Avoid this Mud-Hole: Protect your Family and Business – Experts Highlight Serious Security Defects with HealthCare.Gov
Of Mud-Holes and Mismanagement
“NO!” That was the unanimous answer by four experts during testimony to the Science, Space and Technology Congressional committee November 18, 2013, when asked if they thought the HealthCare.Gov website was secure.
In their written and oral testimony, the experts laid out a dismal prognosis for the security flaws currently included in the site. Furthermore, they were extremely critical of the current process being employed to fix these flaws. As a business crisis and fraud expert, I spend a considerable amount of time helping my clients get out of the ‘Mud-Holes‘ that they have created. It’s better when you can see a mud-hole and step around it. This article outlines what the experts told Congress regarding significant threats to your personal information.
Can Software be Too Complex for Security?
HealthCare.Gov is a very complex website. The site is comprised of 500 million lines of code and is visited by no more than 500,000 unique visitors daily. This compares with the 727 million unique daily visitors on Facebook which contains only 20 million lines of code.
Dr. Frederick R. Chang, former director of research at the National Security Agency and current Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security and Professor in the Department of Computer Science and Engineering in SMU’s Lyle School of Engineering in his testimony wrote, ”Today our opponents in cyberspace are intelligent, seam-seeking, shape-shifting adversaries that have an uncanny ability to penetrate and evade cyber defenses and compromise the targeted system…When it comes to security, complexity is not your friend.”
Morgan Wright, CEO of Crowd Sourced Investigations, LLC added: “The complexities and interdependencies of the current government site create significant opportunities for disruption of service, compromise of the security and privacy of personally identifiable information (PII), frauds and scams and insider threats. The vast amount of code also means applying industry-standard security practices…..is a task that can have no real chance of success at present” (emphasis added). So not only is it complex, but its basic design will mean that it may never be secure – the basic architecture of the site will leave it susceptible to fraud.
During the construction of the site there were multiple vendors, but there was no single point of contact for security. Mr. Wright noted, “…the number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top down view of the full security picture. For a system dealing with what will be one of the largest collections of PII, and certain to be the target of malicious attacks and intrusions, the lack of a clearly defined and qualified security lead is inconsistent with accepted practice.” What is even more troubling is that this was known prior to launch. In a September 3, 2013 memo to Secretary Sebelius, one such threat described as “risk potential limitless” was given until May 2014 to be fixed. One expert testified: “This is completely unacceptable from an industry perspective, and is in extreme contravention of security best practices. Only in the government could such a gaping hole be allowed to exist without fear of consequence.”
Can the Actual Design of the Site Lead to Fraud?
The internet has been designed for users to give as little information as possible in order to shop online. It is not until we have made the decision to buy that we are typically redirected, whether we notice or not, to a secured site. The secured site then captures the personal information needed to conclude a transaction. HealthCare.Gov requires you provide your PII before you shop, which one expert described as “polar opposite of how consumers buy in the private sector.” This requirement creates a ‘new normal’ that will allow fraudsters and scam artists to create deceptive practices to get this information. In fact, because the government did not register similar, misspelled or deceptive domain names (known as cybersquatting), there are more than 700 fraudulent sites today as it relates to the Federal and State exchanges. In the private sector companies register domains which will protect their customers from misspellings – so if you type ‘microsfot.com’ you will be redirected to ‘Microsoft.com’; Health and Human Services did not do that.
Since law enforcement has limited resources, frauds perpetrated on these sites will almost be impossible to track down. The IRS will be responsible for enforcement; one has only to look as far as the 1.1 million fraudulent tax returns filed in 2011, stealing more than $3.6 billion in undetected refund fraud to know that those scammed by these fraudsters have little hope of regaining their money or identities any time soon.
The requirement for PII to begin the process has also given rise to telephone fraud, particularly on the sick and elderly. Fraudsters are calling elderly citizens and offering to help them complete the enrollment process. Since the need to provide PII is well known, and the elderly are already susceptible to fraud (higher trust factor), these frauds are going on today thanks to the poor design of the website.
Increasing the likelihood of success for these scammers has been a total lack of education to the consumer by Health and Human Services for users of HealthCare.Gov and the Affordable Care Act enrollment process. Private sector businesses that collect data (banks and other financial institutions), spend a considerable amount of time educating their customers how to spot phishing emails and prevent fraud; there has been no such campaign associated with HealthCare.Gov.
You’re Not Even Safe if You Avoid the Website?
Yes, unfortunately even if you avoid the website and call a navigator to enroll you are at risk. HHS Secretary Sebelius admitted that there have been no background checks for those employed as navigators. She admitted that a convicted felon could be a navigator for the federal exchange. But background checks are just the beginning, and by themselves do not prevent fraud. Robust, continuous auditing of back office systems using predictive analytics are necessary to catch unauthorized activity as it occurs. Insurance companies and financial institutions have been running these systems for years. As one expert testified, “Aggressive auditing should be implemented to deter improper activity and identify procedural weaknesses that could contribute to misconduct, and continuous training should be delivered to the work force and monitored for satisfactory compliance.” So in other words, there is no way of knowing if your information is safe from those authorized to use the system.
So this Software can be Fixed…Right?
The experts were asked if HealthCare.Gov could be fixed while it was still available to the public. Three of the four said “No”- the fourth said that taking the site down would be “drastic” and that he would want to know more before he made that decision, but said he would not use the system. But they all agreed that the veracity of the ‘fixes’ would not be as good as if the site was pulled from operation. Dr. Chang stated that, “the breach-then-fix model is untenable. Data breaches are harmful to its victims, time-consuming and costly to repair, damaging to the enterprise’s reputation, and more.”
More important to the taxpayers, the cost to fix the site after roll-out is 100 times more expensive (yes, they said 100 times!). The costs escalate due to the additional effort, planning, contingency planning, resource allocation which must keep the site operational and functional while fixes are installed. Security has to be an integral part of the system design, rather than added on later – which in these experts’ opinion appears to a systemic flaw in the design of HealthCare.Gov. In addition, continuous breach testing must be conducted, preferably on an unannounced interval by third parties. This apparently is lacking as well.
What if I need Insurance from the Exchange?
- Use a reputable insurance broker to help you. They will know what is available and what is best for your current situation.
- Use a hub like eHealth and shop directly with participating insurance carriers. Or obtain a list of participating insurance companies in your State’s exchange and see if you can enroll directly with the Insurance company, bypassing HealthCare.Gov and the State exchanges.
- Join a trade group or association which may have insurance. You can purchase through them and avoid the exchange.
- Wait. Wait for the independent, cyber security experts to declare HealthCare.Gov safe.
What if I have Already Entered my Personal Information on HealthCare.Gov or a State Exchange?
- If you have entered your personal information on the Federal or State exchange, I strongly recommend you purchase a subscription to an identity theft protection service (Identity Guard, Trust ID, LifeLock, etc…)
- If it was a State Exchange, see what the cyber security experts are saying about its security. Some States have adequate security. This article focused on HealthCare.Gov and is not comprehensive enough to list which States have passed review.
- Go back to the site and see if you can delete your information from the exchange. That won’t stop fraudsters who may have already possibly stolen your information, but will prevent others in the future.
The cyber security mess associated with HealthCare.Gov is a manmade Mud-Hole deeper than we thought. Educate yourself, your friends, your employees and relatives about the security problems with HealthCare.Gov and the scams perpetrated on the uninformed. Being informed is the only way to keep your information safe (and stay mud free!).