Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Scramble to fix Healthcare.gov site heightens security risks

Jaikumar Vijayan | Oct. 30, 2013
Haste is the enemy of good security, analysts warn

However, shortly before Healthcare.gov went live, CMS announced that the Hub had successfully passed an independent security audit conducted by a third-party auditor.

Even so, many people, including groups like the Heritage Foundation, Citizens Council for Health Freedom and even a few lawmakers have expressed concerns about vulnerabilities that could enable identity theft and other kinds of fraud.

The rush to fix the problems will likely heighten those concerns, said Jason Polancich, co-founder of security firm HackSurfe. The CMS needs to put in a concerted effort to ensure that new vulnerabilities are not introduced with all of the fixes now being made, he said.

"In all the coverage (of the glitches) and [at] all the official press conferences, I have heard them talk about how they are going to fix the technical glitches," Polancich said. "But I have not heard anyone talk about what they are doing from a cyber defense standpoint or of identifying and fixing vulnerabilities. I have not heard them talk about how they are going to address persistent cyber threats."

The fact that a lot of disparate groups and people appear to be working on the fixes is also troubling, said Dwayne Melancon, chief technology officer at security vendor TripWire.

"Coordinating complex application and infrastructure changes is challenging under the best of circumstances and it's even worse during a mad scramble," Melancon said. "Haste is the enemy of good security. Security is complex and requires a lot of forethought and planning to be effective, so I'm concerned that trying to scramble and fix things quickly -- especially on a live system -- will introduce unintended security issues."

One of the ways the CMS can mitigate risks is to enlist independent experts to review the architecture, changes and implementation prior to letting the changes take effect. The agency should also avoid working directly on the live system and instead integrate and test all changes in a pre-production environment, Melancon said.

Having a security "Red Team" conduct penetration tests on the system is also a good way to identify potential risks, he said.

"Don't use a 'big bang' approach for implementing changes, as that can cause a 'big fail' outcome," Melancon warned.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.