HealthCareDotGov insecurity

In response to Security Analysis: State Health Exchanges May Not Be Secure:

I’ve seen reports that at least one Denial-of-Service program targeting ObamaCare has turned up on hacker sites, although no evidence that anyone has tried using it yet.  There have been a lot of chilling descriptions of HealthCareDotGov as a hacker’s paradise, including from the founder of McAfee Antivirus, who is an odd duck, but knows what he’s talking about when it comes to Internet security.

It’s important to remember that security isn’t quite the same thing as the slipshod programming that has been passing around personal data to the wrong people here and there.  There was also an early instance in which the crack team of data managers at Health and Human Services sent a file full of confidential personal data to an ObamaCare navigator, who was fortunately a conscientious fellow, and reported it post-haste.  Their data security response amounted to telling the guy to delete the file and empty his desktop recycle bin.  I say it’s “fortunate” that he was a good guy, because the standards for ObamaCare navigators are famously lax, so the next “oopsie” might send confidential data to anyone from a left-wing political activist to a convicted felon.

Actual security issues – defenses of system integrity against organized hacker attacks – are far more difficult to deal with than crapware written by Obama cronies that occasionally barfs up hairballs of inappropriate data to unsuspecting users.  Real security is much trickier to implement and test.  HealthCareDotGov never got anywhere near the right kind of security testing, and it almost certainly isn’t going to get it now – it would take months.  And you can’t really perform a solid security test on a system that is still being frantically rewritten.  The most recent status update for reporters from CMS delivered the mournful news that their “punch list” of problems is growing, because now that the silly nonsense on the front end is getting cleared up, people can get further into the process and discover all the buried bugs.  ObamaCare was launched before its beta testers could get far enough into the junk system to find that stuff.

The guy who was supposed to sign off on system security refused to do so… or, depending on the behind-the-scenes antics of this utterly opaque Administration, he was permitted to withhold his signature to salvage his reputation.  He just tendered his resignation yesterday.  That’s not a good sign.

What I see coming is a “relaunch” – sometime around the target date of December 1, although there have lately been signs the Administration wants to move it back a bit – that will dramatically improve the number of people who can get further into the system than superficial account creation, even if it’s still not really “working” according to its original promises.  But system security will remain incredibly lax, and the Administration won’t care, because bad security can be politically hidden until a breach occurs.  Hackers probably aren’t too interested yet because so few people are depositing anything useful in the system.  When that changes, the breach will come.