November 7, 2013
Security Concerns with Healthcare.gov Website
The Healthcare.gov website has been encountering technical difficulties since its launch. Many visitors found the site slow and sluggish; some were greeted with a blank screen, some received error messages or misleading answers from call center representatives, and some even had their personal data exposed. On top of these technical glitches, a security issue with the website was revealed recently. The flaw was discovered by Arizona-based software tester Ben Simo. According to Simo’s research, gaining access to user accounts by exploiting the site’s security loopholes was extremely simple. He first found a flaw in the site’s password reset function that let anyone reset your Healthcare.gov password without your knowledge and potentially hijack your account. Beyond that, he listed several other ways your sensitive information (birth date, Social Security number and estimated income range) could have been compromised. An attacker could have accessed your personal information by:
- Guessing an existing user name, which the website would confirm exists (user enumeration).
- Claiming to have forgotten the password, at which point the site reset it without any proof that the requester owned the account.
- Viewing the page source in any browser (client-side code is never hidden from the user) to find the password reset code the site had embedded in it.
- Plugging in the user name and reset code, at which point the website displayed the account owner’s three security questions (your oldest niece’s first name, the name of your favorite pet, the date of your wedding anniversary, etc.).
- Answering the security questions wrong, at which point the website still disclosed the account owner’s email address, again in clear text.
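The chain above, simulated in Python as an added example (this is not Healthcare.gov code nor Simo’s; the account, its questions and answers, and the page markup are constructed): a reset flow with the five flaws beside a hardened one that gives an attacker nothing at any step, and an attacker routine that drives both with nothing but the user name.

```python
"""The account-takeover chain simulated: a reset flow with the flaws described
above beside a hardened one. Added illustration with a constructed account;
not Healthcare.gov code."""
import hashlib
import hmac
import re
import secrets

# Constructed sample account (hypothetical data).
ACCOUNTS = {
    "jdoe": {
        "email": "jdoe@example.com",
        "questions": ["Oldest niece's first name?", "Favorite pet's name?",
                      "Wedding anniversary (YYYY-MM-DD)?"],
        "answers": ["alice", "rex", "1999-06-12"],   # stored lower-case
    }
}


class VulnerableReset:
    """Every step tells the caller something, and nothing proves ownership."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.reset_codes = {}

    def check_username(self, username):
        # Flaw 1: confirms whether an account exists (user enumeration).
        return {"exists": username in self.accounts}

    def forgot_password(self, username):
        if username not in self.accounts:
            return {"html": "<p>Unknown user</p>"}
        # Flaw 2: the account is put into reset with no proof of ownership,
        # and the code is predictable (derived from the username).
        code = hashlib.md5(username.encode()).hexdigest()[:8]
        self.reset_codes[username] = code
        # Flaw 3: the code is written into page source that anyone can read.
        return {"html": f"<input type='hidden' name='code' value='{code}'>"}

    def get_questions(self, username, code):
        # Flaw 4: a valid code alone reveals the three security questions.
        if self.reset_codes.get(username) == code:
            return self.accounts[username]["questions"]
        return None

    def answer_questions(self, username, code, answers):
        if self.reset_codes.get(username) != code:
            return {"ok": False}
        if [a.lower() for a in answers] == self.accounts[username]["answers"]:
            return {"ok": True}
        # Flaw 5: a wrong answer still discloses the owner's email address.
        return {"ok": False, "email": self.accounts[username]["email"]}


class HardenedReset:
    """Same endpoints: uniform responses, an unguessable single-use token sent
    out of band, nothing disclosed until the token (and answers) are proven."""

    UNIFORM = {"message": "If that account exists, a reset link has been emailed."}

    def __init__(self, accounts):
        self.accounts = accounts
        self.token_hashes = {}
        self.outbox = []                      # stands in for the e-mail channel

    def check_username(self, username):
        return self.UNIFORM                   # no enumeration

    def forgot_password(self, username):
        if username in self.accounts:
            token = secrets.token_urlsafe(32)
            self.token_hashes[username] = hashlib.sha256(token.encode()).hexdigest()
            self.outbox.append((self.accounts[username]["email"], token))
        return self.UNIFORM                   # same reply either way; token never in the page

    def _token_ok(self, username, token):
        expected = self.token_hashes.get(username)
        given = hashlib.sha256((token or "").encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, given)

    def get_questions(self, username, token):
        return self.accounts[username]["questions"] if self._token_ok(username, token) else None

    def answer_questions(self, username, token, answers):
        if not self._token_ok(username, token):
            return {"ok": False}
        stored = self.accounts[username]["answers"]
        ok = len(answers) == len(stored) and all(
            hmac.compare_digest(a.strip().lower(), s) for a, s in zip(answers, stored))
        if ok:
            del self.token_hashes[username]   # single use
        return {"ok": ok}                     # failure leaks nothing


def extract_hidden_code(page):
    """Step 3 from the attacker's side: read the reset code out of the page source."""
    match = re.search(r"name='code' value='([^']+)'", page.get("html", ""))
    return match.group(1) if match else None


def attacker_takeover(service, username):
    """What someone who knows only the username can learn or do."""
    found = {"exists": None, "reset_code": None, "questions": None, "email": None}
    found["exists"] = service.check_username(username).get("exists")
    code = extract_hidden_code(service.forgot_password(username))
    found["reset_code"] = code
    if code:
        found["questions"] = service.get_questions(username, code)
        found["email"] = service.answer_questions(username, code, ["?", "?", "?"]).get("email")
    return found


if __name__ == "__main__":
    print("vulnerable:", attacker_takeover(VulnerableReset(ACCOUNTS), "jdoe"))
    print("hardened:  ", attacker_takeover(HardenedReset(ACCOUNTS), "jdoe"))
```

Against the vulnerable service the attacker ends up holding the reset code, all three questions and the victim’s email address; against the hardened one every response is identical whether or not the account exists, the token only ever travels to the account’s own mailbox, and a wrong answer returns nothing but failure. Rate limiting on the reset and answer endpoints would be the remaining piece in a real deployment.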
Anyone with basic knowledge of how websites work could have carried out such an attack and compromised your personal and healthcare information. Simo also found flaws in the code used to integrate the site: personally identifiable information was embedded both in the web addresses sent to users to reset their passwords and in data sent to third-party sites not directly involved in the health insurance certification process. Sending that data over an encrypted connection protects it from interception in transit, but a URL that carries personal data is still recorded in browser history and in server and proxy logs, and is routinely forwarded to those third-party sites in the Referer header, so the website’s users remained exposed.
Some security researchers say the website is also vulnerable to a technique called “clickjacking”, in which an attacker loads a legitimate site inside an invisible frame on a page they control, so that clicks and keystrokes the victim believes are going to the visible decoy page actually land on the hidden legitimate site. According to the researchers, Healthcare.gov, the portal to which consumers in 35 states are directed to obtain affordable health coverage, has a coding problem that could allow clickjacking; the technique only works if the site lets itself be loaded inside another site’s frame. An attacker could trick users into handing over their personal data as they enter it into the website, leaving them vulnerable to identity theft or allowing fraudsters to file health care claims. The standard defence is for the site to refuse to be framed, using the X-Frame-Options response header or the frame-ancestors directive of a Content-Security-Policy header. As mentioned earlier, the website uses Secure Sockets Layer (SSL) encryption, which prevents attackers from intercepting data in transmission, but SSL does nothing to prevent clickjacking. However, the 15 states running their own independent Obamacare websites have no explicit instruction from HHS (the Department of Health and Human Services) to use SSL; each is individually responsible for developing its own standards to protect the privacy and security of consumers’ personal information.
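As an added illustration (not code from the original post or from Healthcare.gov), the following Python decides from a response’s headers whether another origin may frame the page, the way a browser does: a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options, and a page with neither is frameable by anyone. The sample responses and origins are constructed; ports are compared only when the policy names one.

```python
"""Clickjacking defence check: can a page served with these headers be framed
by a given origin? Added illustration with constructed sample responses; not
Healthcare.gov code."""
from urllib.parse import urlsplit


def _parse_csp(value):
    """Return {directive: [source expressions]} from a CSP header value."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _same_origin(a, b):
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def _source_allows(source, page, framer):
    """Does one frame-ancestors source expression match the framing origin?"""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return _same_origin(page, framer)
    if source.endswith(":") and "//" not in source:      # scheme source, e.g. https:
        return framer.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != framer.scheme:
        return False
    host, fhost = src.hostname or "", framer.hostname or ""
    if host.startswith("*."):
        if not fhost.endswith(host[1:]):                   # host[1:] is ".example.com"
            return False
    elif host != fhost:
        return False
    if src.port is not None and src.port != framer.port:
        return False
    return True


def frameable_by(headers, page_origin, framer_origin):
    """True if framer_origin may embed the page in a frame.

    CSP frame-ancestors, when present, is what browsers enforce and overrides
    X-Frame-Options. The obsolete ALLOW-FROM value and anything unrecognised are
    not reliably enforced, so they are treated as no protection."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = urlsplit(page_origin), urlsplit(framer_origin)
    csp = _parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return any(_source_allows(s, page, framer) for s in csp["frame-ancestors"])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(page, framer)
    return True


# Constructed sample responses (hypothetical headers).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

PAGE = "https://portal.example"          # hypothetical site under test
ATTACKER = "https://evil.example"        # hypothetical framing site


def audit(responses=SAMPLE_RESPONSES, page_origin=PAGE, attacker=ATTACKER):
    """Map each sample response to whether the attacker's site could frame it."""
    return {name: frameable_by(hdrs, page_origin, attacker) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, framed in audit().items():
        print(f"{name:18} frameable by attacker: {framed}")
```

The last sample is the one worth remembering: a DENY header does not help once a CSP frame-ancestors directive is present, because the directive wins, so an overly permissive CSP can silently reopen a page that X-Frame-Options had closed.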
The reason behind these security flaws could be the long-delayed security testing of the entire integrated exchange system. According to an internal memo, the administrators knew that the Obamacare website had security flaws days before its launch. The memo warned that the system had not been sufficiently tested, “exposing a level of uncertainty that can be deemed high risk”. The site was given only provisional security approval before launch because a substantial amount of testing had not been completed just days before the October 1 launch date. Health and Human Services Secretary Kathleen Sebelius told a House committee last week that temporary authority was granted because a security risk “mitigation plan” was in place. “The personal information going into HealthCare.gov includes birth date, Social Security number and an estimated income range. Sebelius emphasized that the additional security controls gave the agency confidence in going ahead with the launch, despite the audit showing a security gap.”
Keep your health information secured
Users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have glaring security gaps that leave sensitive data open to third-party attacks, leaks and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. It provides users with fully private cloud storage and syncing, with all the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or as an outsourced deployment on a private, secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and devices can store and sync sensitive data with complete privacy because the service has “zero knowledge” of user passwords or data: encryption happens on the user’s own devices, the plaintext encryption keys exist only on those approved devices, and SpiderOak’s servers never hold plaintext data. The caveat to keep in mind is that this protects data on the provider’s servers; it cannot protect a device that is itself compromised. With that design, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available on Windows, Mac and Linux, along with Android and iOS mobile devices, allowing full flexibility and mobile access. SpiderOak offers products such as SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!