1/16/2014
03:58 PM

Healthcare.gov Still Insecure, Critics Tell House Panel

At Congressional hearing, critic who suggested in November site should be shut down says, "Nothing has changed."

In a sequel to a previous inquiry about the risks associated with the federal government's health insurance exchange website, the US House Science, Space, and Technology Committee held a hearing Tuesday entitled Healthcare.gov: Consequences of Stolen Identity.

While the testimony presented was a little less unanimous against the integrity of the website this time, Democratic members protested the premise of the hearing as biased and giving too much weight to speculation about potential vulnerabilities rather than evidence of real problems.

Testifying before a US House committee, David Kennedy, CEO of TrustedSEC, LLC, said that "nothing has changed" to alter the opinion he offered at the same committee's November hearing that the HealthCare.gov website is insecure and should have been shut down until basic flaws were corrected.

"I don't understand how we're still discussing whether the website is insecure or not. It is. It's not a question of whether it's insecure -- it's how to fix it," Kennedy said. He also provided the committee with a collection of letters from security experts -- Ed Skoudis, Kevin Mitnick, Kevin Johnson, Lares Consulting (Chris Gates, Eric Smith, Chris Nickerson), and John Strand -- echoing his condemnation.

For example, Kevin Mitnick, the former criminal hacker and founder and CEO of Mitnick Security Consulting, wrote:

Healthcare.gov retrieves information from numerous third-party databases belonging to the IRS, Social Security Administration, Department of Homeland Security, and other State agencies. It would be a hacker's wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases. A breach may result in massive identity theft never seen before -- these databases house information on every U.S. citizen!

Kennedy also cited the connections of HealthCare.gov to other federal systems as a reason to worry -- although at some level that's not only a criticism of HealthCare.gov. "Security in the federal government as a whole is in a really bad state," he said.

Chairperson Lamar Smith (R-Texas) teed up the issue by claiming there are "clear indicators that even basic security was not built into the HealthCare.gov website" and by citing a recent Experian report saying that healthcare-related data breaches are likely to surge in 2014 and should be a major area of concern.

The ranking minority member, Eddie Bernice Johnson of Texas, protested that "none of the majority witnesses' concerns have turned into actual security breaches." She also questioned the quality of their analysis, saying, "Not one of them has actual knowledge of security structure at HealthCare.gov. The best they can do is speculate." She charged that the hearing was part of a cynical campaign to make the Obama administration's healthcare reform initiative fail by making people afraid to use the website.

Johnson got some support from one of the testifying cybersecurity experts, Waylon Krush, co-founder and CEO of Lunarline, Inc. In the absence of an active vulnerability assessment, including penetration testing -- which would be illegal to conduct without the permission of the US government -- security researchers can hypothesize that the site could be vulnerable to attacks. But, he pointed out, "we can only speculate on whether those attacks will work." Further, the suggestion that a hacker who gained access to HealthCare.gov would be able to hopscotch into the connected systems such as those of the IRS, he said, "shows a lack of knowledge" of the extensive security measures all those sites have in place.

Citing his firm's contracts with the US Department of Health and Human Services and the Centers for Medicare and Medicaid division that oversees the operation of the website, Krush said, "Of anyone here, I probably have the most backend knowledge [of how these systems actually work]." (Later in the hearing, Chairperson Smith suggested those contracts might bias Krush to speak favorably about those agencies.) Krush also disputed the idea that HealthCare.gov represents a particularly big target for hackers, who tend to "go where the money is," businesses like Target and Neiman Marcus.

The federal government has also established some of the world's strongest standards for information security, he asserted.

Maybe so, but the health insurance exchange is a very large system. It was built so quickly, said Michael Gregg, CEO of Superior Solutions, that "it's very hard to believe" all those federal information security requirements were met. While it's good that the site's operators are running weekly assessments, he pointed out, that doesn't mean they're catching all possible problems.

The committee also heard from Lawrence Ponemon, chairperson and founder of Ponemon Institute, which conducts information security research. Ponemon testified mostly about the financial and emotional harm caused by identity theft, particularly medical identity theft, and the lack of confidence engendered by the way the HealthCare.gov site stumbled at launch. "Regaining the public's trust will be essential to the success of this initiative," he said.

One of the major assertions of the critics was that HealthCare.gov should be subject to an independent third-party assessment. This idea also became an item of partisan dispute, with Democratic members raising the point that the site was in fact being scrutinized by The MITRE Corp., Blue Canopy, and Frontier Security.

When Rep. Suzanne Bonamici (D-Oregon) asked if those firms were qualified to audit the security of the website, all four witnesses said yes (although Ponemon said he was specifically familiar with only MITRE's qualifications). Bonamici said the fact that the government is already following that recommendation undercut the whole premise of the proceeding. "[The] title of the hearing suggests the consequence of signing up at HealthCare.gov is going to be identity theft," she said.

