Thinking About Healthcare.gov’s Security

Now that the Information Technology and Security communities have had time to digest what’s going on with Healthcare.gov, they are starting to think about what the “glitches” mean from a security perspective. For example, here’s some coverage in eWeek. And I’ve been asked by several other publications to provide my thoughts on the site’s security.

Ironically, the glitches may be the best security tool yet, per the article:

“In fact, the site’s stability issues and lack of usability to this point may be its best security: Even hackers haven’t been able to get in long enough to make it work,” Carpenter (VP of Strategy at AccessData) said.

As I point out in the article, a system as complex and interconnected as this one is, with as much data as it contains, is highly susceptible to attack, exploitation and breach of data. The technical difficulties that the site has suffered through do not hold out much hope that security has been implemented without “glitches”, either.

A site this complex, with this many bugs and glitches, being fixed on a crash basis, will have all sorts of vulnerabilities. And it turns out that one of the key contractors working on healthcare.gov, QSSI, has had security control problems in the past, per this article. The only way to secure complex systems is to do the basics of security very well. But the specific security control issue cited in the government audit, allowing employees to connect USB drives and iPods to workstations with access to sensitive data, is a pretty basic thing.

*Update – There’s another good article on SC Magazine’s site as well.

About Eric Cowperthwaite

Nearly 30 year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in InfoSec.

5 Responses to Thinking About Healthcare.gov’s Security

  1. Pingback: BizzyBlog

  2. joe mack says:

    Maybe the law is impossible to implement with current technology.

    • richard40 says:

      Even with better technology I don’t believe the fed regulatory behemoth can implement a law this big, over a sector this big, without constant adverse side effects, and constant corruption and cronyism. That is the fundamental flaw of obamacare. It might work at the state level, since there you have a much smaller entity, and also bureaucratic excess is constrained by the constant threat that the state citizens will get fed up and leave the state, while it is much harder to leave the whole country if fed regulation screws things up.

      • Fundamentally, security is not a function of the technology. It is a function of design, implementation and integration of technology and business. The bottom line, something this poorly designed (and given its lack of function it is clearly not well designed and implemented) and implemented simply cannot have good security. Except, as I noted, for the sort of security that exists because the system is not functional.

  3. richard40 says:

    So the only thing protecting our private data from hackers so far is the site is so bad that even the hackers can't use it. Somehow I do not find that really comforting.
