Failure as a Service : Obamacare site security flaws emerge

The Healthcare.gov technology story isn’t going away anytime soon. As tech rescue teams have come to save the day with what they hope will be a rapid fix for the struggling site, the first of what may be a number of security issues have started to emerge.

It’s a situation so dire that even the consumer website Consumer Reports has advised the public to not submit any information to the system until the fixes are in. They may be waiting a long time. In a recent report, a North Carolina father, Justin Hadley, was using the Obamacare website when, after many attempts to sign up, wound up receiving eligibility letters that were addressed to other people from other states.  It’s among the first of what may be a long list of issues to emerge.  The Foundry recounts Hadley’s sad story:

Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.

Nov 30th deadline

 

 

These security issues, along with the several others that are sure to come, are probably the most disturbing and biggest challenges that the site will have to overcome by their self-imposed Nov 30th deadline, as was determined by Health and Human Services Secretary Kathleen Sebelius.

Security has been a question from the beginning, pointed out very early in this parade of technical site failures. It is difficult to imagine that despite their multiple assurances that the site is secure, that it is actually secure. With 500 million lines of rushed code, an ultra-accelerated development cycle, poor coding, poor software quality assurance and minimal testing, can anyone take the security assurances seriously?

Back to the data problem

 

 

Flaws and vulnerabilities are a guaranteed part of all this, but as pointed out previously, the system is showing signs of a serious data problem, which is much, much worse. This probably best explains Hadley’s receipt of information, and as pointed out before, is likely behind the troublesome ‘834’ data form problems that are preventing insurance companies from giving accurate prices.

Reports are emerging that focus on these ‘834’ forms. These forms are used in the process of direct enrollment, and it appears that they are filled with incorrect information, making purchasing plans for many impossible. The data that is coming to insurers from healthcare.gov is corrupted or sending ‘questionable’ data.

  • Gov’t doesn’t trust the site

Even the government itself has privately shown concern for the security of the site. In a report from the Associated Press, the Centers for Medicare and Medicaid Services reported the site was a high security risk for familiar reasons:

The document, obtained by The Associated Press, shows that administration officials at the Centers for Medicare and Medicaid Services were concerned that a lack of testing posed a potentially “high” security risk for the HealthCare.gov website serving 36 states. It was granted a temporary security certificate so it could operate.

‘Tech Surge’ – The odds are against them

 

Nothing happens quickly in the government. And now, under the gun, they are trying to fix a site that was deployed with a big bang approach in the first place instead of phasing this out in an evolutionary manner. This tech surge crew has an incredible challenge before them, as the project has shown multiple signs of a project that is going to be dead on arrival.

The site went live before the system was ready, and now they’re trying a running fix. Adding manpower post-launch is another issue, because despite whatever skill and experience come into the picture, the simple fact is that they weren’t there when it was built in the first place. You can’t get to where you want to go if you don’t know where you are right now, and that takes time. Where the site is at now is complete failure, from a user experience standpoint, but also a complete data and security failure as well. That’s more than just a site.

This infographic is a visual representation of the millions of lines of code that go into a given project, contextualizing what Healthcare.gov is up against.  See the full infographic here.

On course for another tech failure

 

No one likes bad news, but that’s all there is here – it’s that ugly.  So despite whatever great intent may be put into place with the tech surge and even the law itself, in the end this may not amount to the success they have promised. There are no shortcuts or magic fixes, that’s arguably how we got this site in the first place. The only way this gets fixed is a complete offline rebuild that will take a significant amount of time.

Can you imagine the pressure on the inside right now? Continuing to push to fix and stabilize a system while it is live will only result in pretty modest gains, at best. Logic dictates however that more and more problems will come to the surface as these fixes are introduced.

  • Failure-as-a-Service

It is a never-ending process and can only be described as destined for failure, Failure as a Service (FaaS).  That’s a borrowed term that seems to fit this situation uncomfortably well.  Every element of this site is unfit for production.  The only way out of this is going back to the beginning or somewhere close to it, let’s be generous and say early 2013 somewhere. No matter how you cut it, that’s way beyond Nov 30th.

In the meantime, note that despite the presence of alternative methods that have been put in place to sign up via mail and via phone, that ultimately this information still ends up going into the very same system that is behind Healthcare.gov. There’s no way around it. And that’s the system we’ll probably end up with for some time – data collection without plan-comparisons and ultimately without enrollment – until at some point the whole thing is rebuilt.  Don’t forget, you’re paying for this.

About John Casaretto

SiliconANGLE's CyberSecurity Editor - Have a story tip or feedback? Please reach out to me! Security is as critical as ever and our mission is to uncover those stories that will help our industry be more secure.