Obamacare Chaos: HealthCare.Gov Website Glitches Explained By Ben Simo [Interview]
The Obamacare website HealthCare.gov is notoriously slow, buggy, and has major security problems.
But why is this so and what caused the implementation of the Affordable Care Act to be delayed in such a noticeable fashion?
To answer that question, we’ve turned to Ben Simo, a web expert who has been helping create and test quality software for over 20 years. Ben has recently attracted attention due to his testing of Healthcare.gov, which he has been chronicling on his blog, Is There A Problem Here.
For example, Ben Simo points out that the Obamacare website sends some personal information to 3rd party analytics and advertising companies. He’s also found instances where personal information can be gleaned from the system. Ben claims this means HealthCare.gov poses a security risk for personal information and violates their own privacy policies:
“Not only does this violate Healthcare.gov’s stated privacy policy, it likely also violates the privacy policies of these 3rd parties. Even if the 3rd parties receiving the data can be trusted to not abuse the data, they may not protect it as personally identifiable information should be protected — especially if they are not expecting to receive personal information…. The FTC has previously fined MySpace, Facebook, and others for doing just this: sending private information to 3rd parties that they promised to not share.”
The focus of our interview is intended to be on the technical issues plaguing the Obamacare website. But politics is unavoidable. For example, 40 percent of doctors are said to have serious concerns about Obamacare, even though many may not be directly affected. We began with a political question to see where Ben Simo stood on the issues surrounding the Affordable Care Act.
It has been reported that Obamacare state exchanges need 2.7 million young Americans to sign up in order to break even. Do you think HealthCare.gov can be made to work in time, or is Obamacare in trouble right from the start? Do you support efforts to defund Obamacare, or do you think the ACA should be fully implemented and Obamacare allowed to fail or succeed on its own merit?
I’m staying out of the political side of this. I just want whatever exists to work and be secure.
That’s fair. In what context has your expert opinion been used in the past by Congress and other government officials?
The “skilled hacker” referenced by Secretary of Health and Human Services (HHS) Kathleen Sebelius during the House Oversight Committee hearings is me. I didn’t hack anything, but I did discover and report a security vulnerability that was fixed over the weekend.
I’m assuming you’re referencing reports where you claimed bad coding crashed the Obamacare website and that there is a password reset security glitch on HealthCare.gov.
Yes. There was (I don’t know if it still exists) an issue in which users could not log in to the system because the website created more cookie data than it could accept.
The issue that has gotten the most attention is a security problem. The system design made it possible to get the username, password reset code, security questions, and the email address for an account. This information could then be used to stage a phishing attempt or other social engineering to get users to reveal the information needed to gain unauthorized access to accounts. Much (if not all) of this process could be automated. When notified of this issue, HHS plugged the biggest part (revealing the password reset codes) the same day.
The security issues I’ve observed appear to be the result of sloppy work. They are the sorts of basic things that competent web developers will try to prevent, and that competent security testing will most likely discover. While this may suggest incompetence, it could also be a symptom of a fractured development team — one in which those building the web services that return personal info weren’t aware that their creations would be used externally. Whatever the cause, someone made conscious decisions to assemble the parts into a working system. Based on what I can see from the outside, it appears that security was not given sufficient prominence in design, implementation, and testing.
Do you think the website was rushed? If so, why didn’t the government let the pros do their job and debug it?
It appears so. CNN released an internal report from August that listed a lack of time for testing as the biggest risk to the project, a risk to which they assigned a probability status of “near certainty.”
How long did HHS test the Obamacare website? Previous reports have claimed two weeks. Why didn’t they test it for longer?
In testimony before the House Oversight Committee, both Secretary Sebelius and the contractors have stated that they only had two weeks for system testing – testing of the assembled parts as a whole.
Any idea why it was so last minute?
They weren’t ready? Bad project management? Last minute changes? Fractured development teams? Political pressure making schedule more important than quality?
I suspect some combination of all of the above. These aren’t uncommon issues in large software projects. We’ll hopefully learn more in the coming days.
And I hope that the people building the system are learning to put security at the forefront of their design and testing.
Thank you for your time.
You’re welcome.
What do you think about the Obamacare website HealthCare.gov now that you’ve heard from the expert Ben Simo?