Obamacare Website: Slow, Buggy and Waiting to be Hacked
By Hal M. Bundrick
NEW YORK (MainStreet) -- While attempting to complete an application for health insurance on Healthcare.gov for his granddaughter, Ben Simo, a Gilbert, Ariz. software tester, encountered not only a sluggish, glitchy site with account creation issues, but a number of security concerns, as well.
"I identified a series of steps that could be easily automated to collect usernames, password reset codes, security questions, and email addresses from the system -- without any kind of authentication," Simo posted on his blog.
Simo reported the issues to Healthcare.gov's customer service and the Centers for Medicare and Medicaid Services (CMS) patched "the most serious hole" the same day.
"While I am appalled that the issue existed in the first place, I applaud the quick response," Simo wrote.
The issues with the website have been so persistent from the outset that Consumer Reports warned users in mid-October to "Stay away from Healthcare.gov for at least another month if you can. Hopefully that will be long enough for its software vendors to clean up the mess they've made."
While some of the initial security concerns reported by Ben Simo have been corrected, he still worries about other data risks lurking on the site.
"Both Secretary Kathleen Sebelius and Andy Slavitt, an executive VP at QSSI, the company tasked with fixing Healthcare.gov, have downplayed security concerns," Simo writes. "They have suggested that personal information is not at risk because The Hub, the Healthcare.gov front end, does not store information; but rather, transports information. A system is only as secure as its weakest link.
If front-end security is poor, then no amount of back-end security can protect information passing through the front end."
Simo says that even if the site doesn't store information, it does return the personal data to the user's browser. He says that information can include a user's name, address, date of birth, phone number, and Social Security number.
"It doesn't take a security expert or 'super hacker' to exploit these vulnerabilities," Simo writes. "This is basic web security. Most of these are the kinds of issues that competent web developers try to avoid; and in the rare case that they are created, are usually found by competent testers."
The site experienced a 90-minute outage Monday afternoon. Healthcare.gov will also be taken down for maintenance each evening from 1 to 5 a.m.
Now that a couple of weeks have passed since Simo's first discovery of the security gaps, and with some immediate response from the government, does he feel the matter is mostly resolved?
"It concerns me that these issues existed in the first place, and I'm now even more concerned that they still exist," Simo told MainStreet via email. "I'm not yet convinced they are giving security sufficient attention. I suggest consumers give them some more time to get their security act together."