Virtually all the recent news about the Patient Protection and Affordable Care Act (ACA), commonly known as Obamacare, has been about the "glitch"-filled rollout this past month of its website — Healthcare.gov.
But, those glitches will eventually be fixed. In some number of weeks or months, the site is expected to be reasonably functional as the online entry portal to health insurance for millions of Americans.
Functional does not mean secure, however. And somewhat lost in the frenzy over curing the front-end dysfunction for consumers is the question of how secure the site is now, or will be when it is fixed. Several security experts say the answer to that question is ominous.
"Anything that doesn't even work is almost by definition going to be a security disaster," said Gary McGraw, CTO of Cigital and a long-time proponent of "building security in" during software development.
Loricca, a security and compliance vendor, argued in recent blog posts that the security risks of the site are multiple and significant largely because the federal government used open-source content management systems (CMS) – it named Drupal and WordPress – which the company said are vulnerable to, "known security risks," including cross-site scripting, un-validated redirects, failure to restrict URL access, SQL injection, authentications and sessions and insecure direct object references.
With applicants required to provide, "massive amounts of personal identifiable information (PII)...we could be dealing with the largest Health Care IT Security breach of all time," the company said. "Millions of personal and health records could be compromised in a very short time."
Ron Beltz, vice president at Loricca, said his firm's analysis of the code for Healthcare.gov indicates that it a hybrid of Drupal and WordPress. The bottom line, he said, is that the site is, "a data breach just waiting to happen."
Martin Fisher, director of information security at Wellstar Health System, said while every online site is vulnerable to some degree, that is not caused by an open-source CMS. While he doesn't directly accuse Loricca of spreading FUD – fear, uncertainty and doubt – he does find the warnings exaggerated.
"Every site everywhere is vulnerable to some degree or another. To say or infer otherwise is quite silly," he said, adding that, "the vulnerabilities Loricca points out are not unique to Drupal. They exist on virtually any website that does transactions through the interface. Can they name a proprietary CMS that isn't vulnerable to these things? I am seriously disappointed that Loricca would put such tripe out there."
Fisher agreed that Healthcare.gov is likely a bigger target for hackers because of its prominence and the political controversy over it, "but that's got nothing to do with vulnerabilities," he said.
Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, said Loricca is correct that an open-source CMS does have, "many risks to it." But he agreed with Fisher that the use of Drupal is not itself a security problem. "All CMSs have vulnerabilities that lead to risk if not patched or otherwise mitigated in some fashion," he said.
Whatever the reasons, it is clear that vulnerabilities exist. There have been no data breaches of the site reported yet, but Health and Human Services (HHS) Secretary Kathleen Sebelius, testifying before Congress this past week, acknowledged that a "skilled hacker" had discovered a "theoretical (security) problem" and told the HHS about it. She said the problem had been fixed immediately.
But the Washington Post and Associated Press reported the flaw had not been fixed immediately. It cited an internal memo days before the Oct. 1 launch of the website that said the system had not been sufficiently tested and was a "high" security risk.
CNN reported that Ben Simo, an Arizona-based security researcher, discovered several weeks later, a flaw in the site that made it "frighteningly simple" for an attacker with minimal skills to hijack a customer's account in the insurance hub. That flaw, it said, was not fixed until Oct. 25.
According to CNN, when Simo tried to report the problem, "the Obamacare hotline operator referred him to law enforcement — which was neither helpful nor relevant."
As Paul Rosenzweig, founder of Red Branch Law and Consulting and a former deputy assistant secretary for policy in the Department of Homeland Security, noted in a brief Lawfare blog post, the hacker fortunately, "reported it, rather than exploited it. Which, of course, just reiterates the point that there are no invulnerable systems — only comparatively more or less secure ones."
That also illustrated the reality, however, that other skilled hackers might not be as charitable and ethical as Simo. And Cowperthwaite noted that the federal health exchange system, "has been described over and over as one of the most complex systems deployed by the government."
Healthcare.gov is not covered by the Health Insurance Portability and Accountability Act (HIPAA), which has numerous regulations requiring the protection of Protected Health Information (PHI) because it is not involved in actual transactions between patients and providers.
But it is loaded with PII. Applicants must supply highly personal, confidential information, which is then shared with other government agencies including Social Security, HHS and the IRS, to see if they qualify for subsidies or other benefits. And once that is done, the information is shared with a provider.
"There are dozens of agencies and private insurance organizations involved, all of the state exchanges and Medicaid agencies, and probably much more I'm not even touching on," Cowperthwaite said. "Any system that contains large amounts of PII could be the source of a massive breach. And the more complex the system is, the more likely there are significant vulnerabilities that can breached."
Experts said given the complexity of the site, there is no way to know for sure how vulnerable the Obamacare site is. "I don't think there are enough data points to make a reasoned judgment," Martin Fisher said.
But he added that forcing the website to comply with HIPAA regulations, as some have suggested, would be a very bad idea. "If we were to expand HIPAA to cover this website we'd have to expand HIPAA to cover every website everywhere," he said.
Cowperthwaite said in theory, an open-source system should be more secure, at least at the start, with fewer bugs and the chance for them to be fixed more rapidly. But, he said, once a piece of software is deployed, "it essentially becomes a frozen asset that exists in the state it was at deployment. After deployment, the fact that open-source software gets patched faster than proprietary software sort of doesn't matter anymore. What matters is how quickly and well vulnerability and patch management is done by the organization that deployed the software."
The president and Sebelius have promised that the site will be fixed by the end of November, but most analysts are dubious about that, given that the site reportedly has 500 million lines of code, and it is difficult for a new team of software developers to fix what another team has created.
Loricca's Beltz said what will make that even worse is that "the other people the government has brought in (to fix the site) are not open-source people."
Gary McGraw said the fact that the system was not tested thoroughly before it was deployed is a very bad sign. "You have to build security in from the start," he said. "They've done it in the wrong order. They've already built it, and you can't spray paint security on the side of a honking piece of software."
He said the problems with the rollout are evidence that government doesn't take the complexity of security seriously. "Software security is hard," he said. "Microsoft finds it difficult. Google finds it difficult. And government is way behind in that area. They can't even get a system to function, let alone function securely."
Beltz added that if there is a major data breach, the cost of cleaning up the mess will, of course, fall to taxpayers. "The biggest cost would be Congress having to pay for ID protection," he said.