
Affordable Care Act-related sites need an online seal program

  • Posted on: October 23, 2013
  • Posted in: Security
  • Posted by: Christopher Budd (Global Threat Communications)

This week there’s a lot of talk about a “tech surge” to address issues with the healthcare.gov website. While that effort addresses issues specific to that one site, this focus on improving the Affordable Care Act’s (ACA) online experience is a good time to consider an important and necessary change that would fundamentally improve the overall security of that experience. Put simply, there needs to be a verifiable online “seal” or label program for official ACA-related websites.

The root of the problem is there’s no simple, uniform way to verify an ACA-related site is legitimate. This makes it nearly impossible to distinguish legitimate state sites from legitimate third party sites and those from illegitimate scam or fraud sites. This problem is so acute right now that even a security and privacy professional like myself can’t say with confidence if some sites are legitimate or not.

The reasons for this situation lie in the lack of consistency and standards for these sites. For example, domain names vary widely: some states’ official sites use .org domains, others use .com, while the federal site is .gov. Even the names of the sites are inconsistent: the federal site is “healthcare,” Washington State calls theirs “wahealthplanfinder,” but California’s is “coveredca.” This means regular users can’t rely on domain names the way they are used to doing with businesses (e.g. www.coke.com). Another problem is that there is no standard for the “look and feel” of these sites, and in some cases states’ official sites look and feel less official than third-party sites. These problems are compounded by the fact that the use of digital certificates among sites is inconsistent: people are sometimes deprived of that security check entirely. Taken all together, this means that identifying whether a site is legitimate or not is more guesswork than informed decision making.

The reality is that these are major issues that can’t be addressed quickly or easily. That’s why the best solution now is to establish a verifiable online seal program for legitimate ACA-related sites. This can give people a way to quickly and easily identify legitimate sites and so steer away from illegitimate sites. It also is a relatively simple solution that less sophisticated users can use.

A good example of an online seal program like this is the Better Business Bureau’s (BBB) online seal program. This program gives businesses that meet the standards and criteria of the BBB the right to display the BBB online seal on their webpage. The BBB online seal links to the BBB’s site; the visitor can verify the legitimacy of the site hosting the seal by going to the BBB’s site. The BBB’s site also supports digital certificates, so you can verify the legitimacy of their site. If the original site also supports digital certificates, this together creates a clean, simple verifiable chain of trust that can give you confidence in the legitimacy of the site you’re wondering about.

With regard to ACA-related sites, there’s a partial chain of trust already in place. If you start with the federal Healthcare.gov site and follow links to state sites that support digital certificates, you can verify those sites. Implementing an online seal program can tie into the existing chain of trust and complete it so people can verify all official ACA-related sites.

A key piece of a successful online seal program is people understanding how to verify the seal properly and doing so regularly. A seal by itself, with no verification, can easily be spoofed: it is just an image that anyone can copy onto a page. This means not only does there need to be a seal program, but there have to be clear instructions for people not just on how to recognize the seal but on how to verify it as well.
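To make the verification chain described above concrete, here is a small model of it in Python. This is example code added for this page, not code from the post, the BBB or any seal authority; the authority domain, the seal ids, the in-memory registry and the site domains are all constructed placeholders, and the `/verify/<seal id>` URL layout is an assumption. The point it shows is the one the post makes: the seal graphic proves nothing by itself, and only the trip back to the authority, over HTTPS, with the authority naming the very domain the visitor is on, makes it a check rather than decoration.

```python
"""Model of verifying an online seal the way the post describes it.

Constructed example: the authority domain, the registry and the site
domains are invented placeholders, and the registry is an in-memory
dict standing in for the authority's own website.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical seal authority that publishes which sites it has vetted.
AUTHORITY_DOMAIN = "seals.aca-authority.example"

# Constructed registry: what the authority's site would show for each seal id.
SEAL_REGISTRY = {
    "ACA-0001": {"domain": "healthplanfinder.example", "status": "active"},
    "ACA-0002": {"domain": "coveredstate.example", "status": "active"},
    "ACA-0003": {"domain": "retired-exchange.example", "status": "revoked"},
}


@dataclass(frozen=True)
class SealObservation:
    """What a visitor can actually see: the URL of the page they are on
    and the URL behind the seal graphic."""
    page_url: str
    seal_link: str


def verify_seal(obs: SealObservation, registry=SEAL_REGISTRY,
                authority: str = AUTHORITY_DOMAIN) -> tuple[bool, str]:
    """Walk the chain of trust from the post and return (ok, reason).

    Each step is something the visitor checks:
      1. the page itself is served over HTTPS (the browser "lock");
      2. the seal links to the authority, also over HTTPS, rather than
         to an image or to some other site;
      3. the authority actually knows this seal and it is still active;
      4. the authority says the seal belongs to the domain the visitor
         is on, not to some other site the seal was copied from.
    """
    page = urlparse(obs.page_url)
    link = urlparse(obs.seal_link)

    if page.scheme != "https" or not page.hostname:
        return False, "page is not served over HTTPS"

    if link.scheme != "https" or link.hostname != authority:
        return False, "seal does not link to the seal authority over HTTPS"

    # Assumed URL layout for the authority: https://<authority>/verify/<seal id>
    seal_id = link.path.rstrip("/").rsplit("/", 1)[-1]
    entry = registry.get(seal_id)
    if entry is None:
        return False, f"seal id {seal_id!r} is unknown to the authority"
    if entry["status"] != "active":
        return False, f"seal {seal_id} is {entry['status']}"

    if page.hostname != entry["domain"]:
        return False, (f"seal {seal_id} was issued to {entry['domain']}, "
                       f"but this page is {page.hostname}")

    return True, f"seal {seal_id} is valid for {page.hostname}"


# Constructed observations: the legitimate case plus the ways a seal that is
# merely displayed, not verified, can mislead a visitor.
LEGITIMATE = SealObservation(
    "https://healthplanfinder.example/apply",
    "https://seals.aca-authority.example/verify/ACA-0001")
COPIED_SEAL = SealObservation(          # lookalike site copied the real seal link
    "https://healthplanfinder-enroll.example/apply",
    "https://seals.aca-authority.example/verify/ACA-0001")
SELF_HOSTED_SEAL = SealObservation(     # seal image that links back to the site itself
    "https://healthplanfinder-enroll.example/apply",
    "https://healthplanfinder-enroll.example/seal")
NO_TLS = SealObservation(
    "http://healthplanfinder.example/apply",
    "https://seals.aca-authority.example/verify/ACA-0001")
REVOKED = SealObservation(
    "https://retired-exchange.example/",
    "https://seals.aca-authority.example/verify/ACA-0003")

if __name__ == "__main__":
    for name, obs in [("legitimate", LEGITIMATE), ("copied seal", COPIED_SEAL),
                      ("self-hosted seal", SELF_HOSTED_SEAL), ("no TLS", NO_TLS),
                      ("revoked", REVOKED)]:
        ok, reason = verify_seal(obs)
        print(f"{name:16s} {'OK ' if ok else 'BAD'} {reason}")
```

Only the first observation passes. The "copied seal" case is the one the post warns about: the lookalike page carries a perfectly genuine seal link, and it is step 4, comparing the authority's registry entry with the domain in the address bar, that catches it. A real program would have the authority's registry page served over its own certificate rather than a dict, which is exactly the "BBB site also supports digital certificates" half of the chain the post describes.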

While understanding how to verify a seal is a hurdle, it can be done. Most people now understand to look for the “lock” before they buy something online. And with time, technology can evolve to help make this easier. The fact that this program has been used successfully by the BBB shows that it can work.

Implementing a program and education like this is not a small undertaking. But if there really is a “tech surge” under way, implementing a verifiable online seal program for ACA-related sites can be done. And when we look at the current environment of hundreds or even thousands of unverifiable sites asking for critical personal information, it’s clear that something needs to be done sooner rather than later.

  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.