Rep. Chris Collins (R-New York) said the minority protests were a matter of trying "to defend the indefensible," meaning the Obama administration's rush to get the site online by October 1 to keep a political promise. "That was the overriding concern, certainly not security," he said.

In the end, when the witnesses were asked for a yes or no answer on whether the site was secure, Kennedy and Gregg said no. "It's hard to say," Ponemon said, "but as a citizen of this country, I'm concerned. I'm not happy with what I'm hearing today."

"Speculating on whether it's secure or not, I'm not willing to say," Krush said, sticking to his assertion that the question couldn't be answered by anyone who hadn't actively tested the site's defenses. When pressed, he pointed back to the regime of weekly security scans that's been implemented. "That's pretty secure," he said.

David F. Carr is the editor of InformationWeek Healthcare and a contributor on social business, as well as the author of Social Collaboration For Dummies. Follow him on Twitter @davidfcarr or Google+.

Comments
SaneIT
User Rank: Ninja
1/22/2014 | 8:47:26 AM
Re: The first thing to g
This is a huge project and I can't say that there is any one best place to start but I would begin with securing the transactions between the various modules since an issue could very easily snowball and it would be less obvious than a direct attack on the web facing servers.
David F. Carr
User Rank: Author
1/21/2014 | 12:09:55 PM
Re: The first thing to g
@SaneIT, where would you start, if it were your job to make HealthCare.gov truly secure?
SaneIT
User Rank: Ninja
1/20/2014 | 8:26:09 AM
Re: The first thing to g
When I first heard about the issues that they were having with healthcare.gov, I started digging because I knew that the news outlets could only be giving as much information as they understood and that meant that the technical details would be the first things to be left out. I think it is important to look at how it was built, not just if it is working or not. The individual pieces seem to work or most of them work. The problem is that they hand off information between many different modules and departments and it's like playing the telephone game: when one module misbehaves, the entire transaction is twisted. Securing the site is going to be rough because one bad module will punch holes that could affect several other modules or the information that they collect.
David F. Carr
User Rank: Author
1/17/2014 | 9:48:31 AM
Speculation
With the help of one friendly witness, the Democrats were able to bring out the fact that a lot of the criticism is speculative in the sense that it's not based on an actual audit or penetration test.

On the other hand, I have to give HealthCare.gov security critic Kennedy credit for a comparison, which I neglected to use in the article: He said he was like a mechanic who passes a car that's blowing out big clouds of smoke -- enough evidence to suggest the vehicle is burning oil and in severe trouble, without the mechanic needing to look under the hood.
Laurianne
User Rank: Author
1/17/2014 | 9:29:29 AM
Re: The first thing to g
SaneIT, interesting point. Thank you for bringing a thoughtful point of view to many of our discussions recently.
WKash
User Rank: Author
1/17/2014 | 9:27:41 AM
Re: Who do you believe?
House committee hearings -- at least the ones I've attended -- seem to be more about speaking to an audience outside the hearing room than listening to what experts really have to share. When Congressmen call in experts, vs. the people who actually lived through HealthCare.gov's development, you have to wonder what real good comes out of these hearings besides a good show.
SaneIT
User Rank: Ninja
1/17/2014 | 7:45:38 AM
Re: The first thing to go
I think you're on the right track. Not only are they being pressured to get to a state where they can get users through an application, the security issues take a back seat for now because the handoffs between all the modules they are using make locking it down tougher than addressing a single exchange of data. I don't know that I'd say they see it as less important, but they probably see it as a bigger, longer-term fix.
cbabcock
User Rank: Strategist
1/16/2014 | 9:14:56 PM
The first thing to go
With the pressure they are under to just make it work, sound security practices have had to take a back seat, I have no doubt. If this were a well-managed project, security would have already been accounted for -- built in -- by now. But no. This is a mad scramble to get something done that looks like it works.
Sadie!
User Rank: Strategist
1/16/2014 | 6:57:45 PM
Re: Who do you believe?
None of them are sincere, they're politicians.
Lorna Garey
User Rank: Author
1/16/2014 | 5:12:39 PM
Re: Who do you believe?
People are entitled to their own opinions. They're not entitled to their own facts. There are either security flaws in the code comprising the site or there aren't. It's like manmade global warming - if 100 subject-matter experts examine the evidence, and 97 say something is so, well then ...

This seems like a similar case. Show security experts within the gov/Accenture the insecure code. Obviously, flaws are not going to be made public, nor should they be. But let's leave politics at the door and just fix it.