This week there’s a lot of talk about a “tech surge” to address issues with the healthcare.gov website. While that is to address issues specific to that site only, this focus on improvements around the Affordable Care Act’s (ACA) online experience is a good time to consider an important and necessary change to fundamentally improve the overall security of the experience. Put simply, there needs to be a verifiable online “seal” or label program for official ACA-related websites.
The root of the problem is that there is no simple, uniform way to verify that an ACA-related site is legitimate. This makes it nearly impossible to distinguish legitimate state sites from legitimate third-party sites, and both of those from illegitimate scam or fraud sites. The problem is so acute right now that even a security and privacy professional like me can’t say with confidence whether some sites are legitimate or not.
The reasons for this situation lie in the lack of consistency and standards for these sites. For example, domain names vary widely: some states’ official sites use .org domains, others use .com, while the federal site is .gov. Even the names of the sites are inconsistent: the federal site is “healthcare,” Washington State calls theirs “wahealthplanfinder,” but California’s is “coveredca.” This means regular users can’t rely on domain names the way they’re used to doing with businesses (e.g. www.coke.com). Another problem is that there is no standard “look and feel” for these sites, and in some cases states’ official sites look and feel less official than third-party sites. These problems are compounded by the fact that the use of digital certificates among sites is inconsistent, so people are sometimes deprived of that security check entirely. Taken all together, this means that deciding whether a site is legitimate is more guesswork than informed decision making.
The reality is that these are major issues that can’t be addressed quickly or easily. That’s why the best solution now is to establish a verifiable online seal program for legitimate ACA-related sites. This can give people a way to quickly and easily identify legitimate sites and so steer away from illegitimate sites. It also is a relatively simple solution that less sophisticated users can use.
A good example of an online seal program like this is the Better Business Bureau’s (BBB) online seal program. This program gives businesses that meet the standards and criteria of the BBB the right to display the BBB online seal on their webpage. The BBB online seal links to the BBB’s site; the visitor can verify the legitimacy of the site hosting the seal by going to the BBB’s site. The BBB’s site also supports digital certificates, so you can verify the legitimacy of their site. If the original site also supports digital certificates, this together creates a clean, simple verifiable chain of trust that can give you confidence in the legitimacy of the site you’re wondering about.
Regarding ACA-related sites, there’s a partial chain of trust already in place. If you start with the federal Healthcare.gov site and follow links to state sites that support digital certificates, you can verify those sites. Implementing an online seal program can tie into the existing chain of trust and complete it, so people can verify all official ACA-related sites.
A key piece of a successful online seal program is people understanding how to verify the seal properly and doing so regularly. A seal by itself, with no verification, can easily be spoofed. This means not only does there need to be a seal program, but there have to be clear instructions for people not just on how to recognize the seal but on how to verify it as well.
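To make the chain of trust from the BBB example and the verification step concrete, here is a small model of what “verifying the seal” actually has to check. This is an added illustration, not code from the original post or from the BBB or any ACA program; the authority hostname, the registry contents and the seal-link format (a `site=` parameter on the authority’s verification page) are all assumptions made for the example.

```python
# Added example, not part of the original post: a minimal model of the
# seal-verification chain described above. The authority domain, the
# registry contents and the seal-link format are all assumptions.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Hypothetical seal authority (stand-in for the BBB or an ACA seal program).
AUTHORITY_HOST = "seal.example"

# Constructed registry of seal holders, as the authority would publish it
# on its own HTTPS site. Keys are the hostnames that were actually vetted.
REGISTRY = {
    "official-exchange.example": {"active": True},
    "lapsed-site.example": {"active": False},
}


@dataclass
class SealObservation:
    """What a visitor (or a browser extension) can observe on the page."""
    page_host: str            # host of the page the visitor is actually on
    page_uses_tls: bool       # does that page present a valid certificate?
    seal_link: str            # URL the seal image links to


def verify_seal(obs: SealObservation, registry=REGISTRY, authority=AUTHORITY_HOST):
    """Return (ok, reason). ok is True only when every link of the chain holds."""
    # 1. The site displaying the seal must itself be verifiable via TLS.
    if not obs.page_uses_tls:
        return False, "hosting site has no valid certificate"

    link = urlparse(obs.seal_link)
    # 2. The seal must lead to the authority over HTTPS, not to a look-alike host.
    if link.scheme != "https":
        return False, "seal link is not HTTPS"
    if link.hostname != authority:
        return False, f"seal links to {link.hostname!r}, not the authority"

    # 3. The verification page must be about the site the visitor is on.
    #    A seal image copied from another site still carries that site's
    #    link, so the host named in the link is compared with the real page host.
    claimed = parse_qs(link.query).get("site", [None])[0]
    if claimed != obs.page_host:
        return False, f"seal vouches for {claimed!r}, but you are on {obs.page_host!r}"

    # 4. The authority's registry must list that host as an active seal holder.
    record = registry.get(obs.page_host)
    if record is None:
        return False, "authority has no record of this site"
    if not record["active"]:
        return False, "seal for this site has lapsed"
    return True, "seal verified through the authority"


if __name__ == "__main__":
    # Constructed observations covering the legitimate case and the
    # ways a seal can fail to verify.
    cases = {
        "legitimate": SealObservation(
            "official-exchange.example", True,
            "https://seal.example/verify?site=official-exchange.example"),
        "seal copied from elsewhere": SealObservation(
            "look-alike.example", True,
            "https://seal.example/verify?site=official-exchange.example"),
        "seal pointing off-authority": SealObservation(
            "look-alike.example", True,
            "https://seal.example.co/verify?site=look-alike.example"),
        "no certificate on host": SealObservation(
            "official-exchange.example", False,
            "https://seal.example/verify?site=official-exchange.example"),
    }
    for name, obs in cases.items():
        print(f"{name:28s} -> {verify_seal(obs)}")
```

The point of step 3 is the one that makes a seal more than a picture: the authority’s page has to vouch for the host in the address bar, not merely exist. Steps 1 and 2 are the two digital certificates in the post’s chain of trust, and step 4 is the authority’s own say-so.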
While understanding how to verify a seal is a hurdle, it can be overcome. Most people now know to look for the “lock” before they buy something online. And with time, technology can evolve to make this easier. The fact that this kind of program has been used successfully by the BBB shows that it can work.
Implementing a program and the education to go with it is not a small undertaking. But if there really is a “tech push” under way, implementing a verifiable online seal program for ACA-related sites can be done. And when we look at the current environment of hundreds or even thousands of unverifiable sites asking for critical personal information, it’s clear that something needs to be done sooner rather than later.