11/15/2013
05:00 PM

HealthCare.gov: Biggest Security Risks Yet To Come

Push to fix Healthcare.gov by the end of November might create more problems, says security expert.

For the security and integrity of Healthcare.gov, the date that scares Mac McMillan is November 30. There is already evidence that in addition to failing to perform at the required scale, the federal health insurance portal is riddled with security problems -- and a rush job to "fix" the site will likely only make matters worse.

McMillan is CEO of CynergisTek, a healthcare-focused information security firm, and chair of the Health Information Management Systems Society (HIMSS) Privacy and Security Policy Task Force. He warned about the dangers of a lack of testing back in September in the blog post, "Health Insurance Exchanges: Ready or Not, Here They Come," on About.com. He worried about developers rushing then, and it concerns him at least as much now. Once again, the site could be on a path to fail.

A month before the site went live on October 1, there were news reports that testing of the website hadn't begun because the developers were still rushing to get the software done and stable. Right away, that set off alarm bells.

"They were behind in testing, rushing to get it done, and somebody needed to say, 'It's more important to get it right,' " McMillan said. "The problem was it was all political -- it's still political, that's why it hasn't been taken down." The website really should have been taken offline for repairs once the extent of its problems was obvious, he said.


To him, the mystery is that after winning such an important, hard-fought legislative battle over "the biggest issue in politics for the last 30 years" with the Affordable Care Act, the Obama administration seems to have been so careless in failing to line up the right talent to bring the technical infrastructure for it online. The smarter thing to do would have been to bring in experts in building high-traffic, transactional websites rather than the usual government contractors, he said.

Illustration: Mike Licht (CC BY 2.0)

Even if the software development had been essentially complete in early September, one month would have been an awfully tight timeframe for such a complex system with multiple dependencies on other state and federal IT systems. McMillan's perspective comes from serving in a Department of Defense Designated Approving Authority role, where he oversaw the certification of defense IT systems as secure and correctly implemented. There, the process typically took a month to a month and a half, he said, "and that was just for a regular system," not a monster system like the insurance portal.

"That's where I said there's no way in hell they're going to get this all done -- they're rushing it, and they're going to put it up, come hell or high water," McMillan said. "The question is, how much risk have they introduced into the whole process?"

Since then, we've learned that internal warnings about security risks were ignored as project leaders pushed toward the October 1 launch. And of the many stories to have come out about the website's shortcomings, some have featured breaches of confidential information, like the one highlighted by The Foundry, a conservative blog from The Heritage Foundation, about a man who tried to register on the site and got back a confirmation message containing another individual's private information.

The Obama administration's response to the embarrassment of the under-performing website has been to promise that it will be fixed by the end of November. That's yet another deadline set by politics, rather than careful planning, and will result in developers churning out more code that ought to be properly tested -- but probably won't be, McMillan said.

"I hope that somebody who knows what they're doing is now part of that process," he said. "You need someone who will be responsible at end of this month to say if it's not ready, it's not ready -- and do the right thing."

Despite all his concerns, McMillan said he believes with the right leadership and the right team in place, the website could be fixed within the allotted time. "It's doable that it could be fixed and correct," he said. "Whether it could be thoroughly tested in such a short period of time -- I don't know about that."

Also, one of his underlying concerns is with the sprawling nature of the program, which goes beyond Healthcare.gov to include websites set up by the states, which integrate with a federal data hub for access to eligibility information. The decentralized nature of the program introduces that many more places for cybersecurity breaches to occur, he said. Moreover, it gives more people in more places access to sensitive information, and some of those people will inevitably turn out to be untrustworthy.

"That's where the real issues are going to be down the road," McMillan said. "At the end of the day, it's a question of what are the American people willing to put up with. It appears we're willing to put up with a hell of a lot."

Follow David F. Carr on Twitter @davidfcarr or Google+. He is the author of Social Collaboration For Dummies (October 2013).

Comments
Tom Murphy
User Rank: Author
11/15/2013 | 5:35:04 PM
Lock the Door
Great column, David. Thanks.  Security is certainly my no. 1 concern when it comes to storing the most-personal facts about hundreds of millions of Americans online.  In the black market, personal health records fetch the highest price -- more than $10 a person.  I've always wondered who would want to buy it -- other than big pharma and insurance companies that stand to gain billions from such info.
mwagner919
User Rank: Apprentice
11/15/2013 | 6:13:32 PM
Re: Lock the Door
It seems inevitable that proper security testing is going to fall by the wayside in the rush to get HealthCare.gov fixed. The political consequences of failing to meet the deadline are high, and security problems will be felt down the road.
testytester
User Rank: Apprentice
11/16/2013 | 1:26:52 PM
Re: Lock the Door
does this work?
PaulS681
User Rank: Ninja
11/16/2013 | 4:45:00 PM
Unacceptable
Sadly healthcare.gov has become a joke. The Obama administration should be embarrassed and ashamed for putting this out. Is it any coincidence this came after he was elected for a 2nd term? I think not. The administration has no worries about repercussions from this and they should. The fact that the security has come into question is unacceptable. The US Government knowingly rushes a site that will have personal info about American citizens and knows there will be security issues. Unacceptable.
Alex Kane Rudansky
User Rank: Author
11/18/2013 | 10:01:57 AM
The wrong approach
Those in charge of Healthcare.gov took a backwards approach, introducing a flawed product on schedule. It's better to delay a launch and get it right than launch a disaster of a site on time. I'm eager to see how the Nov. 30 deadline will shake out.
David F. Carr
User Rank: Author
11/19/2013 | 9:59:38 AM
Re: Unacceptable
I'm not making a political statement. Personally, I want to see Obamacare work. I'm just disappointed in the lack of follow-through from winning a policy victory to taking the practical details of implementation seriously and putting them in the hands of competent people.
PaulS681
User Rank: Ninja
11/20/2013 | 8:40:10 PM
Re: Unacceptable
Now it is coming out that the administration was warned there were security concerns and there wasn't enough time to address all of them before the site went live. I don't understand the rush to get this out if it wasn't ready. The president's administration would have been better off explaining the site wasn't ready and not rushing to get it online.