Gartner Blog Network


How secure is healthcare.gov?

by Avivah Litan  |  October 31, 2013  |  2 Comments

A posting by blogger Ben Simo, a highly-experienced software tester, brings up many important and valid security issues with healthcare.gov. Ben has done a good job documenting some of the most egregious issues with healthcare.gov that are definitive proof of the fact that security will continue to be a major issue for the Obamacare website. See blog.isthereaproblem.com

More fundamentally, it’s important to note that this could very well be a security disaster in the making because of the following facts:

a) The marketplace healthcare.gov is run by an estimated 500 million lines of code which is about 10 times the lines of code in Windows XP. The mammoth code is managed by multiple system administrators and different components reside on separate servers, according to developer Gabriel Harrop who examined the software.

It’s simply too big a program to manage from a security perspective, given the level of expertise and coordination assigned to the project as we have come to know it. I’ve also been informed by developers who examined the application that it isn’t exactly a model of slick coding practices. For example, I was told that rather than build an array to compute 40 variables, someone cut and paste a program to repeat a task forty times.

b) We all know about the performance problems that have surfaced because of the multiple disjointed and uncoordinated groups of contractors who worked to create different components of healthcare.gov. As security vulnerabilities are discovered, it will be very difficult to push out patches to the marketplace and get them properly tested to ensure that all the disjointed parts work together securely. After all, even CMS admitted they didn’t have time to properly vet the security of the initial code set!

c) Healthcare.gov is surely a prime target for hackers. There is an abundance of sensitive personal information that is being submitted that hackers will want to steal. Based on issues already documented by Ben and others, this will be a much easier hacking target than banks, retailers, payment processors and other enterprises where the crooks are already succeeding, despite billions of dollars being spent on security in order to be compliant with government regulations and the rules of the payment card networks (e.g. PCI).

d) Finally we already know that the knowledge based authentication system that healthcare.gov is using to verify applicant identities has been systematically compromised by identity theft gangs. See krebsonsecurity.com

e) Who’s supervising and examining healthcare.gov? Are there any security standards set for this critically important and sensitive website?

Frankly, I think the Obama Administration should cut their losses and fess up and admit they need to get the system overhauled and rewritten. And that is not going to take one or two months, as they say. The best they will be able to do in that timeframe is fix the performance issues. The security issues are surely much more complex – you can’t just throw horsepower at them. You need intelligent software and layers of defense. That takes time to bake in.

You can be sure the Republicans are going to pounce on any bug they can find. Hopefully they won’t be able to find any really serious ones that compromise the confidentiality of Americans already struggling to get health care insurance.

Category: 

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio


Thoughts on How secure is healthcare.gov?


  1. […] Read the entire post: http://blogs.gartner.com/avivah-litan/2013/10/31/how-secure-is-healthcare-gov/ […]

  2. […] a lot that has been said or written about security that you could find for yourself online (Read this, this). But, according to what I know this website is not secure to the level that you or I are […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.