A Trip to OZ: Security and the Affordable Care Act Website, Part I
November 19, 2013
This set of articles explores factors from a security perspective that contributed to the ACA (Affordable Care Act) website derailing in its opening days. I identify a variety of security related issues that contributed to the problem and give advice for corrections. This story is a cautionary tale for any company integrating software systems with vendors or tying together enterprise-wide systems.
Like the movie, “The Wizard of Oz”, there is a wondrous cast of characters. Hopefully in the end the security dangers I highlight can be cleared up and a happy ending found.
Let’s introduce our cast:
Dorothy – The American People. Innocent and just wanting to get to a safe home. The Wizard – The US President. Scarecrow – The agencies, states, and companies supporting the ACA website. Tin Man – Congress. Lion – The ACA contract companies. Wicked Witch – Hackers and the Department of Health and Human Services. Good Witch – ?? Dorothy’s House – The ACA website. Land of OZ – The mysterious land of technology and security.
The story of the ACA website issues is a story about security failures.
Numerous editorials have labeled the cause of the ACA website woes as due to bad coding and contractor oversight, detractors out to defund the ACA, and simply just the unrealistic expectations that a huge government program work flawlessly on day one. While those factors are true to a degree, at the heart of this story is security failures that intertwine throughout everything.
The tornado that uprooted Dorothy’s House (aka the ACA website) was the opening days of the ACA website being online, when stories began to pour in of web sites crashing, freezing, and responding slowly. Then users reported seeing other people’s data when accessing their own accounts. The final gust of wind to uproot everything was the reports by insurance carriers that incomplete data, duplicate accounts, and errors in data fields were being fed to their systems.
The Department of Health and Human Services (HHS) tried to calm fears that the issues were just due to server capacity needing to be boosted. However, the damage had been done and the house landed firmly on top of HHS (HHS now transformed by bad press into a witch with ruby slippers). Dorothy (aka The American People) were now in OZ – a land affected by magic, (actually, security-based issues coupled with technology).
I sadly shook my head when I heard of the first server crashes on the news. I had been here before on business projects that did not follow the security tenants of CIA: Confidentiality, Integrity, and Availability. Even if the server crashes were just scalability, the result was a Denial of Service (DoS) attack that made the services unavailable to customers. The man who saw the data of another person from South Carolina was experiencing a confidentiality issue. And the insurance companies receiving the bad data then had integrity issues.
House Falls, End of Story. Right?
The damage was indeed like a house falling on HHS. The ACA website crashes undermined faith that the system would even work, causing by some estimates as many as 400K+ Americans to abandon efforts to use the ACA site. With low numbers of completed applications for care plans through the site, detractors to the ACA pointed out that the Affordable Care Act itself should be repealed. Users seeing other participant data begged a bigger issue of violations of federal laws under HIPAA, potentially exposing the data to the wider Internet. And finally, what could only be described as corrupt data feeds from the ACA website threated to corrupt state and commercial insurance companies receiving data. Dorothy (aka The American People) was lucky not to be hurt when the house landed in OZ with stolen data or identities.
Unlike business that might stop a project in trouble, the government is pushing on with the ACA website because it currently is at a point of no return. The ACA website and electronic exchanges are now a critical mechanism for meeting the ACA law to go into effect. Now as Dorothy (aka American People) starts through OZ (aka The Mysterious Land of Technology and Security), things become strange. What would normally shut down a business effort due to security is not stopping the ACA website rollout.
In business, a situation with multiple rollout and integrity issues within the project and to partner systems might warrant a partial or full rollback effort. However, because the ACA is a law that applies across the entire country, the ACA website was put online as a “throw the big switch” approach and not a phased effort (such as by state). A single point of failure was established – something to be avoided in software and especially security design. Issues with server and website uptime would not have necessarily stopped the effort. The “glitches” like those cited in the news and by the President (The Wizard) early on are often experienced in large projects. But repeated downtime issues point to deeper security issues.
However, exposures of customer data protected by law (ie HIPAA) is an issue that would stop a business project quickly and dead in its tracks. Despite fines for data exposure, numerous states require that the affected customers be notified that their data was compromised. This issue alone would halt a software rollout.
What about the data integrity issues? Partners receiving corrupt data would not allow their down-stream systems to become tainted and would insist that systems be re-examined? I’ve said for years that the one of the worst hacks is not one that steals data, but one that taints data and causes you to forever doubt your own systems. If anything, there would be a last known good point where system data could fall back to in case of data issues. In the case of the ACA, many of the existing policies offered to customers will discontinue or millions of people will have never had policies before. This situation complicates being able to rollback to any previous “good state”. Compensating controls such as longer review times will be needed to reduce the risk of inaccurate data, causing added availability issues for issued policies.
But unlike many corporate initiative that can be scaled back until issues are corrected or even a limited rollout done, the ACA required policy coverage. And with the ACA website and its integration with the existing state exchanges, scaling back or ending the ACA website is not an option. Dorothy is firmly on a journey through The Land of OZ.
What Will Dorothy Do?
Dorothy (aka The American People) was lost in The Land of OZ (aka the Mysterious Land of Technology and Security), had no choice but to take the ruby slippers (aka hope of a fixed ACA website), and seek The Wizard (The President) for safety and home. And just like Dorothy, The American People will need to rely on fixes to the security issues in the ACA website if they are to get home to healthcare.
What will need to be done to identify and address some of the security issues in the ACA website project? Read my next installment as Dorothy navigates OZ and encounters the answers to those questions.