Security and Compliance Concerns for Obamacare: Checking the Checker

Chris Gida

November 19, 2013 - Posted by Chris Gida to Security Insight

cyber crime

The news has been filled with comments regarding the implementation of the new website to support the Affordable Care Act, popularly known as Obamacare. On the first day of deployment, the website experienced issues, including functionality concerns such as users not able to complete applications, slow page loads and capacity overloads leading to several outages. Then we found out that a Health and Human Services official signed off on a waiver that allowed the site to skip (or at least delay) security testing and approval.

In recent news we also found out the website has been the target of at least sixteen known cyberattacks between November 6th and 8th. Other reports denied the attacks, but now, Department of Homeland Security officials are slowly releasing details. As a health care compliance assessor, these issues trigger several concerns and make me think, who is checking the government (the checker)?

Several weeks after the roll out of, Health and Human Services Secretary Kathleen Sebelius was required to testify before the Senate Finance Committee. She noted that there were several reasons for the website issues. These issues included: last minute changes to requirements, the fact that the project was piecemealed to different contracting organizations and insufficient testing. These are common problems I see in the health care space. (Actually, these are common problems I see in pretty much any space. Nothing like a real-world gut check for the government).

It’s common for organizations to run out of time, budget and resources on a development project then outsource development to third parties and make last minute additions (call it scope creep). These types of issues can easily lead to application faults which can result in operational and information security concerns. It seems that when time, budget or resources are constrained, the first items to get cut from development projects are non-functional requirements. Non-functional requirements, such as security requirements, are typically left out in order to meet business requirements. This makes me wonder what was cut out of the website?

With my background as a health care security assessor, I can’t help but think “How far down does the rabbit hole go?” A good assessor always tries to look past symptoms and find root cause. Given the disclosed issues with the website, the similarities of issues in the health care space and now the reports of attacks against the website, what has really happened? Why were officials slow to report the attacks? More importantly, were any of the attacks successful? From what has been disclosed so far, the answers are consistently “no”, but mixed information continues to be released.

One report stated there is no sensitive information on the site. Others say that, at the very least, the website is a gateway site which gathers some personally identifying information. From a health care perspective there are several significant implications if the website were breached. For example, in recent years the government has been pushing organization to protect Protected Health Information (PHI) with the addition of the HITECH and Omnibus Rules. If recent cyber attacks were successful, and information was actually breached, who would the government answer to?

It is never good practice to have the entity itself check the checker. Who is responsible for ensuring that the Department of Health and Human Services website is in alignment with security best practice requirements, securing any sensitive information, and disclosing data breaches similar to the requirements of organization in the health care industry? It would be incredibly ironic if the site was breached and data compromised, because who would the government fine, the government?


Read more on Solutionary Minds about:

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)