Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Close HealthCare.gov For Security Reasons, Experts Say

Testifying before the House technology committee, four security experts advise would-be HealthCare.gov users to steer clear of the site, pending security improvements.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)

Should the embattled HealthCare.gov website be shut down until the White House proves it's secure?

That was one approach advocated by several security experts, testifying Tuesday during the House Science, Space, and Technology committee's "Is My Data on HealthCare.gov Secure?" hearing.

Ever since the October 1 launch of the federal HealthCare.gov portal, which implements the Affordable Care Act and is used by 36 states, security experts have been warning that the site is vulnerable to a number of different types of attacks. To date, would-be hackers appear to have paid scant attention to the site, but many security experts -- and legislators -- have voiced their concerns over the hack-attack potential for a healthcare portal that handles people's personal information, including social security numbers, income levels, and medical details.

"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," said committee chairman Lamar Smith (R-Texas) at the hearing.

[What will it take to make HealthCare.gov work? Read How To Get Obamacare Moving Now.]

"Several vulnerabilities have already been identified, and we know of at least 16 attempts to hack into the system. And I heard this morning that there were another 50," he added. "But we can assume that many more security breaches have not been reported."

David Kennedy, CEO of information security consulting firm TrustedSEC, echoed that assessment, saying there was no way that HealthCare.gov had been targeted only 16 times in the first six weeks after it launched. "What this statement shows is the lack of a formal detection and prevention capability within the website and its infrastructure," said Kennedy. "On average, while working for an international Fortune 1000 company, our main website was attacked over 230 -- averaged [out to] 232 attacks a day for the year of 2012 -- times a day."

Whatever the attack volume, the security experts testifying at the hearing all emphasized the challenge of trying to secure any infrastructure that sports 500 million lines of code, and which was implemented in a rush. "When it comes to security, complexity is not your friend. Indeed it has been said that complexity is the enemy of security," Fred Chang, a former NSA research director who now heads the cybersecurity program at Southern Methodist University in Dallas, told Congress. Likewise, for maximum protection, "ideally, security is built into an application from the very beginning rather than having it 'bolted on' afterwards," he said.

President Obama signs the Affordable Care Act.
President Obama signs the Affordable Care Act.

Avi Rubin, a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University in Baltimore, questioned the implementation methodology employed for the site, and especially the lack of beta testing with real users. "Most large, consumer-facing web-based rollouts happen in phases," Rubin told the committee. "For example when Google introduces a new service, they initially offer it to a select group of users. As bugs are ironed out and problems are resolved, the new functionality is enabled for more users. It is an iterative process, and there are always issues to resolve."

"One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day," he added. "That is not the way large systems go live in practice."

What should happen next? TrustedSEC's Kennedy outlined three scenarios: fixing the in-production site, shutting the website down entirely until it can be fixed, or using secure coding practices to build a brand-new "version 2.0" HealthCare.gov website in parallel with the current one. He recommended pursuing the last approach. "If design and code quality weren't created from the start, the fixes that we see now will only be small patches for a much larger problem," he said.

But how likely is it that HealthCare.gov might be taken offline, or rebooted any time soon via a version 2.0? In recent days, some Obama administration officials have said they want to have the site up and working for the "vast majority" of Americans by the end of this month.

Furthermore, Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), which is responsible for building HealthCare.gov, said in a separate House hearing Tuesday that the site sported "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.

Still, President Obama said in a press conference last week that if he'd known the state that HealthCare.gov was in, he wouldn't have authorized its October launch.

"I was not informed directly that the website would not be working the way it was supposed to. Had I been informed, I wouldn't be going out saying, 'Boy, this is going to be great,' " he told reporters. "I'm accused of a lot of things, but I don't think I'm stupid enough to go around saying this is going to be like shopping on Amazon or Travelocity a week before the website opened, if I thought it wasn't going to work."

The president added: "We would not have rolled out something knowing that it wasn't going to work the way it was supposed to, given all the scrutiny we knew would be on the website."

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
David F. Carr
David F. Carr,
User Rank: Strategist
11/22/2013 | 2:43:40 PM
Re: Unanimous?
As Prof. Rubin states, "One of the biggest mistakes of HealthCare.gov was the decision to roll it out all on one day. That is not the way large systems go live in practice."

Any Internet company would have started with a website where people signed up to get a notification when the live site was available, and invitations would then be metered out to those people to try it before it went live to any larger group. That kind of slow roll out could have identified scalability problems early and minimized security issues.
User Rank: Ninja
11/22/2013 | 1:09:44 PM
Re: Stating the obvious
I'm with Lorna. As you took quote from a Republican politician, who probably needs help from his 9 year old to reboot his computer, this article lost some credibility.

The government has had enough of our information for many years that someone could use for identity theft. Why we are now talking about this because of this new application? If this site is not "safe", then I'm sure the IRS, Medicare, etc are just as vulnerable. And only to the very best and brightest hackers, no script kiddie is cracking these sites. The guys that wrote StuxNet? They can probably get into anything that is usable and connected. That's life today.
Lorna Garey
Lorna Garey,
User Rank: Ninja
11/21/2013 | 11:18:07 AM
Stating the obvious
EVERY site -- every Internet-connected device -- is constantly being probed for weaknesses. The only way the ACA site is 100% safe is if it's unplugged, which is exactly what the GOP wants. No matter how much money or expertise you throw at code, no one can promise 100% invulnerability. To imply otherwise is disingenuous.
User Rank: Apprentice
11/20/2013 | 11:32:10 PM
Hard Pill to Swallow
It's hard to take as credible the statement by Henry Chao, deputy CIO at the Centers for Medicare and Medicaid Services (CMS), when he says Healthcare.gov sports "layers" of security, and referenced CMS's track record of securing the data for people enrolled in Medicare and Medicaid.  The Medicare and Medicaid sites are still going through rigorous reviews and improvements in security controls and they are mature systems. Going live with Heathcare.gov before completing the necessary testing seems like opening a US embassy in Russia while it's still under construction and expecting nothing incideous will happen.  The notion of replacing the current system with a new  one maybe a hard pill to swallow, but it may be the right decision.

User Rank: Apprentice
11/20/2013 | 8:48:25 PM
Re: Unanimous?
Unfortunatley I think politics is keeping the site open. Maybe the government will do the right thing and shut it down, fix it, then get it back online. I'm not holding my breath.
David F. Carr
David F. Carr,
User Rank: Strategist
11/20/2013 | 3:40:56 PM
Seems unanimous: Healthcare.gov: Biggest Security Risks Yet To Come

Who would care to make an argue that it's better to soldier on and fix the system while continuing to operate it? Is there a technical argument for keeping the site live, as opposed to a political one?
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...