
HealthCare.gov deferred final security check, could leak personal data - Cbasedlifeform
http://arstechnica.com/information-technology/2013/10/healthcare-gov-deferred-final-security-check-could-leak-personal-data/
======
generj
Passing this sort of data in analytics requests is mind-bogglingly stupid.

Most analytics providers explicitly tell you not to pass along Personally
Identifiable Information (PII). Their Terms of Contract usually state doing so
is a terminable offense. It's part of the training process to be certified by
most providers.

Basically, this only highlights how terrible the programmers at healthcare.gov
are.
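
A defensive check for the practice generj describes, added here as an example (not code from HealthCare.gov, its contractors, or any analytics provider): before an analytics beacon is sent, it inspects the request URL for query parameters whose names or values look like PII or credentials, and redacts them. The denylist, the value patterns and the sample URL are constructed assumptions.

```python
"""Pre-send check for analytics beacon URLs (added example, not the
site's own code): flags query parameters that look like PII or credentials."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never reach a third-party analytics endpoint
# (a constructed denylist; a real one would follow the provider's PII policy).
PII_KEYS = {"username", "user", "email", "password", "passwd", "ssn",
            "firstname", "lastname", "dob", "phone", "address"}
# Value patterns that indicate PII even under an innocuous parameter name.
PII_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


def find_pii(url):
    """Return (parameter, reason) pairs for every suspicious query parameter."""
    parts = urlsplit(url)
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PII_KEYS:
            hits.append((key, "denylisted parameter name"))
            continue
        for label, pattern in PII_VALUE_PATTERNS.items():
            if pattern.match(value):
                hits.append((key, f"value looks like {label}"))
                break
    return hits


def scrub(url):
    """Return the URL with flagged parameters replaced by '[redacted]', so the
    beacon can still be sent without carrying the sensitive values."""
    parts = urlsplit(url)
    flagged = {key for key, _ in find_pii(url)}
    cleaned = [(k, "[redacted]" if k in flagged else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# Constructed sample beacon modelled on the kind of request the article
# describes; not a real captured request.
SAMPLE = ("https://analytics.example/collect?ev=pageview"
          "&username=jdoe&contact=jdoe%40example.org&page=%2Fapply")

if __name__ == "__main__":
    for param, why in find_pii(SAMPLE):
        print(f"{param}: {why}")
    print(scrub(SAMPLE))
```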

~~~
briandear
We can blame the programmers, but who is ultimately responsible? The White
House is the executive branch; they are paid to execute, and ultimately this
is entirely their responsibility. They are the project managers of this entire
mess. Now imagine those same people deciding your medical treatment. It's just
sheer incompetence disguised as politics. Of course, a more subversive view
would suggest that this was engineered in order to pave the way for single
payer. The Soviets built better cars than the US government builds websites.

~~~
llamataboot
Last I checked, the Affordable Care Act really didn't involve anyone at the
Executive Branch deciding on what medical treatment I could get. Downvoted for
fearmongering and paranoid speculation. (purposely botched implementation of a
large software project to make single payer easier? Because the Tea Party
shutting down the US government to try to block this healthcare bill makes it
likely we will see single payer pass?)

~~~
Shivetya
Actually, if the Independent Payment Advisory Board fails to develop a
proposal should costs exceed certain thresholds, then the Secretary of Health
and Human Services must submit a proposal themselves, which they must
implement.

Since all appointees to this committee must be agreed upon by the Executive
Branch as well as both minority and majority leaders from each party (hence 12
from Congress with the President's approval/recommendation) and 3 from the
President, yes, the Executive Branch could very well determine what health
options are available to you.

The real issues before us now are:

1) Why can the Secretary of Health and Human Services even refuse to divulge
enrollment numbers?

2) Why is the same not keeping the President fully aware, or made aware, of
the problems the site faced before launch and after? (Conspiracy advocates
claim the President knew.)

3) By regulating what must be covered and not covered, they are deciding what
you can have and have not. Remember, there are a lot of gray areas in the law
where the Secretary has shown more than enough interest in creating actual
rules.

~~~
cma
You can still buy supplemental insurance, so they aren't regulating what you
can have, they are regulating the minimum floor.

~~~
RickHull
> _they aren't regulating what you can have, they are regulating the minimum
> floor._

This is utter nonsense on its face. If I have (or want) something under the
minimum floor, they have regulated that away from me. They have regulated what
I can have.

~~~
VladRussian2
They also regulated away spoiled beef in stores, bedrooms not equipped with
smoke detectors, and poisoned tap water. You can't have it. Minimum floor.

~~~
Turing_Machine
Spoiled beef is quite a different thing from requiring a 60 year old man to
buy maternity coverage.

~~~
toomuchtodo
You mean spreading the cost of maternity coverage across all policyholders.
Perhaps you're not aware of how insurance works, spreading risk and all that
jazz.

Have healthcare system where costs are externalized? People complain. Have
healthcare system where costs are internalized and properly accounted for?
People complain.

~~~
Turing_Machine
1) You don't get to tell me what I "mean". 2) I'm quite aware of how insurance
works. Please do share with us the probability of a 60 year old man becoming
pregnant, then explain why that "risk" needs to be "spread".

~~~
ncarroll
I wonder what the probability of a 60 year old man getting his lovely partner
pregnant might be? That looks like a reason for spreading risk to me.

~~~
Turing_Machine
Given that the law also requires the lovely partner to have her own coverage,
I think your "reason" is dubious at best.

~~~
Turing_Machine
Also note that the law requires 60 year old women to buy maternity coverage.
Is their lovely partner going to make them pregnant?

Given that the Guinness record for the oldest natural conception is 59, I
think not (there are a few cases of older women giving birth, but those all
involved in vitro fertilization or the like).

What other astoundingly unlikely events do you guys think people should be
required to insure against? Meteor impact? Virgin birth? All the molecules of
air rushing to one side of the room and suffocating you?

------
programminggeek
I think the only good news about HealthCare.gov is going to come from The
Onion at this point.

------
aabalkan
Seriously, I'm thinking that whoever developed HealthCare.gov did not know
anything about web development. I knew that one doesn't simply add usernames
and passwords to URLs when I was f*cking 12 years old. I am even more
surprised that no one ever audited their security and US citizens are not
asking the government where the heck the money has gone. That's a reason that
many government officials should immediately resign from their positions.

------
danso
Not to diminish the researcher's work here, but even as bad as these security
holes are, as reported, I'm mildly non-surprised...just because they've _got_
to be much worse...the most visible parts of this system were cracking...it
would be hard to believe that the unseen and often skipped-over parts of
engineering would be more solid than what we've experienced, given the
laughably short testing period.

This is going to set back electronic medical records for quite a long time.
Don't forget the Obama admin put aside $20 _billion_ dollars to fund that, and
contractors have been eating up that money for a few years now.

------
spoiledtechie
I blogged about this very problem the other day.

[http://spoiledtechie.com/post/2013/10/23/What-Scares-Me-abou...](http://spoiledtechie.com/post/2013/10/23/What-Scares-Me-about-the-Tech-Behind-Healthcaregov.aspx)

If you think the UI is designed badly, just imagine how bad the backend is...

~~~
semerda
"If you think the UI is designed badly, just imagine how bad the backend
is..." - exactly! A glimpse into the mess that lies behind the curtains.

------
mcone
Former federal IT security contractor here. There's nothing unusual about this
event, except perhaps the fact that it's receiving national attention.

When I worked for the federal agency responsible for providing health care
services to tribal entities, we would routinely accept and issue waivers for
high-level risks discovered in RPMS (called VistA at the VA), the 30-year-old
EHR application we used to store PHI and PII. Honestly, I don't know why we
even bothered performing C&As and penetration tests -- everybody knew we
weren't going to mitigate the vulnerabilities, even before we started testing
for them.

It was an incredibly frustrating environment to work in. Federal law required
us to test for vulnerabilities, but the director and CIO didn't give a shit
about infosec and the CISO just kept issuing waivers for everything.

~~~
generj
> the federal agency responsible for providing health care services to tribal
> entities

Wouldn't that be the IHS, which is underneath HHS? Suggesting a general
disdain for security within the HHS?

Healthcare.gov is underneath CMS, not IHS, but I don't think it's unreasonable
to conclude that the overarching body, HHS, has poor security practices.

------
siphor
Heh, I also wouldn't be surprised for this site to be a high profile target...
Any successful attack on it would completely embarrass the U.S., which I'd
imagine is up there on some people's lists right now.

~~~
Turing_Machine
Leaving the embarrassment aside, this thing has to be the Holy Grail for
identity thieves.

------
vincie
I am going to make a stand for all the developers working furiously on this,
although I don't know any of them. I blame it all on management, and they have
the worst kind: politicians. I write this as I am certain it is very similar
to what happened here in Brisbane, Australia, with the Queensland Health
payroll system fiasco. Under severe pressure from politicians, they pushed out
a system without thoroughly testing it first.

Edit: The Queensland Health payroll system was quoted at $6.19 million; the
latest revised cost is $1.2 billion.

~~~
stef25
I'm a dev up shitcreek with no paddle and also blame management ("here take a
couple more projects. And support a couple more", while trying to rewrite a
piece of sh*t that's already months behind).

It's almost always the go-to excuse though, I just don't know if it's the
truth anymore. Of course we'd blame management. Depressing.

~~~
vincie
Darn, you sound like you work with me. And I swear to almighty god it is never
my fault. A bunch of idiots get together and promise that I will deliver this
piece of software at this date, without inviting me along to the meeting.
Then, they write the specs (shouldn't it be the other way round at this
point?). In most cases, the specs are incomplete and they want me to start
while they are still finalizing stuff. I go tell them about a roadblock, and
that they should revise the deadline, and they tell me I should go ask someone
else how to do it, as if I am incompetent. And they always think bringing in
more developers would make things go faster. Damn, I am beginning to lose my
cool just writing this.

~~~
GVIrish
It amazes me how often the Mythical Man Month situation comes up in government
IT. Sometimes people even KNOW that adding developers to a late project won't
work but they have to be seen as 'taking action' so they do it anyway.

------
prawn
Physical address of the organisation managing the site is amusingly "7500
_Security_ Boulevard, Baltimore, MD 21244".

------
kaeawc
Maybe HealthCare.gov is just a honey pot by design, except poorly cloaked?

------
disposition2
Maybe they should've run the site through the 'meaningful use' certification
process first...

~~~
hga
Very funny.

I have a friend in this general field. Last time I checked, he told me those
two words in the "Stimulus" bill expand into ~700 pages of regulations, and it
has made a bunch of consultants on it quite wealthy. Per Michelle Malkin, who
lost her Primary Care Physician to this insanity, talking about another
([http://michellemalkin.com/2013/10/23/dont-forget-obamacares-...](http://michellemalkin.com/2013/10/23/dont-forget-obamacares-electronic-medical-records-wreck/)):

"_Dr. Michael Laidlaw of Rocklin, Calif., told EHR Practice Consultants that
he abandoned the Obamacare EMR "incentive" program "when I realized that I
spent the first two to five minutes of each visit endlessly clicking a bunch
of garbage to make all the green lights show up on the (meaningful use) meter.
I said to myself: 'I'm not wasting precious seconds of my life and my
patients' time to ensure some database gets filled with data. I didn't go into
medicine for this. It is not benefiting my patients or me. I hate it.' I
actually refused to take the $10K-plus this year. I have even accepted that I
would rather be penalized in the future. What is worth the most to me is
AUTONOMY._"

The latter refers to the concept that this is firmly inserting the visible
foot of government into the physician-patient relationship.

------
garthdog
Move fast and break things!

------
outside1234
Everyone is probably using "health" for their password anyway, amiright?

------
joezydeco
Somewhere in America, Harper Reed is breathing a massive sigh of relief.

------
ck2
So if all 50 states created their own exchanges, healthcare.gov would have
just been an info splash page?

I mean even DC created their own exchange, what was the excuse of the other
30+ states?

~~~
peterstjohn
It was part of an organised plan to try and sabotage Obamacare, having lost
the legislative battle and the Presidential election.

~~~
hga
These Blue or Purple states are not doing one: New Hampshire, New Mexico for
the moment for individuals, Utah permanently for individuals, Arkansas, Iowa,
Michigan, Illinois.

Plus my Purple home state of Missouri isn't doing one based on a citizen
initiative in 2012, where 62% of us voted to outlaw the creation of a state
exchange unless authorized by the people or the legislature
([http://ballotpedia.org/wiki/index.php/Missouri_Health_Care_E...](http://ballotpedia.org/wiki/index.php/Missouri_Health_Care_Exchange_Question,_Proposition_E_\(2012\))).

I also find it highly questionable to score elections like you have. Not only
are you ignoring Scott Brown and 2010, but the one in 2012 was between Mr.
Obamacare and Mr. Romneycare; the eGOP handed voters the _single_ worst
possible candidate to have a referendum on Obamacare about.

More generally, you should acknowledge this is the first ever major
entitlement program that didn't pass on a widely popular bipartisan basis,
from FDR's Social Security to Bush's Medicare Part D prescription one. It
would be remarkable if that didn't have consequences we've never seen before.

Or more specifically, how did not building an exchange "sabotage"
Healthcare.gov? Sounds like you're trying to magic a sin of omission, as
perceived by you, into a sin of commission.

Can't be a volume problem, seeing as how the site failed in integration
testing a week before launch before achieving 200 simultaneous logins, and so
much has to go through it for every exchange (remember when Verizon's goof
shut them all down) and, perhaps one day if they get around to it, every
insurer (it's the only allowed source of subsidy calculations, which does make
some sense).

------
gesman
I think we have had enough punching-bagging on this.

~~~
InclinedPlane
Until it's fixed, until it's worthy of the hard earned money spent on it
(which is a considerable sum), no, we haven't had enough.

This is government accountability 101.

~~~
toomuchtodo
Wait wait wait. 2 failed wars costing over a trillion dollars, near-economic
collapse due to the rollback of financial regulations, and NOW we're holding
the government accountable?? Over healthcare.gov? Where the hell was everyone
for the last 13 years?

~~~
InclinedPlane
Pretty sure the public voted a different party into the WH and Senate due to
some of those issues.

Regardless, it's not as though bigger problems make it so that smaller but
still very large problems should be ignored. Similarly, one does not need to
decide between foreign policy mistakes, NSA wiretaps, and bailouts to be angry
about; you can be angry about all of them, and hold government officials
responsible for all of them.

Besides which, healthcare.gov is a cornerstone of the affordable care act,
which is a multi-trillion dollar endeavor.

~~~
roboneal
The public also voted in a Republican House majority and flipped Ted Kennedy's
seat to prevent a filibuster proof Senate majority to essentially prevent
Obamacare being implemented without amendments.

Yet, it was "deem and passed" and here we are. Power to the people?

~~~
peterstjohn
And remember when they were so angry at that they voted in the candidate that
vowed to repeal Obamacare in the next election.

Wait.

~~~
hga
Who was Mr. Romneycare and, prior to the election, was notorious for being
willing to say _anything_ to get elected?

Coming from the "extreme right wing" side of the political spectrum, I assure
you that few of us considered any "severely conservative" promise from
Hairpiece Q. Motherf----- credible. The eGOP managed to hand us the single
worst possible candidate in every way to run against Obamacare.

