9

Security Concerns with Healthcare.gov Website

Posted by on Nov 7, 2013

Image from www.healthcare.gov

Image from www.healthcare.gov

Healthcare.gov website has been encountering some technical difficulties lately. After the launch of the website, many visitors who paid a visit to the website were extremely disappointed with the site’s slow and sluggish operation. Some people were greeted with a blank screen, some spoke to misleading call center representatives or received error messages and some even had their personal data compromised. On top of all these technical glitches, an issue related to the security of the website was revealed recently. The security flaw was discovered by Arizona based Software Tester Ben Simo. According to Simo’s research, gaining access to user accounts by exploiting the security loopholes in the websitewas extremely simple.. Initially he found out a flaw in the site’s password reset function, where anyone can reset your Healthcare.gov password without your knowledge and can potentially hijack your account. Apart from that he lists some of the other possible ways by which your sensitive information (like birthdate, Social Security number and estimated income range) could have been compromised. A hacker could have accessed your personal information by:

  • Guessing an existing user name, and the website would have confirmed it exists.
  • Claiming that you forgot your password, and the site would have reset it.
  •  Viewing the site’s unencrypted source code in any browser to find the password reset code.
  •  Plugging in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
  • Answering the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted
Image from http://listentometalkaboutmyself.files.wordpress.com

Image from http://listentometalkaboutmyself.files.wordpress.com

 

Anyone with basic knowledge about website coding can conduct such attacks and compromise your personal and healthcare information. The software quality researcher also found flaws with the coding done to integrate the site. Personally identifiable information was embedded both in Web addresses sent to reset user passwords and in data being sent to third-party sites not directly involved in the health insurance certification process. While the data is being sent over an encrypted connection still then it could be vulnerable to exploits targeting the website users.

Some security researchers say that the website is vulnerable to a hacking technique called “clickjacking” (planting invisible links on legitimate websites.) According to the researchers, Healthcare.gov, portal where the consumers of 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to use clickjacking technique. The hacker could trick users to give their personal data as they enter into the website leaving them vulnerable to identity theft or allowing fraudsters to file health care claims. As mentioned earlier the website uses Secure Socket Layer encryption (SSL) which prevents hackers from intercepting data in transmission. However the 15 states running their own independent Obamacare websites do not have any explicit instruction from HHS (Health and Human Services) to use SSL. They are individually responsible for developing their standards to protect the privacy and security of consumers’ personal information.

Image from www.arstechnica.com

Image from www.arstechnica.com

The reason behind these security flaws in the website could be the long-delayed security testing of the entire integrated exchange system. According to an internal memo, the administrators knew that the Obamacare website has security flaws days before the launch of the website. The memo warned that the system hadn’t been sufficiently tested, “exposing a level of uncertainty that can be deemed high risk”. The site was only given provisional security approval before the launch because a substantial amount of testing had not been completed just days before the site’s October 1 launch date. Health and Human Services Secretary Kathleen Sebelius told a House committee last week that temporary authority was granted because a security risk “mitigation plan” was in place. “The personal information going into HealthCare.gov includes birth date, Social Security number and an estimated income range. Sebelius emphasized that the additional security controls gave the agency confidence in going ahead with the launch, despite the audit showing a security gap”.

Keep your health information secured

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!

 

9 Responses to “Security Concerns with Healthcare.gov Website”

  1. Dale says:

    We need to report government invasion of privacy more and more. This is the most transparent administration we have ever encountered and our constitutional rights are being stripped faster than ever before. It is not only our duty to blow the whistle on the govt. invading our privacy, but our right as american citizens to stand up for what we believe in. I can’t be the only one who is tired of the govt. treating us sub-human am I?

  2. Heather says:

    It is very obvious that the website was not ready for the public. The government should have spent more time to work out bugs and security issues. People already don’t want to go to the website because of the slow loading. Put security issues on top of that and no one will want to log on. It’s a disaster! The government doesn’t care about your privacy either, they just want your votes.

  3. Roxie says:

    Wow. I think that one is conditioned to expect some techno glitches in this day and age, however, one that centers around something as basic as your password/user name combo is troubling indeed. This is a huge operation, with so many agencies at the federal and then at the multiple state level involved, I’m thinking it’s going to be a few months if not longer before it is really ready for “joe average” to be able to use it with enough confidence that they use their banks website. But I do believe they will achieve their goal, it’s just a same that their “customers” are the ones to do all the beta testing.

