affordable Care Act and is used by 36 states, security experts have been warning that the site is vulnerable to a number of different types of attacks. To date, would-be hackers appear to have paid scant attention to the site, but many security experts -- and legislators -- have voiced their concerns over the hack-attack potential for a healthcare portal that handles people's personal information, including social security numbers, income levels, and medical details.

"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," said committee chairman Lamar Smith (R-Texas) at the hearing.

[What will it take to make HealthCare.gov work? Read How To Get Obamacare Moving Now.]

"Several vulnerabilities have already been identified, and we know of at least 16 attempts to hack into the system. And I heard this morning that there were another 50," he added. "But we can assume that many more security breaches have not been reported."

David Kennedy, CEO of information security consulting firm TrustedSEC, echoed that assessment, saying there was no way that HealthCare.gov had been targeted only 16 times in the first six weeks after it launched. "What this statement shows is the lack of a formal detection and prevention capability within the website and its infrastructure," said Kennedy. "On average, while working for an international Fortune 1000 company, our main website was attacked over 230 -- averaged [out to] 232 attacks a day for the year of 2012 -- times a day."

Whatever the attack volume, the security experts testifying at the hearing all emphasized the challenge of trying to secure any infrastructure that sports 500 million lines of code, and which was implemented in a rush. "When it comes to security, complexity is not your friend. Indeed it has been said that complexity is the enemy of security," Fred Chang, a former NSA research director who now heads the cybersecurity program at Southern Methodist University in Dallas, told Congress. Likewise, for maximum protection, "ideally, security is built into an application from the very beginning rather than having it 'bolted on' afterwards," he said.

Avi Rubin, a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University in Baltimore, questioned the implementation methodology employed for the site, and especially the lack of beta testing with real users. "Most large, consumer-facing web-based rollouts happen in phases," Rubin told the committee. "For example when Google introduces a new service, they initially offer it to a select group of users. As bugs are ironed out and problems are resolved, the new functionality is enabled for more users. It is an iterative process, and there are always issues to resolve."

"One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day," he added. "That is not the way large systems go live in practice."

What should happen next? TrustedSEC's Kennedy outlined three scenarios: fixing the in-production site, shutting the website down entirely until it can be fixed, or using secure coding practices to build a brand-new "version 2.0" HealthCare.gov website in parallel with the current one. He recommended pursuing the last approach. "If design and code quality weren't created from the start, the fixes that we see now will only be small patches for a much larger problem," he said.

But how likely is it that HealthCare.gov might be taken offline, or rebooted any time soon via a version 2.0? In recent days, some Obama administration officials have said they want to have the site up and working for the "vast majority" of Americans by the end of this month.

Furthermore, Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), which is responsible for building HealthCare.gov, said in a separate House hearing Tuesday that the site sported "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.

Still, President Obama said in a press conference last week that if he'd known the state that HealthCare.gov was in, he wouldn't have authorized its October launch.

"I was not informed directly that the website would not be working the way it was supposed to. Had I been informed, I wouldn't be going out saying, 'Boy, this is going to be great,' " he told reporters. "I'm accused of a lot of things, but I don't think I'm stupid enough to go around saying this is going to be like shopping on Amazon or Travelocity a week before the website opened, if I thought it wasn't going to work."

The president added: "We would not have rolled out something knowing that it wasn't going to work the way it was supposed to, given all the scrutiny we knew would be on the website."

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
David F. Carr
50%
50%
David F. Carr,
User Rank: Strategist
11/22/2013 | 2:43:40 PM
Re: Unanimous?
As Prof. Rubin states, "One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day. That is not the way large systems go live in practice."

Any Internet company would have started with a website where people signed up to get a notification when the live site was available, and invitations would then be metered out to those people to try it before it went live to any larger group. That kind of slow roll out could have identified scalability problems early and minimized security issues.
TerryB
50%
50%
TerryB,
User Rank: Ninja
11/22/2013 | 1:09:44 PM
Re: Stating the obvious
I'm with Lorna. As you took quote from a Republican politician, who probably needs help from his 9 year old to reboot his computer, this article lost some credibility.

The government has had enough of our information for many years that someone could use for identity theft. Why we are now talking about this because of this new application? If this site is not "safe", then I'm sure the IRS, Medicare, etc are just as vulnerable. And only to the very best and brightest hackers, no script kiddie is cracking these sites. The guys that wrote StuxNet? They can probably get into anything that is usable and connected. That's life today.
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Ninja
11/21/2013 | 11:18:07 AM
Stating the obvious
EVERY site -- every Internet-connected device -- is constantly being probed for weaknesses. The only way the ACA site is 100% safe is if it's unplugged, which is exactly what the GOP wants. No matter how much money or expertise you throw at code, no one can promise 100% invulnerability. To imply otherwise is disingenuous.
WKash
100%
0%
WKash,
User Rank: Apprentice
11/20/2013 | 11:32:10 PM
Hard Pill to Swallow
It's hard to take as credible the statement by Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), when he says Healthcare.gov sports "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.  The Medicare and Medicaid sites are still going through rigorous reviews and improvements in security controls and they are mature systems. Going live with Heathcare.gov before completing the necessary testing seems like opening a US embassy in Russia while it's still under construction and expecting nothing incideous will happen.  The notion of replacing the current system with a new  one maybe a hard pill to swallow, but it may be the right decision.

 
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
11/20/2013 | 8:48:25 PM
Re: Unanimous?
Unfortunatley I think politics is keeping the site open. Maybe the government will do the right thing and shut it down, fix it, then get it back online. I'm not holding my breath.
David F. Carr
50%
50%
David F. Carr,
User Rank: Strategist
11/20/2013 | 3:40:56 PM
Unanimous?
Seems unanimous: Healthcare.gov: Biggest Security Risks Yet To Come

Who would care to make an argue that it's better to soldier on and fix the system while continuing to operate it? Is there a technical argument for keeping the site live, as opposed to a political one?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.