On Tuesday, the Inspector General (IG) of the Health and Human Services Department released a report detailing the state of security on HealthCare.gov and the results of vulnerability scans performed in April and May of this year. The report's conclusions are grim, but far from surprising given the security issues that have plagued the site since it was launched.
The report outlines several issues with the website, which is managed and maintained by the Centers for Medicare & Medicaid Services (CMS), many of which have existed for some time. In fact, the application vulnerabilities discovered by the IG are stacked on top of the problems discovered by the Government Accountability Office (GAO) earlier this month.
A report from the Associated Press painted the IG's assessment in a positive light, but clearly CMS has a long way to go before it has a security program for finding and remediating application vulnerabilities that could be called mature.
"Generally, state and local government IT agencies are not as aggressive as a financial or [technical organization] would be in terms of assessing product," said John Bock, VP of software security for Accuvant, in an interview with Salted Hash.
The financial and tech sectors have processes to test applications and products on a continual basis. Those processes aren't perfect, clearly, but they are far more developed than what the government is using.
The IG report glosses over the fact that the assessment of HealthCare.gov was a point-in-time vulnerability scan. It clearly notes that the scan was conducted in April and that the critical vulnerability it found was patched in June, but the report doesn't single this out as an issue.
Moreover, nothing in the report says that additional testing was conducted after that critical vulnerability was patched, so there is no confirmation that the fix actually closed the exposure. In fact, it's just the opposite.
The official report notes that CMS had not "detected and defended" against the website vulnerability scanning and simulated attacks conducted by the IG. In addition, CMS had not implemented a process to use automated tools to test database security configurations, nor had it deployed a tool to scan HealthCare.gov for website vulnerabilities.
CMS says that weekly vulnerability scans are conducted, but both the GAO and the IG reports note that patch management and code fixes remain a problem regardless.
To scan or not to scan, that is the question:
Application scanning is only part of the answer, and relying on this method alone quickly becomes a problem. The IG report notes that scanners "use the same techniques as hackers, so the scanners test the security from an outside perspective."
This is true to a degree. A scanner does exercise the application from the outside, but it only recognizes the classes of flaws it has checks for: missing patches, known misconfigurations, injection in the parameters it can see. Authorization flaws and business-logic errors, where the application does exactly what it was built to do but shouldn't, rarely show up in a scan report. Criminals won't rely on scanners exclusively, and neither do the professionals.
Dave Kennedy, the founder of TrustedSec and one of the few security experts who has testified before Congress on the state of security surrounding HealthCare.gov, said that he'd never use a scanner to profile a website.
"As an attacker, if I were to profile a website, the last thing I would use is a vulnerability scanner. I would look at how it behaves to certain commands, attempt to manipulate and find exposures," Kennedy said in a statement to Salted Hash.
"The definition of a penetration test is loosely defined in general in the security industry and we see vulnerability scans on a regular basis pass as a penetration test. I think we need to educate the government on security practices and focus on promoting a better environment to protect our government websites and infrastructure."
Moving to the bigger picture, Kennedy said that he believed the biggest problem isn't with HealthCare.gov; it's with how security is defined within the government. The government is ten years behind the private sector, he said, and given the number of breaches that have occurred in the private sector, ten years is a scary number.
"For me, when a penetration test is defined as a vulnerability scan, it really shows the lack of maturity on the government side on how to identify what exposures are truly out there. We find that vulnerability scanners detect maybe 5 percent of what a real attacker would," Kennedy said.
HealthCare.gov is the nation's largest federally facilitated marketplace. A single data breach could be catastrophic. Yet, despite several warnings, and plenty of proof that there were problems, things are still broken. The website has already suffered one breach, and it was shrugged off by most of the public.
What's needed is a continuous cycle of testing and development, in which findings from each test feed the next development cycle and are re-tested once fixed, rather than a scan in April and a patch in June with nothing in between. While the IG's report noted that CMS has action plans to put such a cycle in place, this is something that should have happened from the start.
The fact that it didn't is a problem, and it shows that CMS has a long way to go before it reaches program maturity. The sad thing is, it may never get there.
"That level of programmatic maturity is not something we see out of the government sector," Bock explained.
"It's something that's in the private sector, and it's really only in the top tier of the private sector, which is financial and very, very large tech that's hitting that level of assurance."
The issue, as Kennedy mentioned, isn't just a HealthCare.gov problem. In fact, HealthCare.gov is just the tip of the iceberg.
"It's a widespread and massive problem we have on all government systems, this includes federal, state and the local levels," Kennedy said.
"What the government faces isn't unlike what we face in the private sector. Finding qualified people is a challenge, and in general, getting the appropriate funding and approval through a highly bureaucratic process is something I can't even imagine."
If anything, the problems that plague CMS should serve as an example of the security gridlock that exists in most government agencies and programs. This is why Kennedy feels that something needs to change.
"We need to push for federal law in disclosure of breaches," he said, regardless of whether data is compromised.
"We need to be aware of how frequent these attacks are, and as taxpayers, we should have it clearly [explained] how often we are being breached and attacked. I think if breaches in government websites (especially federal) were made public and forced for disclosure, we would see a large reaction in the public, since the government contains some of the largest repositories of personal information in existence."