December 24, 2013
Attention Criminals: Hack Healthcare.gov not Target
Ethel C. Fenig
Hey criminal hackers, for criminal success hack healthcare.gov not Target.
Oh sure, the government health "marketplace" site doesn't contain handy, easy to use credit card numbers and other information embedded in the magnetic strip. However, it is much harder to hack Target's site than the notoriously insecure government site. And the latter contains much juicier, personal information than a credit card's.
And certainly Target and the credit card companies vet their employees while healthcare. gov uses ACORN workers or other "navigators" without any background checks to do the intake work. Also, as John Fund on National Review pointed out,
But at least Target informed its customers of the security breach, as it is required by federal law to do. HealthCare.gov faces no such requirement; it need never notify customers that their personal information has been hacked or possibly compromised. The Department of Health and Human Services was specifically asked to include a notification requirement in the rules it designed for the health-care exchanges, but HHS declined. (snip)
It's not as if the Obama administration wasn't notified of security concerns about its website. MITRE Corporation, an HHS contractor, alerted the agency that 19 unaddressed security vulnerabilities plagued the website before its launch on October 1. Last week, Teresa Fryer, the chief information-security officer for the Centers for Medicare and Medicaid Services (CMS), told the House Oversight Committee that she recommended that HealthCare.gov not launch on October 1 because of serious security concerns. "My evaluation of this was a high risk," she told the committee in a private interview. Tony Trenkle, the project manager for the website, declined along with Fryer to sign the Authority to Operate (ATO) license needed to launch the site, which is why it had to be signed by Marilyn Tavenner, the political appointee in charge of CMS. Trenkle retired on November 13 and has declined to talk with reporters. But Fryer said her own concerns about security remain unaddressed because there have been "two high findings of risk" -- the most serious warning level -- in tests conducted in just the past few weeks. A CMS spokesman says both problems have been resolved.
Few cyber-security experts I spoke with for this article have much confidence that the government will quickly or competently reveal any security breaches on HealthCare.gov.
According to Bruce Webster, a consultant who has advised companies for 40 years on IT issues, the administration's policy appears to be "security through obscurity," a largely discredited approach.
Already, credit card owners who merely think their information has been compromised are suing Target. The odds are much higher that this will happen with the healthcare.gov site but the victim won't even be aware of the breech.
Will some bronze plan health care purchaser sue the government over leaked information? What about someone who laid out major dollars for a gold plan? Can they even do it? Suing Obamacare? Isn't that...racist?
But don't worry, be happy. El Dictator Presidente just made his 15th on the fly change to the (Un)Affordable Care Act, Obamacare; extending the sign up deadline till today. But maybe by the time you read this it will have changed again.