(12-20-2013, 01:22 AM)Softy Wrote: While “user experience” may have been improved, security expert David Kennedy insists there has been no improvement to data security, and the rapid pace of the fixes may have even made matters worse.
“It doesn’t appear that any security fixes were done at all,” Kennedy said. “They said they implemented over 400 bug fixes. When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.”
Kennedy, CEO of the security consultancy TrustedSec, testified before congress recently about the security lapses he found after conducting a fairly routine, low-intensity penetration test of the government run website, saying that the developers took little to no care in producing a secure portal.
“I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress,” Kennedy continued.
Government does not approach security the same way a commercial site does.
The Centers for Medicare & Medicaid Services (CMS) has built a tool called the Data Services Hub (the Hub) that will help verify information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs. The Hub will provide one connection to the common federal data sources needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.
It is a critical priority that all systems are secure and personal information is protected. The Hub was specifically designed to minimize security risk, by developing a system that does not retain or store Personally Identifiable Information.
These efforts provide a security framework to safeguard consumer data, allowing eligible Americans to confidently and securely enroll in quality affordable health coverage starting on October 1, 2013. The following describes some of the steps taken to ensure the security of the Hub.
CMS has designed the Hub, a routing tool that helps Marketplaces provide accurate and timely eligibility determinations. The Hub will verify data against information contained in already existing, secure and trusted Federal and state databases. CMS will have security and privacy agreements with all Federal agencies and states connecting to the Hub. These include the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs, Medicare, TRICARE, the Peace Corps and the Office of Personnel Management.
The Hub increases efficiency and security by eliminating the need for each Marketplace, Medicaid agency, and CHIP agency to set up separate data connections to each database. Risk increases when the number of connections to a data source increases – which is why CMS has designed the Hub to prevent such liabilities. The Hub provides one highly secured connection to trusted federal and state databases instead of requiring each agency to set up what could have amounted to hundreds of independently established connections.
The Hub and its associated systems have several layers of protection in place to mitigate information security risk. For example, Marketplace systems will employ a continuous monitoring model that will utilize sensors and active event monitoring to quickly identify and take action against irregular behavior and unauthorized system changes that could indicate a potential incident.
If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents. This allows CMS and the Department of Health and Human Services (HHS) to quickly identify security incidents and ensure that the relevant law enforcement authorities, such as the HHS Office of Inspector General Cyber Crimes Unit, are notified for purposes of possible criminal investigation.
The privacy and security of consumer data is a top priority for HHS and CMS. The Hub and its associated systems have been built with state-of-the-art business processes based on federal and industry standards. CMS has developed an extremely strong enterprise information security program to protect consumer information in a secure and efficient manner during open enrollment and beyond.
Data Hub Testing
Every federal information technology system must comply with rigorous standards before the system is allowed to operate. The Hub completed its independent Security Controls Assessment on August 23, 2013 and received an authorization to operate on September 6, 2013. The completion of this testing confirms that the Hub complies with federal standards and that HHS and CMS have implemented the appropriate procedures and safeguards necessary for the Hub to operate securely on October 1.
As with all systems, the responsibility to safeguard information is an ongoing process, and HHS and CMS will remain vigilant throughout operations to anticipate and protect against evolving data security concerns. The marketplace monitoring program will continually be reviewed for effectiveness of the systems’ security controls, through methods that include independent penetration testing, automated vulnerability scans, system configuration monitoring, and active web application scanning.
CMS developed the marketplace systems consistent with federal statutes, guidelines and industry standards that ensure the security, privacy, and integrity of systems and the data that flows through them. All of CMS’ marketplace systems of records are subject to the Privacy Act of 1974, the Computer Security Act of 1987, and the Federal Information Security Management Act of 2002. These systems must also comply with various rules and regulations promulgated by HHS, the Office of Management and Budget, the Department of Homeland Security, and the National Institute of Standards and Technology.
If I understand their hub properly, it seems to me that at most a hacker could phish just information of a few individuals as their data moves through the system, and their intrusion is detected, countered and traced... meaning those hackers may get a knock on their door.
If you understood anything at all about the government approach to security, you would know that they intentionally leave many systems open to a degree to let the intruders in so they can be dealt with and caught... they also know that no cyber security system is hack proof, so to rely on such to protect large amounts of sensitive data is foolish and only causes additional problems.
Familiar with the Gary McKinnon case? Wide open network accessed from a secret door right out in the open. Did he manage to even copy a single piece of information? Was he found out? They let him roam to see what he would do... they watch, and when and if they see large amounts of information attempted to be downloaded (which isn't stored in the healthcare hub, as the fact sheet makes clear), they block it and confront. They didn't make a stink until he went public with what he saw. The security is "eyes on". Which means when intrusion is detected you are being watched and your crimes are being recorded for prosecution. The systems are often set up as a kind of "labyrinth" so as to make movements easily detectable and trackable... as the intruder attempts to collect data, data about the intruder is being collected.
...ya sure, it might be relatively easy to get in for a hacker with moderate skill, but you have access to very little (and they are not going to be allowed to sit there gathering data off the pipes). That IS the security!!! This isn't some commercial site. This is a government website and, as I tried to make clear above, they do things a bit differently... a commercial site does not have the assets to monitor intruders and send agents to their door. Their approach is to build thicker doors with stronger locks, which can always be broken some way, somehow, by someone.