You’ve probably heard that President Obama signed up for Affordable Care Act (a.k.a. ObamaCare) health care. Well, sort of. He won’t actually be using it because he already receives dandy federal government coverage, as well he should. And as would be expected, he didn’t actually sign up himself because some staff did that for him, Nor in doing so, did they use the HealthCare.gov website. Even if they had somehow managed to get through, his Social Security number and income information wouldn’t have been found. Reportedly, as president that would have presented a national security problem.
But don’t you have to sort of wonder why, with the website being so secure and all, they would have to worry about that? Okay, maybe they just have to be extra careful so that someone won’t steal his identity and run up his credit card accounts.
Apparently lots of other people do worry about that sort of thing. According to a November IBD/TIPP poll, 78% of those who responded expressed concern about ObamaCare exchange website security, and 53% said they were “very concerned.” Investor’s Business Daily reported that security concern was shared across party lines, with 69% of Democrats agreeing. Fears were greatest at 82% among those aged 18-24, the group most desperately needed on-board to disproportionately pay the freight on older, sicker subscribers.
Four tech security experts who testified before a November hearing of the House Science, Space and Technology Committee agreed that such concerns are warranted, putting millions of website users at risk. Asked by Representative Chris Collins (R-NY) “Do you think today that the site is secure?” they all answered “No”.
When Collins queried as a follow-up “Would you recommend today that this site be shut down until it is?” three of the experts answered “Yes”. The fourth, Avi Rubin who directs the Information Security Institute at John Hopkins University said he did not have enough information to make the call. Rubin told Reuters reporters after the hearing that “Bringing down the site is a very drastic response.” Yet he also said that he wouldn’t use it out of concern about security bugs that have not been made public.
Morgan Wright, CEO of Crowd Sourced Investigations, explained that HealthCare.gov contained more than 500 million lines of code — more than 25 times as much as Facebook, one of the world’s busiest sites. Wright emphasized “When your code base is that large it’s going to be indefensible.” He also warned that there was no “clearly defined and qualified security lead” at the site, pointing out that this was “inconsistent with accepted practices.”
Another witness, David Kennedy, a former U.S. Marine Corps cyber intelligence analyst who heads the computer security consulting firm TrustedSec LLC, provided lawmakers with a 17-page report highlighting website problems. Kennedy said in written testimony that it would take a minimum of seven to 12 months to fix the problems… and that’s with the site shut down given its complexity and size.
House science panel chair Representative Lamar Smith (R-TX) said: “The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure… Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals.” The website collects personal data such as names, birth dates, Social Security numbers, email addresses and other information that criminals could use for a variety of scams.
Following the hearing, White House spokesman Jay Carney said: “The privacy and security of consumers’ personal information are a top priority…When consumers fill out their online marketplace applications they can trust that the information that they are providing is protected by stringent security standards.”
A government memorandum issued by two HHS officials which had surfaced only one month earlier reported that site created “a high risk” due to incomplete security tests. HHS spokeswoman Joanne Peters stated later that steps were subsequently undertaken to ease such concerns. One involved fixing a security bug in a password reset function.
Henry Chao, HealthCare.gov’s chief project manager at the Centers for Medicare and Medicaid Services (CMS) said he was unaware of the Sept. 3 memo’s warning that “the threat and risk potential [to the system] is limitless.” The memo presented deadlines of mid-2014 and early 2015 to address two high-risk issues. Instead, Chao testified to the House Oversight and Government Reform Committee that he had been told the opposite. He said “What I recall is what the team told me, is that there were no high findings.”
In a Sept. 27 memo he and another official sent to CMS management, Chao recommended that it was safe to launch the website on Oct. 1 even though security testing was “only partly completed.” He testified that it was “disturbing” he hadn’t been told about security risks, and was “surprised” when shown the Sept. 3 memo.
The final decision by CMS Administrator Marilyn Travenner to proceed with the website launch despite inadequate security testing and known glitches drew strong criticism by committee chairman Darrell Issa (R-CA). He said “This wasn’t a small mistake, this wasn’t a scaling mistake, this was a monumental mistake to go live and effectively explode on the launchpad. Efforts were taken to cut corners to meet political deadlines in the end.”
Remarkably, unlike private and state insurance exchanges, the federal government is not required to report website security breaches. In other words, Americans who buy health insurance through the HealthCare.gov exchange website could have their personal information stolen long before they find out. Although HHS was asked to include a notification provision in the rules drawn up to establish the new federal exchange, it refused to do so.
Devon McGraw, director of the Health Privacy Project at the Center for Democracy and Technology believes that “The notification requirement is a very important part of overall security.” Accordingly, “People should be told when their information is at-risk.”
Bending even farther in the opposite direction, it seems that the HealthCare.gov website coding makes no pretense of ensuring user security. Appearing before the House Energy and Commerce Committee, Cheryl Campbell, a senior vice president of CGI Federal Inc which built the website admitted that it contains a hidden source code which says applicants have “no reasonable expectation of privacy.” When Representative Joe Barton (R-TX) showed her an image of that coded warning she confirmed knowledge that it was there.
And just how remote is such a risk? In April of 2012 the Utah Department of Health (UDH) reported that Medicaid hackers stole about 500,000 personal records including 280,000 compromised SSNs. The culprits accessed approximately 24,000 claim files from the Utah Department of Technology Services, each potentially containing information on hundreds of individuals.
The good news in this case, if there really is any, is that being a state agency, UDH immediately notified the public of the breach. All Medicaid clients were warned that they might be a victim if they had been in contact with health care providers within four months and were advised to monitor credit cards and bank accounts for suspicious activity.
Speaking of suspicious activity, what about growing public distrust of Big Government? IRS targeting of conservative and religious organizations deemed unfriendly to the Obama administration and liberal causes in general have done little to bolster confidence. Nor have secret Department of Justice subpoenaing of personal phone records of Fox News reporter James Rosen on a trumped-up information leak charge; or spying upon Associated Press journalists.
There’s also the matter of concern surrounding metadata collection of communication patterns involving millions of American citizens by the NSA. Its director James Clapper falsely testified “No” when asked during a House Judiciary Committee meeting if his organization had collected “any type of data at all on millions of Americans.”
Susan Rice then told CBS “60 Minutes” correspondent Lesley Stahl that this and other statements about NSA programs were merely “inadvertent false representations.” This is the very same Susan Rice who repeatedly made false representations attributing the deadly Sept. 11 attack on our Benghazi embassy to spontaneous violence fueled by an obscure video.
Finally, let’s recall those serial promises that sold ObamaCare in the first place. Remember the ones about everyone being able to keep their present insurance plans, doctors and hospitals…Period? Many millions who believed that are now finding out differently. PolitiFacts honored those fabrications with their “Lie of the Year” award.
Yes, HealthCare.gov website integrity has lots of people worried. But perhaps even more troubling is what will happen if and when those problems are ultimately fixed. With government in charge, will that really make you feel more secure?
— Larry Bell
This article originally appeared here on Forbes.com.