Healthcare.gov insecure!

Published November 21st, 2013 at 1:04 PM EST, modified November 21st, 2013 at 1:04 PM EST

This is not a Mac-specific issue, but it’s important. The now-infamous Healthcare.gov website has more problems up its sleeve. Notably, it is shockingly insecure, and data that has been entered there may not be safe. I strongly advise people to exercise extreme caution with the site, and would highly recommend not using it at all, until some unknown time in the future when the problems have been fixed.

Before proceeding any further, I feel that it is important to reveal my biases. I feel very strongly that the Affordable Care Act is poorly thought out and destined to be a drawn-out, expensive and messy failure. Since this blog is not a political platform, I prefer not to discuss such things here. However, this is a topic rooted in politics, and thus it’s only fair to the reader to admit to my thoughts on the matter.

If this bias means that you cannot trust the objectivity of this article, I fully understand. In that case, I would recommend that you see the additional news sources at the end of this article. If nothing else, at least read the Congressional report prepared by David Kennedy, CEO of TrustedSec, who was one of several security professionals tasked with evaluating the security of the site. That report can be found here:

https://www.trustedsec.com/files/CONGRESS_Hearing_HealthCareSEC_FINAL_v1.1.pdf

In a nutshell, the document describes a number of distinct security issues with the site: disclosure of personal information (some of it findable with nothing more than a simple Google search), open-redirect weaknesses that could be used to make phishing links look like they lead to the real site, vulnerabilities that could allow an attacker to read or modify data in the site’s databases, and vulnerabilities that could allow an attacker to upload malicious content to the site or load malicious content within one of its pages. Basic hardening of the login interface has been neglected to the point that valid user names can be enumerated trivially by brute force, after which each of those accounts can be attacked by brute-forcing its password.
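Two of the weakness classes in that summary, user-name enumeration and open redirects, are easy to show in a few lines. The Python below is an added example written for this post; it is not code from Healthcare.gov or from the TrustedSec report, and the account names, passwords, the host name www.example.gov and every handler function in it are constructed for illustration. It shows a login handler whose error messages act as an enumeration oracle, the uniform-response version that closes the hole, the probe a tester would run against either, and a redirect-target check of the kind that stops a redirect parameter from being abused in phishing links.

```python
"""Constructed demo: user-name enumeration via login error messages, and an
open-redirect check. Hypothetical handlers for illustration only; none of this
is Healthcare.gov code or material from the TrustedSec report."""
import hashlib
import hmac
from urllib.parse import urlparse

# sha256 keeps the demo fast; a real deployment stores passwords with a slow,
# salted KDF (PBKDF2, bcrypt, scrypt or Argon2) instead.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


# Constructed account table (hypothetical users and passwords).
ACCOUNTS = {
    "alice": _hash("correct horse"),
    "bob": _hash("battery staple"),
}
# Compared against whenever the user does not exist, so the work done (and
# hence the response time) is the same for known and unknown names.
_DUMMY_HASH = _hash("not-a-real-password")


def login_leaky(username: str, password: str):
    """Vulnerable: two different failure messages reveal whether the name exists."""
    if username not in ACCOUNTS:
        return False, "No account with that username"
    if not hmac.compare_digest(ACCOUNTS[username], _hash(password)):
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username: str, password: str):
    """Hardened: one failure message and one code path whether or not the name
    exists; the hash is computed before the membership check so an unknown
    name does not come back measurably faster."""
    attempt = _hash(password)
    stored = ACCOUNTS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, attempt) and username in ACCOUNTS
    return ok, ("Welcome" if ok else "Incorrect username or password")


def enumerate_usernames(login, candidates, probe_password="x"):
    """Tester/attacker side: try each candidate with a junk password and bucket
    the candidates by the message returned. Returns {message: [names]}."""
    buckets = {}
    for name in candidates:
        _, message = login(name, probe_password)
        buckets.setdefault(message, []).append(name)
    return buckets


def is_enumeration_oracle(login, candidates) -> bool:
    """True when failed logins produce more than one distinct message, i.e.
    the endpoint lets an attacker separate real accounts from guesses."""
    return len(enumerate_usernames(login, candidates)) > 1


def is_safe_redirect(target: str, allowed_host: str = "www.example.gov") -> bool:
    """Server side: accept a post-login redirect target only if it is a
    same-site path or an https URL on allowed_host (hypothetical host).
    Rejects scheme-relative //evil.example, userinfo tricks (host@evil),
    backslashes that browsers treat as slashes, and non-https schemes."""
    if not target or "\\" in target:
        return False
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.netloc.lower() == allowed_host


CANDIDATES = ["admin", "alice", "bob", "carol"]  # constructed wordlist

if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, enumerate_usernames(handler, CANDIDATES),
              "oracle" if is_enumeration_oracle(handler, CANDIDATES) else "no oracle")
    for url in ("/account/home", "//evil.example/", "https://www.example.gov/x",
                "https://www.example.gov@evil.example/", "javascript:alert(1)"):
        print(url, is_safe_redirect(url))
```

Run against the leaky handler, the probe sorts the wordlist into two buckets and the "Incorrect password" bucket is exactly the list of real accounts; against the uniform handler every candidate lands in one bucket and the tester learns nothing. The same probe, pointed at a registration or password-reset endpoint, finds the same oracle when those forms say "that user name is taken" or "no such account".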

These are very serious problems. They could let attackers take over accounts or reach user data directly through the vulnerabilities, and they make phishing scams much more believable. More frightening still are the critical vulnerabilities the report mentions but could not responsibly disclose. Given the seriousness of what was exposed, the imagination goes to a very dark place when contemplating what was too bad to publish!

For these reasons, I strongly advise not creating an account on the Healthcare.gov site for a while. How long it will be until the site is safe is hard to say, but it could be a very long time, from what the conclusion of Kennedy’s report implies. In the meantime, if you need to access these services, use one of the alternate methods listed in the Healthcare.gov Contact Us page, such as a simple phone call to one of the provided 1-800 numbers.

If you already have an account with personal information on the site, I honestly don’t know what to tell you. I have not used the site, as my current health plan is still good under the ACA, so I don’t know whether it is possible to remove personal information or delete an account, and what effects that may have on your health insurance. I would recommend that you contact someone through one of the methods at the HealthCare.gov Contact Us page. Express your concerns and ask about your options for removal of personal information from the site.

Additional information

http://nakedsecurity.sophos.com/2013/11/21/security-pros-if-healthcare-gov-hasnt-been-hacked-already-it-will-be-soon/

http://www.foxnews.com/tech/2013/11/19/healthcaregov-already-compromised-security-expert-says/

http://www.networkworld.com/news/2013/111913-security-panel-to-congress-healthcaregov-276133.html

http://abcnews.go.com/blogs/politics/2013/11/security-experts-warn-healthcare-gov-is-vulnerable-to-hacking/

http://www.pcworld.com/article/2063220/lawmakers-healthcaregov-security-warnings-came-before-launch.html

6 Comments

  • Gabrielle Shakespeare says:

    Don’t believe it. He’s going to kill that bird, and blame Bush.

  • Tim says:

    That you list Fox News as a source tells us all we need to know about YOUR political bias, Thomas. And I thought your site was reliable all this time.

    • Thomas says:

      Did I not admit to my political bias? That does not change the facts as outlined in David Kennedy’s findings. Further, note that my political views do not change the fact that we have to deal with this system now, and I provided information on safe ways to do so. If you feel that the security issues with the Healthcare.gov site do not exist… well, that’s not supported by the evidence, but you’re welcome to your opinion, and I cannot change that.

      • Tim says:

        David Kennedy has been a constant talking head on Fox and Friends on this issue which makes his credibility next to nothing and he heads his own security firm which no doubt means he has his own agenda. Please send YOUR resume to the White House, Thomas!

        • Thomas says:

          Some of the things in his report can be easily verified without fear of prosecution as a hacker, and I have done so. Anyone else who knows how could do the same. I have found nothing in that report that appears to be false. On the other hand, all you’ve done is accuse all parties involved here of bias, as if that is a fact that proves your point.

          If you wish to discuss the details of the vulnerabilities in question, I welcome the debate. Beyond that, I’m afraid that I’m going to have to prohibit any further political commentary. This is not the place for a political discussion.
