Healthcare.gov – Typical Growing Pains or a Security Nightmare in the Making?

At the outset, the #Obamacare website was not only riddled with errors, but it also came with a huge price tag: $600 million.  Most of us in IT cringe due to the fact that we have had our own hopefully-less-public IT disasters.  Projects evolve.  New software, hardware, devices and network designs are introduced to users that have typically been tested, revised, regression tested until ready for release.  The more complex, the further new releases will be from perfection.

When Healthcare.gov went live the cacophony from the public combined with the bright lights of the media would make any IT development team want to curl up in the fetal position – and with good reason.  With $600 million, one can only scratch their head and ask why the development wasn’t outsourced to a US company with a track record of competence.  Why not IBM, HP or NYXT, the chief architects behind the single fault tolerant systems designed for the NYSE?  Why not hire the beleaguered NASA; they’re pretty incredible at getting the impossible done.  Why not tap the expertise of Google and Facebook; they live and breathe immense-scale data handling and user access. The Obama administration didn’t just throw up a faulty website, they emboldened so many that believe the government is incapable of doing big things.  And in doing so, they allowed their detractors to easily conflate a faulty website with a public healthcare policy.

Two years later, the silence is deafening.  The site, like most technologies with staying power and internal support, has evolved.  In October, the site got a face-lift and added new and seemingly useful features.  People don’t seem to be being knocked off mid-session.  Is the user experience perfect?  No.  In an interesting turn, the health insurance providers seem to be faltering under the load of new enrollments.  At the time of this writing, Blue Cross has a 100,000 user backlog it is trying to get on the rolls retroactive to January 1.

Perhaps more importantly, what has occurred on the security front?  At the outset, we saw a security breach on the Vermont Health Connect website in which one user accessed another user’s Social Security number and other personal information. The consumer reported that he received in the US mail a copy of his own application with the note: “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!”  Similarly in Minnesota, an MNsure employee accidentally disclosed the Social Security numbers belonging to about 1,600 insurance agents.

Users need to trust that their data is secure. The site is ripe with personal user information that hackers covet: social security numbers, income, birth dates, addresses and so on.  In 2014, the White House reported that the site was hacked and infected but that personal information didn’t “appear” to be taken.   With so much at stake, the spotlight will eventually shift to data security.  In an ideal hack, the target doesn’t know they’ve been compromised.  In the late ‘90s, the Pearl Software founders were invited to the White House to confer with then President Clinton on his initiative to protect children accessing the Internet. Over a decade later we received notice from US Customs (overseer of the US Secret Service and the agency responsible for clearing White House visitors) that the hard drive that contained our personal information had gone missing.  How one physically loses a hard drive is hard to fathom.  As it relates to Healcare.gov, unfortunately a serious loss of personally identifiable information is not a matter of “if” but of “when”.

Posted in Cyber Security.