Now that the Information Technology and Security communities have had time to digest what’s going on with Healthcare.gov, they are starting to think about what the “glitches” mean from a security perspective. For example, here’s some coverage in eWeek. And I’ve been asked by several other publications to provide my thoughts on the site’s security.
Ironically, the glitches may be the best security tool yet, per the article:
“In fact, the site’s stability issues and lack of usability to this point may be its best security: Even hackers haven’t been able to get in long enough to make it work,” Carpenter (VP of Strategy at AccessData) said.
As I point out in the article, a system as complex and interconnected as this one is, with as much data as it contains, is highly susceptible to attack, exploitation and breach of data. The technical difficulties that the site has suffered through do not hold out much hope that security has been implemented without “glitches”, either.
A site this complex, with this many bugs and glitches, being fixed on a crash basis, will have all sorts of vulnerabilities. And it turns out that one of the key contractors working on healthcare.gov, QSSI, has had security control problems in the past per this article. The only way to secure complex systems is to do the basics of security very well. But, the specific security control issues cited in the government audit, allowing employees to connect USB drives and iPods to workstations with access to sensitive data, is a pretty basic thing.
*Update – There’s another good article on SC Magazine’s site as well.
Pingback: BizzyBlog
Maybe the law is impossible to implement with current technology.
Even with better technology I don’t believe the fed regulatory behemoth can implement a law this big, over a sector this big, without constant adverse side effects, and constant corruption and cronyism. That is the fundamental flaw of obamacare. It might work at the state level, since there you have a much smaller entity, and also bureaucratic excess is constrained by the constant threat that the state citizens will get fed up and leave the state, while it is much harder to leave the whole country if fed regulation screws things up.
Fundamentally, security is not a function of the technology. It is a function of design, implementation and integration of technology and business. The bottom line, something this poorly designed (and given it’s lack of function it is clearly not well designed and implemented) and implemented simply cannot have good security. Except, as I noted, for the sort of security that exists because the system is not functional.
So the only thing protecting our private data from hackers so far is the site is so bad that even the hackers cant use it. Somehow I do not find that really comforting.