The launch of the federal government's HealthCare.gov website has been dogged by reports of security issues, but according to one cybersecurity expert, the problems that have surfaced are far from abnormal.
Created under provisions of the Patient Protection and Affordable Care Act, commonly referred to as Obamacare, HealthCare.gov is meant to serve as an exchange where millions of individual citizens and families can shop for and compare health insurance plans. When the site launched on October 1, it was immediately plagued by availability problems, forcing many would-be shoppers on the exchange to wait indefinitely. Those concerns have since been compounded by reports of HealthCare.gov security issues, with many in the security industry alarmed that a trove of personal and health-related data could be exposed to attackers.
The uproar reached a fever pitch last week when the Associated Press discovered an internal government memo intended for Marilyn Tavenner, administrator for the Centers for Medicare and Medicaid Services, that stated the contractors working on the site were unable to perform a complete security control assessment. Though the memo noted all of the security controls for the different versions of the system had been tested through three previous rounds, all of the security controls for the complete version of the system were not tested.
"From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed a high risk for FFM [Federally Facilitated Marketplace]," the memo noted.
Though the subsequent media reaction to the memo painted a bleak picture, Waylon Krush, CEO of Lunarline Inc., an Arlington, Va.-based security services provider that works extensively with federal agencies, was quick to emphasize that many large enterprise systems, particularly in the defense sector, are tested under similar circumstances. As individual components are brought online, it's common for enterprises to test the security of each individual component and lock it down, he said. The company then just focuses on how the controls for each component may affect the system as a whole, and, assuming there are no interoperability issues, the company signs off on the security of the entire system.
In fact, Krush believes HealthCare.gov was released properly under the guidance of the Federal Information Security Management Act (FISMA). If that hadn't been the case, he noted, the conversation regarding the security of the site likely would have been much graver.
"[As part of FISMA], they have to build a system security plan, so they have to, or they're supposed to, be developing an architecture so they can meet all the security requirements for the entire system, and then each of those subcomponents have to be locked down in accordance with those requirements," Krush said. "I think they followed that process. There was a risk-based decision that was made, that this system had issues, which all systems do. They looked at the mission requirements and getting it online, and what security issues were outstanding, and they decided that they had a date they had to meet and they turned it on."
The first known security vulnerability that was uncovered as part of the HealthCare.gov launch involved the site's password-reset functionality. Ben Simo, former president of the Association for Software Testing, exposed the issue, which would allow an attacker to view information such as the email address associated with an account and the security questions a user had selected to answer. The vulnerability, which was fixed within a week of its disclosure, was reportedly never exploited by anyone other than Simo, but could potentially have been used in phishing attacks.
Krush saw the issue as minor, though, as an attacker would still have needed to analyze such details and glean more information from users before it would have been of value. The privacy aspect of the vulnerability is also overplayed, he commented, because many people will put more detailed information about themselves on social media sites like Facebook.
"I think this is kind of getting overblown from a cybersecurity perspective, but it's just because it's the main focus in the news," he said. "No one has put something out that I just can't believe from a security perspective [and] that I haven't seen in multiple other organizations. Not to say it's correct; I'm just saying it's nothing that's a blinding security issue."
One HealthCare.gov security concern that does worry Krush is the government's selection of Quality Software Services Inc. (QSSI) as one of the contractors assigned to repairing the site. In June, a report by the Health and Human Services inspector general revealed that QSSI allowed workers to connect unsanctioned devices to USB ports, which posed a risk to the personally identifiable information of over 6 million Medicare beneficiaries. He believes many contractors suffer similar issues to QSSI and that the government should focus on such problems when selecting contractors.
"If you have contractors and they have systems, they need to meet the same security requirements, without question," Krush commented. "And if they can't do that, then they shouldn't be selected as a contractor."
Having acknowledged that outside contractors pose a potential security pitfall, Krush reiterated that much of the concern surrounding HealthCare.gov is simply because it's the hot topic of the moment. If enough interest and attention are paid to the security of any system, including those run by the government, he said, vulnerabilities will eventually be discovered. Krush himself has yet to find a system that didn't have security holes, but in the case of HealthCare.gov, he believes a plan for ongoing testing and continuous monitoring is in place that will ensure such holes are closed.
The intense focus paid to every misstep by HealthCare.gov may also prove to be a blessing, according to Krush. Whether it's a private company or government organization, he said users really need to push to ensure their personal and health-related data is protected, and the spotlight shone on HealthCare.gov has certainly provided the necessary attention to ensure the system is better secured.
As for whether Krush himself would currently trust his sensitive data to HealthCare.gov, he simply responded, "Yeah, I would."