November 6, 2013

Health website’s security prompts worries

A software fix had to be made this week when a North Carolina man tried to log in but got a South Carolina man’s personal information.

By Ricardo Alonso-zaldivar
The Associated Press

WASHINGTON — Obama administration officials are facing mounting questions about whether they cut corners on security testing while rushing to meet a self-imposed deadline to launch online health insurance markets.

click image to enlarge

The Associated Press Medicare chief Marilyn Tavenner testifies on Capitol Hill in Washington on Tuesday before the Senate Health, Education, Labor, and Pensions Committee hearing. The Obama administration is getting questions about whether it cut corners on security testing while rushing to meet a deadline to launch the website.

Related headlines

Documents show that the part of that consumers interact with directly received only a temporary six-month security certification because it had not been fully tested before Oct. 1, when the website went live. It’s also the part of the system that stores personal information.

The administration insists the trouble-prone website is secure, but technicians had to scramble to make a software fix earlier this week after learning that a North Carolina man tried to log on and got a South Carolina man’s personal information. A serious security breach would be an unwelcome game-changer for an administration striving to turn the corner on technical problems that have inconvenienced millions of consumers and embarrassed the White House.

Two computer security experts interviewed by The Associated Press said that clearly the better option would have been to complete testing.

“The best scenario is to have done end-to-end testing,” said Lisa Gallagher, vice president of technology solutions for the Healthcare Information and Management Systems Society, a medical technology nonprofit. That it wasn’t done “would cause me some mild concern,” she continued, adding she would advise a relative or close friend to wait until the website is stabilized before plunging in.

Asked former White House chief information officer Theresa Payton, “If you haven’t done end-to-end testing, how can we say with certainty how hard or easy it is for cybercriminals to attack at different points in the process?”

“It makes me shudder a little,” said Payton, a former bank security executive who now has her own company.

Payton served in the George W. Bush administration and has been consulted by congressional Republicans but says she has no partisan agenda on the health care law. “We need to help because we have to make this right,” she said.

The website was supposed to provide easy access to a menu of government-subsidized coverage options under President Barack Obama’s health care law. Administration officials say they remain confident it is secure.

“When consumers fill out the online application, they can trust that the information they’ve provided is protected by stringent security standards and that the technology underlying the application process has been tested and is secure,” Medicare administrator Marilyn Tavenner assured the Senate’s Health Committee on Tuesday.

But a short while later, Tavenner acknowledged the Carolinas security breach. “We actually were made aware of that” Monday, she said in response to a question from Sen. Johnny Isakson, R-Ga. “We implemented a software fix.”

It was not immediately clear how the North Carolina man was able to view the personal information of the man in South Carolina. However, a vulnerability that has afflicted websites for years is known as “horizontal privilege escalation,” in which a legitimate user of a website slightly alters the string of random-looking characters in the website’s address or inside downloaded data files known as “cookies,” causing the system to display information about the accounts of other users. It can be protected against by a well-designed website.

The administration has declined to explain what happened and how the problem was fixed. A Health and Human Services department official, speaking on condition of anonymity to discuss operations, said they have no evidence such a scenario was involved.

Tavenner, a respected former hospital executive, has emerged as a key cybersecurity decision-maker for the health care law. Her agency, the Centers for Medicare and Medicaid Services, is charged with carrying out the Affordable Care Act.

According to federal law and policy, all government computer systems must have a security certification before going live.

(Continued on page 2)

Were you interviewed for this story? If so, please fill out our accuracy form

Send question/comment to the editors

Further Discussion

Here at we value our readers and are committed to growing our community by encouraging you to add to the discussion. To ensure conscientious dialogue we have implemented a strict no-bullying policy. To participate, you must follow our Terms of Use.

Questions about the article? Add them below and we’ll try to answer them or do a follow-up post as soon as we can. Technical problems? Email them to us with an exact description of the problem. Make sure to include:
  • Type of computer or mobile device your are using
  • Exact operating system and browser you are viewing the site on (TIP: You can easily determine your operating system here.)