WASHINGTON—Cyber security experts stated on Tuesday that HealthCare.gov should be temporarily shut down in anticipation of ongoing cyber security concerns.
A month and a half after its launch, it is suspected that the site has already been hacked up to 16 times. This is concerning in light of the fact that users are required to submit sensitive information when registering an account with HealthCare.gov, including birthdates and Social Security numbers.
According to David Kennedy, founder of TrustedSec, a number of factors have contributed to the site’s recent problems and security breaches.
One of the chief issues is the hasty fashion in which the site was built. About a month prior to launch, the web designers of HealthCare.gov coded a change that prevented users without an account from comparing different insurance plans. But after this change was made, federal officials failed to follow up and test the updated website. In fact, placeholder language commonly used by web designers could still be found in the site’s code well after its official launch.
That time was not taken out to properly test HealthCare.gov is especially glaring in light of another contributing factor: the website’s complexity. With 500 million lines of computer code, HealthCare.gov is several times more complex than Windows and Facebook combined. In this case, a longer code equates to more numerous and difficult-to-find vulnerabilities.
Lastly, compounding the website’s design flaws is its inability to handle a high volume of traffic. It has been observed that HealthCare.gov receives 500,000 visitors a day with 20,000 to 30,000 users accessing it at one time. This traffic means that the site is currently operating at half-capacity. Even so, HealthCare.gov continues to operate slowly and send users false information.
Federal officials are optimistic that they can fix the website and have it accessible to most users by November 30th. But cyber security experts disagree. Kennedy and others feel that the site’s code is too long to patch all of the flaws before then. According to their estimates, it could take as much as a year to work out all of the site’s kinks.
In the meantime, two significant lessons are already apparent. First, when designing a website whose code is millions of lines long, it is important to adequately test the site prior to launch. That is cyber security common sense, especially in regards to federal websites that collect millions of people’s personal information.
Second, federal officials need to listen better to the information security community. As early as April of this year, outside information consultants warned the White House and the Department of Homeland Security that HealthCare.gov had a number of flaws and, if unfixed, could pose serious security flaws on its October 1st launch. Clearly, the problems we are seeing could have easily been avoided.
To prevent future cyber security nightmares, the government would be wise to collaborate with the information security community and heed its opinions.
David Bisson | @DMBisson
Area of Expertise:
David specializes in cyber security as it relates to U.S. national security and to American military and strategic culture.
Professional Biography:
David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation. He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern. Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.
Previous blog: Cyber Security Lessons in the Wake of Project MUSCULAR
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.