Why wasn't healthcare.gov security properly tested?
Michelle Drolet, founder, Towerwall
When the healthcare.gov website was launched on Oct. 1 it didn't take long for technical issues to hit the headlines. Americans trying to register for health care found the website unusable. There were glitches, extremely long loading times, and serious errors, but most worrying of all for anyone entrusting sensitive data to the system was the lack of security testing.
Three white hat hackers, charged with exposing flaws in the security of online systems, told a Congress hearing that the healthcare.gov website has serious flaws that could expose sensitive information to determined cyber criminals. David Kennedy, chief executive of TrustedSec, told CNBC: “It's really hard to go back and fix the security around it because security wasn't built into it.” He produced a 17-page dossier of issues, which has not been publicly disclosed, in order to protect users of the website and give the government time to fix it.
Start with security
Anyone designing a new system such as this should take security into account from the beginning. The amount of personal information that could be harvested by any breach is truly alarming and the public must have confidence that their details are safe. It is highly unlikely that a commercial project that had not undergone rigorous testing would have been launched at all. The project should have been delayed.
Retrofitting security is tough and expensive, especially in a live product. There's a debate raging about how long this will take to fix and just what the level of risk is to users of the website, but there's little doubt that proper penetration testing could have exposed problems and given developers a chance to solve them before release.
Where was the application penetration testing?
According to a top official at the Homeland Security Department, talking to CNN, hackers have engaged in more than a dozen cyber attacks, but none were successful. The Department of Health and Human Services CIO, Frank Baitman, told a hearing that a white hat hacker or “ethical hacker” had been engaged to expose flaws and that a number of loopholes for potential security breaches were subsequently closed.
You would expect the government to engage in serious penetration testing for a project of this magnitude. It seems that time pressures led to corners being cut. An article in the Washington Examiner suggested that the website wasn't being properly tested until the week before launch, which is completely unacceptable for such an important system dealing in sensitive data. Generally speaking, the earlier problems are exposed and dealt with, the cheaper they are to solve.
Usability is the focus
The Department of Health and Human Services has released a report on its progress towards improving the healthcare.gov site, but it focuses on hundreds of software fixes, improved site capacity, and better site monitoring, which reveals a lower incidence of errors, improved stability, and a much improved response time. There hasn't been much discussion about the potential for security breaches.
Any website with coding errors or bugs is going to be vulnerable to a wide array of possible attacks. Fixing these bugs should, in theory, reduce the potential entry points, but if software fixes are rushed out the door there's every chance they could introduce new weaknesses.
Exposing security threats
A chain is only as strong as its weakest link, and because the healthcare.gov website transmits sensitive data, even if it doesn't store it, that data could be vulnerable to all sorts of attacks. There's potential for cross-site scripting or code injection attacks to install malware and run malicious code to steal passwords, cookies, and other data from subsequent visitors. Clickjacking could be used to redirect users to fake websites. The risk is complicated by the fact that many individual states effectively run their own Affordable Care Act sites and they're independently responsible for the security of those sites.
There are many unanswered questions. How well encrypted is your data during transit? How does the site handle authentication and manage individual sessions? These kinds of threats could be legitimately exposed and reported to HHS with the help of cyber security experts. The government should be employing white hat hackers on an ongoing basis as the system is being continually updated.
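As an added illustration (not part of the original article, and not code from healthcare.gov or HHS), the check below audits a captured HTTP response for the mitigations that address the questions raised in this section: HSTS for encryption in transit, framing restrictions against clickjacking, a Content-Security-Policy against cross-site scripting, and Secure/HttpOnly flags so session cookies can't be stolen by injected script. Both sample responses are constructed for the example.

```python
# Passive audit of HTTP response headers for the mitigations discussed above.
# The two responses below are constructed samples, not captured from any real site.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw):
    """Parse raw response text into {lower-case name: [values]}; status line skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return a list of findings; an empty list means every checked control is present."""
    h = parse_headers(raw)
    findings = []
    if "strict-transport-security" not in h:
        findings.append("no HSTS: browsers may be downgraded to plaintext HTTP")
    csp = " ".join(h.get("content-security-policy", []))
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing restriction: page can be framed (clickjacking)")
    if "content-security-policy" not in h:
        findings.append("no CSP: no defence-in-depth against cross-site scripting")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} readable by injected script (no HttpOnly)")
        if "secure" not in attrs:
            findings.append(f"cookie {name} may be sent over plaintext HTTP (no Secure)")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```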
The level of personal information that must be submitted includes a full name, address, phone number, email address, income details, employer details, and Social Security numbers. This is easily enough for cyber criminals to create fake accounts. Identity theft affects around 15 million Americans every year and this kind of fraudulent activity is responsible for financial losses in the billions.
Spending a bit more on penetration testing at the outset, and delaying the launch when it became clear that it wasn't ready for prime time, would have been a lot wiser, less damaging, and healthier on the cost side in every sense.