Healthcare.gov Security Flaws Could Make Social Security Numbers Publicly Available
Even if it were functioning properly the Federal Health Care Exchange website would still have problems.
In addition to just plain not working for many people, it’s becoming apparent that the structure of the Federal Health Care Marketplace website is also suffering from some serious security vulnerabilities. For example, web security experts are saying the site is vulnerable to a cyber attack that could leave the personal information of everyone who has applied on the site open to the public:
With Healthcare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.
According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ”clickjacking,” where invisible links are planted on a legitimate web page. Using this scheme, hackers could trick users into giving up personal data as they enter it into the web site, potentially placing Americans at risk of identity theft or allowing fraudsters to file bogus health care claims.
Kyle Wilhoit, a threat researcher at Trend Micro, a Japanese security software company, studied the Healthcare.gov portal with his security team and found a “moderate risk” for hacking due to an easy-to-fix coding problem that leaves the site vulnerable to clickjacking. Nidhi Shah, who works on research and development for Hewlett-Packard’s Web Security Research Group, found the same problem. This wouldn’t be the first time a federal site experienced coding problems: Earlier this year, SAM.gov, a government contracting award management site, automatically revealed companies’ private data, without a hacker lifting a finger, because of bad coding.
“Common clickjacking would be a popular method to attempt to exploit [the site]” says Wilhoit. “Hackers could use this information in the creation of fake identities, fake credit cards, and fake accounts very easily.” He adds that it’s relatively easy to fix, although the fixed code would need to rolled out on multiple Healthcare.gov pages and potentially state websites as well.
Asked about clickjacking concerns, the Department of Health and Human Services (HHS) referred Mother Jones to this security statement, which says that Americans don’t need to worry: ”If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents.”
And it turns out that this security flaw isn’t just limited to the Federal website:
Some state Obamacare sites could be significantly more vulnerable than the federal portal. Healthcare.gov site uses a common form of encryption called Secure Sockets Layer (SSL), which prevents information from being intercepted by a hacker after you click “send” (SSL doesn’t defend against most clickjacking). But the 15 states currently running their own independent Obamacare websites do not have explicit instructions from the HHS to use SSL. According to HHS, these states and the District of Columbia, which also has its own Obamacare site, are independently responsible for ensuring that they “develop standards to protect the privacy and security of consumers’ personal information.”
“These state sites…represent more viable targets for direct attack” than the federal data hub, Budd argues. And hackers have been known to target state healthcare programs—last year, over 280,000 Social Security numbers were stolen from Utah’s Medicaid server.
Hawaii, for example, does not automatically use SSL across its entire website, potentially leaving user information vulnerable to hackers—particularly if a visitor to the site is using an open wireless network, such as one at a coffee shop. The same is true with the online health exchanges created by Minnesota and Colorado. Budd notes that attacking state sites “rather than the more fortress-like data warehouse [like the data hub] can be easier to pull off with a greater chance of success.”
This news comes on the same day that Congress held its first hearings regarding the problems with the Federal website, taking testimony from representatives of the main contractors who helped build the site:
WASHINGTON — Federal officials did not fully test the online health insurance marketplace until two weeks before it opened to the public on Oct. 1, contractors told Congress on Thursday.
While individual components of the system were tested earlier, they said, the government did not conduct “end-to-end testing” of the whole system from start to finish until late September.
The disclosure came at a hearing of the House Energy and Commerce Committee, which is investigating problems plaguing the federal marketplace, or exchange, a central pillar of Mr. Obama’s health care overhaul.
Cheryl R. Campbell, a senior vice president of CGI Federal, a unit of the CGI Group, the main contractor on the federal exchange, said that end-to-end testing of the full integrated system first occurred “in the last two weeks of September.”
Another witness, Andrew M. Slavitt of UnitedHealth Group, said, “We didn’t see end-to-end testing until a couple days leading up to the launch” of the federal marketplace on Oct. 1.
UnitedHealth, one of the nation’s largest insurers, owns Quality Software Services, which was in charge of “identity management,” including the use of password-protected accounts, in the federal marketplace.
Ms. Campbell and Mr. Slavitt said they would have preferred to have months of testing, as required by industry standards for a project of such immense complexity. The federal exchange must communicate with other contractors and with databases of numerous federal agencies and more than 170 insurance carriers.
The rollout of the Affordable Care Act has been tarnished by technical problems that have made it difficult for consumers to shop in the federal marketplace serving 36 states.
Ms. Campbell said that CGI continually reported to top officials at the federal Centers for Medicare and Medicaid Services, including Michelle Snyder, the chief operating officer of the agency, and Henry Chao, the deputy chief information officer. Those officials made critical decisions about the federal exchange, Ms. Campbell said.
In response to questions, Ms. Campbell said, “We were not responsible for end-to-end testing” of the whole system. The Medicare agency, known as C.M.S., was responsible, she said.
Mr. Slavitt said that his company had tested computer code for the federal marketplace and had found problems. “We informed C.M.S. that more testing was necessary,” he testified.
Lawmakers from both parties expressed anger during the hearing at the performance of contractors hired to build the online health insurance marketplace, which is still limping along after three weeks.
