Pages

Tuesday, November 12, 2013

Security Issues And ObamaCare

A gazillion "things" will be written about ObamaCare but these are the two overriding issues:
  • unlimited liability the insurers have signed on to (elimination of lifetime caps)
  • security of the on-line website exchange
This is the security issue:
HealthCare.gov [is a] patchwork of hastily constructed systems that contractors ... hastily stitched together. To meet their deadlines, these contractors ... cut corners on key security features, such as encryption of sensitive personal data. 

HHS has been ... evasive with Congress on its security certifications, and CBS has reported that the security certification work is still incomplete—despite previous assurances by the White House and HHS to the contrary. [Consumer Reports advises folks to stay away from the on-line ObamaCare exchanges.]

The White House aggravated this security problem with its insistence on maximal use of “the cloud" .... ["The cloud" means that unencrypted data of every purchaser of insurance through HealthCare.gov crosses the Internet and travels unprotected into “the cloud” many times—every hacker’s dream.
[By the way, if you have a slow wi-fi connection, the next time you log onto HealthCare.gov, note all the sites that are being accessed while the website is being downloaded.]
 
Several major media organizations have confirmed first-hand how easy it is to hack into HealthCare.gov.
As just one example of some of the issues, an expert hired by CNN found that the system: (1) confirmed a guessed user name; (2) exposed unencrypted source code in the browser that allowed access to the password resetting mechanism; and (3) with the user name and the reset code, displayed a person’s three security answers. 
The resulting damage will not be limited to other sensitive data in the exchanges. Since many systems use the same security questions, theft of these answers will allow hackers, directly and indirectly, to access Americans’ bank accounts, brokerage accounts and other sensitive data bases. CNN concluded that this kind of theft from HealthCare.gov “wouldn’t have even taken a skilled hacker.”
I go to HealthCare.gov daily to check its status, but I would never, never enter any personal data. 

No one denies that the security issues are real. The only debate is how serious the security issues are.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.