"We believe", concludes the 8-page statement, "we have met the goal of having a system that will work smoothly for the vast majority of users." It is all about the user experience. "There is more work to be done to continue to improve and enhance the website and continue to improve the consumer experience in the weeks and months ahead." But the announced achievements include system response less than 1 second; error rate well below 1%; uptime above 90%; 24/7 performance monitoring; and capacity for 50,000 concurrent users with more than 800,000 users per day.
However, TrustedSec notes this morning, "Out of all of the reports, there were no mention to security concerns or addressing the vulnerabilities identified in the healthcare.gov website."
In mid-November TrustedSec's CEO David Kennedy presented a report on HealthCare.gov to Congress. That report notes, "One of the more alarming trends is that the actual security testing of the website was deferred due to project delays. The website was launched without formal testing and with known risks around the security of the applications. Even further, there was little to no security built into the website or through the development. With the complexity of the website, this would indicate that the website will suffer from significant security concerns for a long period of time unless significant action is taken to address the issues and flaws within it."
Now TrustedSec reports that little if anything has yet been done to address the systemic flaws it and other researchers have found on the website. It is careful not to reveal any of these vulnerabilities in detail, but gives one example that actually has been fixed: an open redirect identified by Gillis Jones (independent security researcher). "This exposure has since been fixed", writes TrustedSec, "however very similar ones on the healthcare.gov and healthcare.gov sub-sites still exist. An example of what can happen in these scenarios is an attacker can send a targeted email to an individual that has signed up for healthcare.gov or is looking to and have it appear valid and legitimate and originate from the healthcare.gov website."
The problem appears to be that the political necessity of having a smoothly working website has overshadowed the need to have a secure website. Indeed, there are even concerns that while the visible front-end appears to function, the less visible back-end does not. On the day before the DHHS announcement, the New York Times noted, "large parts of the vital 'back end' that processes enrollment data and transactions with insurers remain unbuilt." This prompted The Atlantic to ask, "Does a broken back end render the front-end fix useless to some consumers? The progress report's narrow focus on the front end leaves me pessimistic."
But for TrustedSec, the underlying problem goes deep into government procurement practices. The company believes that government could learn from private industry: "Microsoft, Twitter, and others are not impervious to flaws within software, but are much less susceptible and reduce the risk based on solid security practices. Security needs to be integrated into every aspect of development and infrastructure support on all levels of the government", suggests the company.
"The rules need to be tightened as we continue to see both federal and state websites defaced, compromised, and sensitive information stolen or posted online," it concludes. "It’s time for the federal and state government to step up and invest in the appropriate controls to protect sensitive information that conforms to industry best practices and most importantly, practices that work."