Lawmakers said they were dismayed because the contractors assured the committee on Sept. 10 that they, their computer systems and the online federal marketplace were ready to enroll millions of Americans eager to buy insurance, subsidized by the government.
“Why did they assure us that the Web site would work?” asked Representative Fred Upton, Republican of Michigan and chairman of the committee. “Did they not know? Or did they not disclose?”
“This is more than a Web site problem,” Mr. Upton said. “The Web site should have been the easy part. I’m also concerned about what happens next. Will enrollment glitches become provider payment glitches? Will patients show up at their doctor’s office or hospital only to be told that they aren’t covered, or even in the system?”
The hearing room was packed with spectators eager to witness the confrontation between lawmakers and business executives whose companies have received tens of millions of dollars to build the federal marketplace, or exchange.
Politics pervaded the session. Republicans said that technical problems crippling the federal Web site epitomized fundamental flaws in the 2010 health care law, Mr. Obama’s most significant legislative achievement.
Democrats said that the law was fundamentally sound, but that the Web site needed to be fixed immediately so people could get the insurance promised to them.
Representative Diana DeGette, Democrat of Colorado, said: “Three weeks after the Web site went live, we are still hearing reports of significant problems. These problems need to be fixed, and they need to be fixed fast.”
Representative John D. Dingell, Democrat of Michigan, lamented the sorry state of the Web site and said: “This is unacceptable. It needs to be fixed.”
But Representative Frank Pallone Jr., Democrat of New Jersey, said the hearing was part of “a cynical Republican effort to delay, defund or repeal the Affordable Care Act.”
Representative Tim Murphy, Republican of Pennsylvania, said the contractors “were shockingly unaware of what was happening or deliberately misleading our committee and the public” when they testified last month that their components of the exchange would be ready on time.
Ms. Campbell said all of CGI’s work had been done “under the direction and supervision” of C.M.S.
“We acknowledge that issues arising in the federal exchange have made the process for selecting and enrolling in qualified insurance plans difficult to navigate for too many individuals,” Ms. Campbell said. “Unfortunately, in systems this complex with so many concurrent users, it is not unusual to discover problems that need to be addressed once the software goes into a live production environment.”
She blamed Quality Software Services for problems that consumers have had creating password-protected accounts. These problems “created a bottleneck that prevented the vast majority of users” from gaining access to the federal exchange, Ms. Campbell said.
The exchange, she said, is “not a standard consumer Web site,” but “a complex transaction processor” that must simultaneously help millions of Americans shop for insurance and enroll in health plans. It must communicate instantaneously with computer systems developed by other contractors and with databases of numerous federal agencies and more than 170 insurance carriers qualified to do business in the 36 states where the federal marketplace operates, she said.
Mr. Slavitt said its identity verification tool was just one part of “the federal marketplace’s registration and access management system, which involves multiple vendors and pieces of technology.”
These were overwhelmed by people trying to use the site, Mr. Slavitt said. One reason for the logjam, he suggested, is that the administration made “a late decision requiring consumers to register for an account before they could browse for insurance products.”
John Lau, a program director for Serco, another contractor, said his company was seeing an increase in paper applications. Serco is supposed to enter data from those applications in the government’s computerized eligibility system, but problems in that system have created challenges for Serco, as they have for consumers, Mr. Lau said.
The same contractors, testifying before the same committee on Sept. 10, assured lawmakers that they were ready to handle a surge of users when the federal exchange opened on Oct. 1.
So, basically what happened is that none of the contracts were willing to take responsibility for what’s gone wrong with the site, or any of the problems with the site. Indeed, for the most part they seemed to push much of the responsibility for what has been happening off onto the Centers For Medicare and Medcaid Services (CMS), the Federal Agency inside the Department of Health And Human Services primarily responsible for the Federal Government’s end of the operation. They blame CMS, for example, for the fact that the architecture of the site needed to be changed less than a month before the site went live so that users would be required to set up accounts, including providing a vast amount of private information right down to Social Security Numbers, before being able to price shop for insurance in their states. It also appears that CMS was largely responsible for the fact that the final system was unable to be tested until some time in mid-September, which seems to be cutting it pretty short for a website that was supposed to debut on October 1st. As I said yesterday, given that this is a system that everyone knew was going to come into existence more than three years ago, the fact that it took so long for the project to get up and running to the point where actual testing was possible seems like a clear failure of project management, both by the government contractors themselves and by the Federal Agency responsible for overseeing the project.
It’s worth noting, of course, that its in the interests of the contractors to point fingers elsewhere. In all likelihood, the work that will need to be done to fix what has gone wrong with the Federal website is going to lead to claims of backcharges against their contracts and, potentially, lawsuits over who was ultimately responsible for what went wrong. There will likely be tens of millions of dollars at stake at the very least, not to mention potential damage to their future ability to secure federal contracts. Nonetheless, as noted above, there were several aspects of today’s testimony that are noteworthy, most especially what seems to be incredibly lax project management by the relevant Federal Agency. This should make next week’s testimony by HHS Secretary Sibelius and other HHS official quite interesting indeed.