Friday, February 7, 2014

Outgoing Congressional Staffer Warns On Security Issues Surrounding Healthcare.gov

Adam de Angeli is leaving Congressman Kerry Bentivolio's office. EPJ has obtained an email he sent out to friends discussing his decision to leave. The email contained significant commentary and warning about the web site Healthcare.gov. That part of his email is reproduced below:
With Healthcare dot gov, you have the government supervising the most colossal security failure imaginable, easy for any and every software engineer--let alone security expert--to discern.  And still this is categorically denied by everyone at the Center for Medicare and Medicaid Services that developed the website.

Funny, isn't it, that when it comes to protecting our privacy and security, the government is completely incompetent, yet when it comes to controlling and diminishing our lives, the government couldn't be more competent.

The entire issue is a home run for conservatives.  Here we have the undeniable fact that the Obamacare website is almost completely insecure, jeopardizing the personal information of every user.  Expert consensus is growing.

More ominously, the website threatens the security of every federal, state, and private system it connects with, and every security expert weighing in (outside those working for the Administration or dependent on it) agrees that this is a real concern. Unfortunately, only insiders can determine for certain what is really going on, but we have every reason to suspect the worst.

The worst case is that the medical records of every American can be stolen by hackers.

I asked a security expert, one who actually supports Obamacare in concept, whether it was hyperbolic to call this a national emergency. 

Her response:

No, I don't. Between the known weaknesses of healthcare dot gov, the known weaknesses of the rest of the healthcare industry (as evidenced by the recent CMS audits), and the unknown security of the HIE interfaces, I think that it is absolutely an emergency.

The healthcare industry as a whole does not take security seriously and healthcare dot gov, the worst example of all, is actually exempt from HIPAA, as an extension of CMS. It was poorly implemented at exorbitant cost to taxpayers and we're stuck with the bill of the cleanup, or worse – the cleanup costs of the inevitable breach.

Your data, my data, everyone's data – it's all out there. The letters and credit monitoring services given when a breach has occurred are going to be worthless when it's the entire nation.

The only responsible reaction is to take the website off-line and fix it.  (Actually, it would probably be easier to start over.) 

But that would be the political death of the President, so that will not happen.[...]

In the meantime, though, Republicans can freely beat the daylights out of the President and his loyal party for their delusional ignorance of what is actually going on at this website.  There will be no shortage of news stories in the coming months as the public realizes what is happening. 

4 comments:

  1. JW says that anyone who believes any of this probably also believes the earth is 6000 years old.

  2. As a Fortune 100 information security consultant, let me say that it is even worse than most could imagine, and you would be crazy to put a single shred of your information in a single field on Healthcare.gov.

    Where this article is wrong, that is worth calling out, is the quote regarding 'letters and credit monitoring services when a breach has occurred'... that's blatantly false and laughable. Breach reporting laws are passed by govt. onto the PRIVATE sector, not the public sector. Just as the person quoted rightfully understands the public sector doesn't have to comply with HIPAA, which was aimed at making sure the private healthcare sector protected your data (still hasn't made a difference btw), the govt. also doesn't have to comply with their own breach notification laws. And there is NO law that states that anyone has to provide credit monitoring services after a breach; this is always done to prevent any class action lawsuits and manage financial losses after the fact.

    Add to this the recent GAO report showing that government cybersecurity controls are much worse than almost any private company imaginable and you have a perfect storm: a govt. that can legally compel you to provide them your intimate and private personal, medical (PII), and financial data, is immune to any laws or compliance regulation that they have passed and supposedly enforce, and has sovereign immunity to any lawsuits for the violations of your privacy or any damage to you due to mishandling of your information through their sheer incompetence.

  3. The healthcare.gov website doesn't store anyone's medical information. As usual, the republican lie machine is making up lies about the ACA because the actual problems with it are too complicated for their followers to grasp, and could actually be fixed with a little work.

  4. Well, IF the public realized what's happening. So many people are so completely stupid anymore that they probably wouldn't notice the sun at high noon unless someone pointed it out to them.
