Now that the Information Technology and Security communities have had time to digest what’s going on with Healthcare.gov, they are starting to think about what the “glitches” mean from a security perspective. For example, here’s some coverage in eWeek. And I’ve been asked by several other publications to provide my thoughts on the site’s security.
Ironically, the glitches may be the best security tool yet, per the article:
“In fact, the site’s stability issues and lack of usability to this point may be its best security: Even hackers haven’t been able to get in long enough to make it work,” Carpenter (VP of Strategy at AccessData) said.
As I point out in the article, a system as complex and interconnected as this one is, with as much data as it contains, is highly susceptible to attack, exploitation and breach of data. The technical difficulties that the site has suffered through do not hold out much hope that security has been implemented without “glitches”, either.
A site this complex, with this many bugs and glitches, being fixed on a crash basis, will have all sorts of vulnerabilities. And it turns out that one of the key contractors working on Healthcare.gov, QSSI, has had security control problems in the past, per this article. The only way to secure complex systems is to do the basics of security very well. But the specific security control issues cited in the government audit, allowing employees to connect USB drives and iPods to workstations with access to sensitive data, are pretty basic things.
*Update – There’s another good article on SC Magazine’s site as well.