Crashing and timeouts may be the least of Healthcare.gov’s problems as damning new evidence calls into question the site’s ability to safeguard user’s personal information.
Days after a memo was released detailing government officials’ prelaunch security concerns, experts are finding a number of weak links in the federal health insurance exchange website that could constitute a major privacy risk for citizens trying to access the site.
According to ArsTechnica, software quality researcher Ben Simo has come across a number of “slapdash” coding errors that hint at just how poorly HealthCare.gov was put together. Simo found “personally identifiable information embedded both in Web addresses sent to reset user passwords and in data being sent to third-party sites not directly involved in the health insurance certification process.” He also found that HealthCare.gov tends to push personal data unrelated to site functionality back to browsers. And even though this data is encrypted, Simo says it’s still at risk for attacks targeting the site’s users.
This review comes on the heels of an internal government memo from the Center for Medicare and Medicaid Services, indicating that a full security assessment of the site was not conducted before its glitch-laden roll out at the start of the month.
“Due to system readiness issues, the SCA [security control assessment] was only partly completed,” reads the Sept. 27 memo, which was turned over to the House oversight committee investigating the site’s creation. “This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.”
The memo was penned just days before HealthCare.gov went live and reccomended the creation of a “dedicated security team” to monitor the site’s risk, perform weekly scans, and “conduct a full-scale SCA test” within 60 to 90 days.
The memo did not, however, highlight specific security concerns. That’s what experts like Simo have slowly started to piece together.
Simo found significant vulnerabilities in the site’s password reset functions (which may have something to do with the lateness of the decision to require user accounts). A bug that revealed users email addresses and password reset codes has been repaired, but another flaw remains. The username and reset code are transmitted via clear text in the link users are asked to click to carry out the reset. The password reset code also appears to be permanent, meaning that if compromised, it could be used repeatedly to take over a user’s account.
A separate security risk, uncovered by Simo, relates to the transmission of data from the site to Web browsers and to analytics sites. This data also includes names and passwords, according to ArsTechnica:
“HealthCare.gov sends data to analytics providers such as Google’s DoubleClick and Pingdom. As Simo reviewed the Web requests being made as part of his movement through the HealthCare.gov site, he found requests sent to these two providers that included his visit to the password reset page—and all of the user data that was generated by the page. That runs counter to the privacy policy on HealthCare.gov, which states that no personally identifiable information will be collected by site analytics tools. This is the same sort of behavior that the Federal Trade Commission has fined social networks such as Facebook and Myspace for in the past.”
These discoveries are just the latest indications that HealthCare.gov’s problems may be more substantial than mere unexpected user demand. Since launching on Oct. 1, more and more details have emerged to indicate that HealthCare.gov’s development was rushed in order to meet rigid political demands.
A report earlier this month claimed that despite receiving a $94 million contract in December 2011, CGI Federal, the largest independent contracter behind HealthCare.gov, did not start writing code until last spring. The reason allegedly relates to the Obama administration’s reluctance to issue site specifications so as not to give hostile Republican’s any political ammunition. Another report uncovered plagiarized open source code was used in the site’s construction.
During a hearing on Capitol Hill Wednesday, Health and Human Services Secretary Kathleen Sebelius, who has taken the most political flake for the site’s flawed roll out, apologized for the slew of problems that have plagued the site.
“I am as frustrated and angry as anyone with the flawed launch of HealthCare.gov,” Sebelius said. “You deserve better. I apologize. I’m accountable to you for fixing these problems, and I’m committed to earning your confidence back by fixing the site.”
Photo by United States Mission Geneva/Flickr