  4. Trish says:

    This statement: “However the 15 states running their own independent Obamacare websites do not have any explicit instruction from HHS (Health and Human Services) to use SSL.” is a little misleading. HIPAA standards have been established for over a decade now (not to mention other privacy standards). So, states would have known that they would have to have a security audit and that SSL would be required on all of those connections. I couldn’t imagine a state not using SSL, no matter what HHS did or didn’t say to them. That would be a bit like them setting up a site to allow credit card information over plain text links. It just isn’t going to happen.

    As to the rest of the registration web site problems. This is why EVERYONE who is building web sites of any significance needs to have a security engineer involved from the very beginning. In the long run, they’re going to actually save you money because good security forces good designs. And, in a lot of cases, they’re going to save your reputation. The most expensive time to decide to get to know a security engineer is AFTER you’ve been hacked because that’s when things like Secret Service and public notifications have already kicked in. A reputation is an expensive thing to try to buy back.

  5. reg says:

    This was an outrageous and seemingly intentional failure of implementation. I believe there was a mandate from the top down to the coders and testers that they were not ever allowed to state the truth about the status of the website. How this administration could have thought the website would magically work on its own, with virtually no testing, suggests that the political pressure to make the claim that Obamacare was now in effect, superseded the facts. I thought this administration was fond of factual information.

  6. Brady Johnson says:

    It always cracks me up that even with seemingly unlimited spending on hardware and software that the government usually can’t make a server completely secure. It’s a website that is going to be accessed by millions and there’s definitely going to be some people that would like to sabotage as a political message or any other personal reason.

    What can we do to stop this? If I don’t feel comfortable submitting private data to a government website how can I know I’m being protected. Is there anything I(we) can do to help or stop vulnerabilities in the site alltogether?

    -Brady.

  7. Darcy says:

    All I can say about this article is, “Wow, Wow, Wow!” Yes, like every other person on earth, I was aware that the government healthcare website was having serious problems. Nevertheless, I assumed that the problems were content-based, not with security risks. The most amazing thing is that this is the same government which also houses security outfits such as the CIA, FBI, NSA, etc. It’s well-known that not only does the United States government invest in defending itself against cyber-attacks from other countries but also possesses (and sells ) the technology which allows it to go on a cyber-offensive against other countries. So in light of these advanced capabilities, I’m confused as to why this same government can’t even sufficiently protect a website. I’m not a tea party member but I have to admit that I’m disappointed. The problem that I haven’t isn’t so much that the website has had problems but that they would even release it to the public if there were such security concerns. For lack of a better term, it just seems irresponsible. Nevertheless, I’m glad to hear there are truly safe technological options like SpikerOak’s services which seem positively bulletproof. I could definitely use a safe cloud service so I’m definitely going to check out the company.

  8. Matt Corgan says:

    The problem is that the developers behind the website know as little or less than the politicians behind the website. How can you effectively design and develop a website if you don’t entirely understand the concept.

    The security behind the website is acceptable but not perfect. Of course you can’t have a completely foolproof design this early into the development process. The developers need more usability testers in order to document what the general public is observing.

    Another problem is that hiring the most expensive developers for hundreds of millions isn’t the best solution. They could hire hundreds of developers and usability testers for an average salary and still have a well developed/secure website.

    I don’t think that the main developers entirely know what their doing. They should also distribute the server load so people won’t experience downtime at peak hours. The healthcare bill needs to evaluated and detailed better. That will ensure that more details can be put into the website. It doesn’t seem like the website and the bill are entirely centralized. This in turn reduces the security of the website forms and pages.

  9. Terri Gibson says:

    I believe the Government should recall this healthcare law until they can make sure our private personal information can in no way be compromised. I also feel like due to the cost of this a lot of people will opt for the fine versus paying for the coverage. Some people actually come out better paying the fine. It is a ridiculous bill that should be dismissed. Hopefully they will do it soon. I know I tried to make and account and sign in and all I got was nothing. Website is not ready and should be taken down and done away with.

Leave a Reply

Powered by sweetCaptcha