December 3, 2013

Security at the HealthCare.gov website is worse than before

With less than three weeks to sign up for insurance or pay a penalty, problems with the healthcare.gov website are still unresolved.  It is impossible to imagine the anxiety and suffering of the millions who lost their health care policies and who don't want to put their identities at risk by going online to healthcare.gov.

Expert: Healthcare.gov Security Risks Even Worse After ‘Fix’

“It doesn’t appear that any security fixes were done at all,” David Kennedy, CEO of the online security firm TrustedSec, told the Washington Free Beacon.

Kennedy said fundamental safeguards missing from Healthcare.gov that were identified by his company more than a month ago have yet to be put in place.
--
After warning Americans when testifying before Congress on Nov. 19 to stay away from Healthcare.gov, Kennedy now says the situation is even worse.

“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.”

Get this.  The Federal Government doesn't have to notify anyone if the site is hacked.

“States are required to notify in the event of a breach, the federal government is not,” he added. “So in the event that Healthcare.gov gets compromised and all their information gets taken out of it they don’t have to notify anybody.”

Kennedy said the team working on Healthcare.gov is more likely to hide its security flaws than address them. When it was revealed that the most popular searches on the website were hack attempts—confirmed by entering a semicolon in the search bar—the website simply removed the tool.

The White House won't even give classified briefings to Congress about the security problems of healthcare.gov.  Chairman of the House Intelligence Committee Mike Rogers said,

“They could not even provide someone — CMS and HHS, the two folks responsible for the HealthCare.gov website — in a classified setting to come up and talk about the breaches that they know have happened. That’s just unconscionable.”

He warned that there is currently no coordinated effort within the administration to test the website’s newly-written code which was completed over the past two months of repairs, leaving it vulnerable to breaches. “You’re encouraging people to go to a site that our own government knows doesn’t meet safety standards when it comes to security of private information.”

78% Fear ObamaCare Site Security, Could Deter Signups

The latest IBD/TIPP Poll finds that 78% say Americans should be worried about the security of the ObamaCare exchange website, and 53% say they should be "very concerned." This view was shared across parties, with 69% of Democrats saying security concerns are warranted.

More worrisome for the law's success, 82% of those aged 18-24 say concern is justified. These are among the people ObamaCare most desperately needs to enroll to keep overall premiums from spiraling out of control.

John Podhoretz writes in Commentary, No, Healthcare.Gov Isn’t Working. Much of the backend hasn't been constructed yet.

There is no such thing as a functioning website if the “back end” isn’t working. The “back end” is the catchall phrase for everything you don’t see when you visit a website. It refers to the software that translates pictures and words into what you see here. It refers to the software that mediates the relationship between 1) users who enter information, 2) the servers that store the website’s information, and 3) third parties hired to take some (but not all) of the information and process it on their servers and computers. It refers to the security systems put in place so that the website cannot be disabled by an outside attack and so that the data entered cannot be stolen or otherwise compromised.
--
In other words, the back end is the website. What many people are seeing now at healthcare.gov is a visual demonstration of a sign-in. If the sign-in data are not transferred to a database, nothing has happened. It’s like taking a practice test; it’s not scored and it’s not registered and it means nothing.

New Obamacare Headache: Is Your Enrollment Real?

Obama administration officials acknowledged today that some of the roughly 126,000 Americans who completed the torturous online enrollment process in October and November might not be officially signed up with their selected issuer, even if the website has told them they are.
--
While the front-end of the website has been vastly improved, the back-end glitches remain a serious concern, IT experts and industry officials say.
---
For those who thought they enrolled in a plan through the federal exchange since October, the Obama administration now advises that individuals contact their insurance company to verify coverage and if none exists, to start all over again.

Errors plague one third of Obamacare online enrollees

The Washington Post is reporting the bad news for Obama: about one third of consumers enrolled through healthcare.gov have serious errors in the plans they chose.

The mistakes include failure to notify insurers about new customers, duplicate enrollments or cancellation notices for the same person, incorrect information about family members, and mistakes involving federal subsidies.
Posted by Jill Fallon at December 3, 2013 10:18 PM