# Obamacare site security: worse than we thought?
**Posted by Phineas**
I told you there was never “just one roach.” Just two days after learning of at least one easy hack to access private data at healthcare.gov and just one day after HHS Secretary Kathleen Sebelius swore up and down that site security was her department’s top priority, we have the former head of the Social Security Administration telling us the administration deliberately broke privacy laws to rush the site out by October 1st:
In an interview with NBC News, a former top government official raised his own questions about the site’s security, and about healthcare.gov’s privacy protections. Michael Astrue, the Bush appointee who served as head of the Social Security Administration from 2007 until early this year, said that the Obama administration exempted the website from many federal privacy protections, potentially making the personal data on healthcare.gov accessible to a range of government and private entities, from the Department of Homeland Security to credit agencies.
“There were shortcuts taken on the information technology,” said Astrue, “and there were shortcuts taken in terms of adherence to the laws that protect our rights.”
According to Astrue, concerns about privacy protections were the subject of debate within the administration before launch. But Astrue said that his warnings that the site’s design should not contravene the Federal Privacy Act were ignored. “I was extremely upset,” said Astrue. “First of all they were violating the statute. Second, there would be real world consequences for Americans.”
Three weeks after healthcare.gov launched, administration officials granted 13 exemptions to the Privacy Act, permitting sensitive personal data entered into healthcare.gov and the state health insurance exchanges to be shared with agency contractors, consultants, the Department of Homeland Security, state and local governments, employers and family members. The exemptions are displayed in fine print on healthcare.gov.
“Don’t worry,” the administration might say. “The people handling this data will only access it at need and would never, ever abuse it. I pinky swear!” Well, after revelations about the IRS leaking confidential tax returns and NSA employees spying on ex-spouses and lovers, let’s just say I don’t have much confidence in this “official promise”:
In a statement, a spokesperson for the Department of Health and Human Services told NBC News, “When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”
But let’s assume for the moment that all these people at all levels, federal, state, and private, are honorable and would never misuse their privileges. There’s still the very big question of technological security itself. We now know the prime contractor, CGI Federal, told the government last summer that it was very concerned about the lack of adequate security testing. The government itself was worried about a “high security risk.” And we know that obtaining user information during the system’s first three weeks of operation was frighteningly easy. Just how secure are all these various computer systems at all these myriad levels? And what about the pipes and hubs through which the data has to flow? How about software bugs no one knows of yet, maybe introduced by the very fixes HHS is working on?
And what about the thousands of users themselves? How many of them, not malicious but still careless, are using easy-to-crack passwords? Their child’s first name? Their birthdate? Their driver’s license number? As Congressman Mike Rogers (R-MI) told Sebelius:
“You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk,…”
This structure has a million potential holes in it, just waiting for data thieves to strike, and Astrue’s description of the administration’s cavalier attitude toward security turns this from a worry to a disaster in the making.
PS: I don’t know about you, but I’m stunned that it’s NBC reporting this.
(Crossposted at Public Secrets)