On October 1, 2013, the U.S. Department of Health and Human Services green-lit the healthcare.gov website in order to serve Americans interested in and eligible for health insurance under the Affordable Care and Patient Protection Act. Flooded by hundreds of thousands of requests for enrollment, the site’s servers have consistently struggled to keep up with traffic, contradicting the Obama Administration’s claims that the ACA rollout would be technologically sound. To cope with demand, healthcare.gov now gives visitors the option to enroll by phone while the White House recruits developers and back-end engineers for a site overhaul.
Amid the long enrollee waiting times and the simultaneous fervor created by the federal government shutdown and standoff over the statutory debt ceiling, government observers and consumers alike may have overlooked the possible security red flags that have existed on the site since day one. Perhaps healthcare.gov’s designers stopped short of completely securing the portal due to tight deadlines or simply neglected to account for the traffic surge. Either way, the ACA site is a prime target for cybercriminals for several reasons:
- It requires the entry of personally identifiable information, including date of birth and Social Security number, making it a possible vehicle for identity theft if left unsecured
- Millions of users visit it on a regular basis, and traffic is likely to remain high throughout the open enrollment period that extends through March 31, 2014
- It will create potentially millions of new digitized health records that over the long term could become liabilities
The Obama Administration’s seriousness in regard to fixing website technical issues is a promising show of effort, but it may need to channel a similar level of energy into addressing any red flags. A fast and secure healthcare.gov would do more than just keep patients safe – it would provide a blueprint for how the healthcare sector can navigate the host of cybersecurity issues that confront it.
Healthcare.gov architecture mostly secure, but red flags persist
Like other government sites, healthcare.gov is supposed to comply with cybersecurity recommendations from the National Institute of Standards and Technology. Despite its beleaguered start, the website technically has not run afoul of the NIST’s guidance, and some cybersecurity experts have argued that its architecture is fundamentally secure, if not well implemented.
Speaking to USA Today, CDNetworks president Jeff Kim noted the security of healthcare.gov’s code while pointing out its possibly dangerous reliance on aging Web technologies.
“The application could be fundamentally flawed,” said Kim. “They may be using 1990s technology in a 2.0 world.”
Accordingly, visitors to healthcare.gov are not falling into a snakepit of proven risks so much as they are inviting cybercriminals to test the weak edges of the site while its handlers’ attentions are directed elsewhere.
As HHS and the White House work diligently to shore up performance, they may not have the option to completely re-architect the site, given the ongoing open enrollment and consistently high traffic. Using data from the discrete state-run ACA exchanges, The Associated Press estimated that at least 476,000 persons have completed ACA applications, while U.S. CTO Todd Park told USA Today that government officials had planned for only 50,000 to 60,000 simultaneous visitors, far fewer than the 250,000 who visited between Oct. 1 and Oct. 7.
Healthcare.gov could be high-profile target for all-access attacks, click-jacking
The federal ACA site may exhibit several red flags that, if unaddressed, could turn into vulnerabilities.
For example, a feature in the website header could permit an all-access request from other sites via cross-domain communication. Nidhi Shah, a member of HP’s Web Security Research Group, explained this tactic in a recent blog post.
“Failing to restrict cross-domain communication can allow a malicious site to send requests, including POST requests, to healthcare.gov on victim’s behalf and gain access to his health records, and possibly enough information to steal his identity,” wrote Shah. “Healthcare.gov should reconsider enablement of [cross-origin resource sharing] feature on this site.”
Currently, healthcare.gov uses a value of “*” in its header that allows any site to make a request to healthcare.gov and access any information returned in the response. Shah did not succeed in accessing authenticated areas of the site, although she explained that high site traffic, rather than airtight security, may have been the cause.
Other possible vulnerabilities include click-jacking, which is the practice of overlaying invisible webpage elements that redirect clicks to run malicious scripts, and cookie theft. In regard to the latter, healthcare.gov does not use secure flags to prevent cookies from being transmitted in plain text.
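A site operator can check for all three red flags described above (wildcard cross-origin header, missing framing protection, cookies without the Secure flag) by auditing the response headers. The following is an added example, not code from the article or from healthcare.gov; the function names, the sample responses and the origin portal.example.gov are constructed for illustration.

```python
# Added example: checks response headers for the three red flags in the text.
# WEAK and HARDENED are constructed samples, not captured from healthcare.gov;
# portal.example.gov is a placeholder origin.
WEAK = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Set-Cookie: session=abc123; Path=/
Set-Cookie: lang=en; Path=/; Secure
"""
HARDENED = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://portal.example.gov
Vary: Origin
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs, keeping repeated headers."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Hypothetical helper: list the red flags present in one response."""
    headers = parse_headers(raw)
    def values(name):
        return [v for k, v in headers if k == name]
    findings = []
    # 1. CORS: a "*" value means any origin may read the response.
    if "*" in values("access-control-allow-origin"):
        findings.append("cors-wildcard")
    # 2. Click-jacking: the page may be framed unless one of these is set.
    xfo = [v.upper() for v in values("x-frame-options")]
    csp = " ".join(values("content-security-policy")).lower()
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("frameable")
    # 3. Cookies without the Secure attribute can be sent over plain HTTP.
    for cookie in values("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie-no-secure:" + cookie.split("=", 1)[0].strip())
    return findings

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK))
    print("hardened:", audit_headers(HARDENED))
```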
Breach of Minnesota ACA exchange shows that risks are real
Some of the red flags on healthcare.gov may never become real issues, but cybersecurity professionals and government officials should take these weaknesses seriously. Although accidental, a recent breach of MNsure, Minnesota’s state-level ACA marketplace, indicates the risky atmosphere surrounding all ACA properties in cyberspace.
Citizens in all 50 states have access to similar online marketplaces that provide information and enrollment options related to ACA. In a piece for the StarTribune, Jackie Crosby examined the case of a Minnesota man who was seeking basic information about ACA from MNsure, but instead received an email containing thousands of names, Social Security details and license plate numbers. The man and MNsure quickly and safely resolved the issue, but the damage was already done.
“The more I thought about it, the more troubled I was,” the man, an insurance broker, told the newspaper. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”
Although isolated, the MNsure incident indicates the high stakes for securing digitized healthcare and insurance. The rollout of healthcare.gov is a watershed moment in healthcare delivery, and its technological viability is hardly a trifling matter. The Obama Administration wanted the website to be reliable in part to attract the healthy young individuals crucial to creating a varied pool of risk for insurance coverage. However, the site’s red flags must be addressed to achieve this goal, and ACA officials will have to be careful with the vast amounts of patient information that will come under their care. The technical issues and MNsure leak should serve as examples of what could go wrong if ACA implementation does not receive the cybersecurity attention that it deserves.