HealthCare.gov: Biggest Security Risks Yet To Come
Push to fix Healthcare.gov by the end of November might create more problems, says security expert.
For the security and integrity of Healthcare.gov, the date that scares Mac McMillan is November 30. There is already evidence that in addition to failing to perform at the required scale, the federal health insurance portal is riddled with security problems -- and a rush job to "fix" the site will likely only make matters worse.
McMillan is CEO of CynergisTek, a healthcare-focused information security firm, and chair of the Health Information Management Systems Society (HIMSS) Privacy and Security Policy Task Force. He warned about the dangers of a lack of testing back in September in the blog post, "Health Insurance Exchanges: Ready or Not, Here They Come," on About.com. He worried about developers rushing then, and it concerns him at least as much now. Once again, the site could be on a path to fail.
A month before the site went live on October 1, there were news reports that testing of the website hadn't begun because the developers were still rushing to get the software done and stable. Right away, that set off alarm bells.
"They were behind in testing, rushing to get it done, and somebody needed to say, 'It's more important to get it right,' " McMillan said. "The problem was it was all political -- it's still political, that's why it hasn't been taken down." The website really should have been taken offline for repairs once the extent of its problems was obvious, he said.
To him, the mystery is that after winning such an important, hard-fought legislative battle over "the biggest issue in politics for the last 30 years" with the Affordable Care Act, the Obama administration seems to have been so careless in failing to line up the right talent to bring the technical infrastructure for it online. The smarter thing to do would have been to bring in experts in building high-traffic, transactional websites rather than the usual government contractors, he said.
Even if the software development had been essentially complete in early September, one month would have been an awfully tight timeframe for such a complex system with multiple dependencies on other state and federal IT systems. McMillan's perspective comes from serving in a Department of Defense Designated Approving Authority role, where he oversaw the certification of defense IT systems as secure and correctly implemented. There, the process typically took a month to a month and a half, he said, "and that was just for a regular system," not a monster system like the insurance portal.
"That's where I said there's no way in hell they're going to get this all done -- they're rushing it, and they're going to put it up, come hell or high water," McMillan said. "The question is, how much risk have they introduced into the whole process?"
Since then, we've learned that internal warnings about security risks were ignored as project leaders pushed toward the October 1 launch. And of the many stories to have come out about the website's shortcomings, some have featured breaches of confidential information, like the one highlighted by The Foundry, a conservative blog from The Heritage Foundation, about a man who tried to register on the site and got back a confirmation message containing another individual's private information.
The Obama administration's response to the embarrassment of the under-performing website has been to promise that it will be fixed by the end of November. That's yet another deadline set by politics, rather than careful planning, and will result in developers churning out more code that ought to be properly tested -- but probably won't be, McMillan said.
"I hope that somebody who knows what they're doing is now part of that process," he said. "You need someone who will be responsible at the end of this month to say if it's not ready, it's not ready -- and do the right thing."
Despite all his concerns, McMillan said he believes with the right leadership and the right team in place, the website could be fixed within the allotted time. "It's doable that it could be fixed and correct," he said. "Whether it could be thoroughly tested in such a short period of time -- I don't know about that."
Also, one of his underlying concerns is with the sprawling nature of the program, which goes beyond Healthcare.gov to include websites set up by the states, which integrate with a federal data hub for access to eligibility information. The decentralized nature of the program introduces that many more places for cybersecurity breaches to occur, he said. Moreover, it gives more people in more places access to sensitive information, and some of those people will inevitably turn out to be untrustworthy.
"That's where the real issues are going to be down the road," McMillan said. "At the end of the day, it's a question of what are the American people willing to put up with. It appears we're willing to put up with a hell of a lot."