
Scramble to fix site heightens security risks

Jaikumar Vijayan | Oct. 30, 2013
Haste is the enemy of good security, analysts warn

The ongoing scramble to fix glitches affecting the troubled website could heighten security risks and introduce fresh vulnerabilities into an already fragile system.

The Obama Administration has committed to addressing the site's problems by Nov. 30 in response to the outpouring of criticism over the $300 million site's error-riddled performance since it went live Oct. 1.

Last Friday, the U.S. Centers for Medicare and Medicaid Services (CMS), the agency responsible for the site, appointed Quality Software Services Inc. (QSSI) as the general contractor in charge of making the needed fixes.

Over the next few weeks, QSSI and the several other contractors responsible for building the site are expected to modify or add thousands of lines of code to the system to address the ongoing problems.

The compressed time frame for the changes to be made elevates security risks, said Richard Stiennon, principal at security consulting firm IT-Harvest.

"A secure software development effort takes time," Stiennon said. "I am very concerned that a rush job on the site will introduce new security vulnerabilities."

Adding to the concern is the likelihood the site will be a juicy target for malicious attackers because of all the attention it has drawn this month, he said.

The site is designed to let individuals shop for, compare and enroll in health insurance plans. The site itself stores little sensitive data and instead serves largely to route information between the user, health insurers and databases at the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs and other federal agencies.

At its core is a data hub, a routing tool operated by the CMS that lets state and federal healthcare marketplaces quickly verify the eligibility of those seeking insurance. The hub itself does not store data and merely connects healthcare insurance exchanges with the numerous federal databases.

The hub and the entire site were the focus of security concerns even before the current problems.

One of the biggest issues has been the speed with which the site was developed. Many have argued that the Oct. 1 deadline gave developers little time to fully test it for functionality and security risks. In testimony before Congress last week, an executive from CGI Federal, the prime contractor behind the project, maintained that the site could have benefited from several more months of testing before it went live.

In August, the Inspector General of the U.S. Department of Health and Human Services had expressed concerns that security testing of the data hub was months behind schedule.

"CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested and implemented by the expected initial open enrollment date of October 1, 2013," the report noted. Any additional delays in security testing would leave the agency's CIO with inadequate information about the scope of vulnerabilities in the hub, the report said.
