A Short Briefing on the Security Vulnerabilities of healthcare.gov
One thing is for certain: I would never put my family’s information on healthcare.gov’s site; it is not safe or secure. Not even close. Target is known for having the highest cyber and other security in the entire retail industry. Given the sophistication needed to breach Target, there is simply no possible way that healthcare.gov has not already been breached, and the sensitive data of Americans who are trying to comply with the law has not already been pilfered.
Healthcare.gov is one of the highest priority hacking targets, because it contains income, work history, health history, addresses, social security numbers and birth dates for entire families. It is also the gateway into very high priority databases of bio information for all Americans housed at IRS, Department of Homeland Security and Treasury.
If you have been paying attention to the findings of the House Oversight Committee on cybersecurity and healthcare.gov, you should be very concerned if you’ve signed up. It is also likely among the top reasons (along with price and plan design) that many who have been paying attention have not signed up.
Just the fact that the government granted itself a security waiver to launch the site, and that the security officer did not sign off on the site as being secure, then after the site went live, the same officer resigned, ought to be clues enough.
In fact, the greatest protection Americans have had is the fact the site has not been working, so they simply have not been able to put their data into the site.
There is no obligation, in case you are wondering, for the government to publicly acknowledge the breach or contact those who have had their information compromised. The US government is exempt from this law. Congresswoman Diane Black is trying to change that, but it’s a bill, not a law.
CBS NEWS did some key reporting yesterday, which, in the Duck U blitz, has not really been understood.
The site went live with known security vulnerabilities, and there have been breaches so serious that they had to shut down one of the most vulnerable parts of healthcare.gov, and they have not been able to bring it live.
From the CBS NEWS story:
In another security bombshell, Fryer told congressional interviewers that she explicitly recommended denial of the website’s Authority to Operate (ATO), but was overruled by her superiors. The website was rolled out amid warnings Fryer said she gave both verbally and in a briefing that disclosed “high risks” and possible exposure to “attacks”.
Fryer also said that she refused to put her name on a letter recommending a temporary ATO be granted for six months while the issues were sorted out.
“My recommendation was a denial of ATO,” Fryer told Democrats and Republicans who sat in on the day-long interview. According to Fryer, she first recommended denying the ATO to CMS chief information officer Tony Trenkle based on the many outstanding security concerns after pre-launch testing.
“I had discussions with him on this and told him that my evaluation of this was a high risk,” Fryer told the committee. Trenkle retired from his CMS job on Nov. 13. He has not responded to CBS News interview requests.