Healthcare.gov: Proceed at your own risk
- 19 March, 2014 19:27
Nearly six months after the Obamacare rollout, the agency in charge of its website, Healthcare.gov, says it is reasonably secure.
According to the federal Department of Health and Human Services (HHS), Americans should have no fear of entering sensitive personal information on it, said spokeswoman Alicia Hartinger. The site is "protected by stringent security standards (and) monitored by sensors and other tools to deter and prevent any unauthorized access," she said in an emailed statement.
No, it isn't, according to a number of security experts. David Kennedy, CEO of TrustedSec, spoke for many of his colleagues when he said the site is so lacking in basic security that it amounts to the online version of a car with its doors and windows open.
So whom should you believe?
Part of the problem with sorting out a credible answer is that HHS won't respond to specific questions about security measures on the site. Hartinger said that "the privacy and security of consumers' personal information are a top priority for us," and that to date "there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site."
She added that the components of the site that are operational "have been determined to be compliant with the Federal Information Security Management Act (FISMA), based on standards promulgated by the National Institute of Standards and Technology (NIST) and promulgated through the Office of Management and Budget (OMB)."
But she declined to address questions regarding the unanimous opinion of security experts that compliance with FISMA is not equivalent to security. In the words of Danny Lieberman, CTO at Software Associates, "FISMA is the equivalent of counting the number of rivets on an F-15 and declaring it safe to fly because it has 100% of its rivets.
"If HHS is serious about security, they are invited to publish their threat model and analysis of the web site and hold it up to public scrutiny," he said, noting that this has not happened. "A site that cost $700 million and relies on politics and security by obscurity will never be secure," he said.
Hartinger also had no response to critics who have said the monitoring of the site is poor -- that it has reported detecting only dozens of attacks, while it is almost certain that there have been thousands.
And within the security community, there is virtually unanimous agreement that the site remains catastrophically vulnerable. Martin Fisher, director of information security at Wellstar Health System, was perhaps the most gentle when he called it "more-or-less as secure as the vast majority of websites out there."
But he quickly added, "that's not an attempt to excuse anything -- it's more a sad statement on the state of security across the breadth of sites."
And obviously most sites are not nearly as attractive to cyber attackers as one with connections to other government agencies -- like the Internal Revenue Service (IRS) -- with information on every citizen in the country.
Kennedy, who testified before the House Science and Technology Committee in January that serious security flaws remain on the site, said the statement from HHS is "the default response they've sent all media requests."
But he said it is apparent when any website goes live "whether or not security was integrated or even a thought in the development process." And he said the reality of Healthcare.gov is that "unfortunately, when the site was released it had a number of flaws on the site and didn't have much when it came to security. We had documented a number of them and also contacted HHS to let them know of the exposures."
Other security experts agree that security was not a priority in the development of the site. "The evidence provided so far would indicate that the project was rushed to completion to meet a deadline after what I suspect could only be ineffective development," Wellstar's Fisher said.
Other experts who submitted written testimony to the January congressional hearing included Kevin Mitnick, once known as "the world's most wanted hacker," who is now CEO of Mitnick Security Consulting. "It's clear that the management team did not consider security as a priority," he wrote, noting that the danger of a breach involves much more than the site itself, since it retrieves information from other government agencies including the IRS, Social Security Administration, Department of Homeland Security, and various state agencies.
"It would be a hacker's wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases," he wrote, calling the lack of security "shameful."
Kevin Johnson, CEO of Secure Ideas, also submitted testimony that the site displays "not only a basic lack of security testing...[but also] has been written by developers who have not been introduced to basic security training, nor understand the importance of security within an application."
Still, if the site is that vulnerable, with such a trove of valuable personal information that covers every citizen of the country, why hasn't there been a successful attack so far?
Kennedy and others say a successful attack may indeed have occurred, and that HHS either doesn't know or simply is not telling. "The federal government has no legal liability to disclose if a breach has occurred," he said, adding that after the site launched, there was testimony before Congress from contractors showing that the agency "didn't have the ability to detect if the site had been compromised or not."
Kennedy himself became mired briefly in controversy after he reported that through the use of basic Google search tools, he could tell that 70,000 records (possibly many more than that) were vulnerable.
It was then reported multiple times that he had hacked the site, which he had to scramble to correct. In blog posts and interviews he said he had not hacked or downloaded any sensitive information, but simply used "passive reconnaissance, which allows us to query and look at how the website operates and performs...It's a rudimentary type attack that doesn't actually attack the website itself -- it extracts information from it without actually having to go into the system."
Daniel Berger, president and CEO of Redspin, said Kennedy had used crafted search queries through Google, called "dorks," to find sensitive information indexed by search engines.
"Although this is a very easy issue to fix, it is indicative of the potential for more serious vulnerabilities that reside deeper within the app," he said. "So yes, the analogy about leaving the windows down in a locked car rings true."
Whether security has improved since the launch of Healthcare.gov is difficult to verify. U.S. Rep. Elijah Cummings, the top Democrat on the House committee that conducted the hearings in January, declared at the time that the site had undergone end-to-end testing and that the government had a strong mitigation plan in place to respond to attacks.
But, again, HHS's Hartinger did not respond to a request to confirm that. And Redspin's Berger noted the obvious: "Without details about the testing or seeing the mitigation plan, it is impossible to tell if this is adequate. It is easy to say that a plan is in place but when vulnerabilities keep arising people tend to lose faith in the statements made by officials," he said.
Kennedy said he does see some reason for encouragement. While he is not aware of any significant improvements to the site since its launch, he said he recently spoke with the CISO at HHS, "and from the discussions, I had a positive view of the direction of where they were focusing efforts on now in security. Based on the testimony, I think it opened some eyes and got a large focus that it hadn't previously," he said.
That attention to security, Berger said, should be foundational to the site. "Security needs to be built into their development process, so future revisions are fully tested before release," he said. "Fixing things as they are discovered after the fact and published in the media does not build trust with your users."