Scramble to fix site heightens security risks

Haste is the enemy of good security, analysts warn

The ongoing scramble to fix glitches affecting the troubled website could heighten security risks and introduce fresh vulnerabilities into an already fragile system.

The Obama Administration has committed to addressing problems with by Nov. 30 in response to the outpouring of criticism over the $300 million site's error-riddled performance since it went live Oct. 1.

Last Friday, the U.S. Centers for Medicare and Medicaid Services (CMS) -- the agency is responsible for -- appointed Quality Software Services Inc. (QSSI) as the general contractor in charge of making the needed fixes.

Over the next few weeks, QSSI and the several other contractors responsible for building the site are expected to modify or add thousands of lines of code to the system to address the ongoing problems.

The compressed time frame for the changes to be made elevates security risks, said Richard Stiennon, principal at security consulting firm IT-Harvest.

"A secure software development effort takes time," Stiennon said, "I am very concerned that a rush job on the site will introduce new security vulnerabilities."

Adding to the concern is the likelihood the site will be a juicy target for malicious attackers because of all the attention it has drawn this month, he said.

The site is designed to let individuals shop for, compare and enroll in health insurance plans. The site itself stores little sensitive data and instead serves largely to route information between the user, health insurers and databases at the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs and other federal agencies.

At its core is a data hub, a routing tool operated by the CMS that lets state and federal healthcare marketplaces quickly verify the eligibility of those seeking insurance. The hub itself does not store data and merely connects healthcare insurance exchanges with the numerous federal databases.

The hub and the entire site were the focus of security concerns even before the current problems.

One of the biggest issues has been the speed with which was developed. Many have argued that the Oct. 1 deadline for the site gave developers little time to fully test it for functionality and security risks. In testimony before Congress last week, an executive from CGI Federal, the prime contractor behind the project, maintained that the site could have benefited from several months more testing before it went live.

In August, the Inspector General of the U.S. Department of Health and Human Services had expressed concerns that security testing of the data hub was months behind schedule.

"CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested and implemented by the expected initial open enrollment date of October 1, 2013," the report noted. Any additional delays in security testing would leave the agency's CIO with inadequate information about the scope of vulnerabilities in the hub, the report said.

However, shortly before went live, CMS announced that the Hub had successfully passed an independent security audit conducted by a third-party auditor.

Even so, many people, including groups like the Heritage Foundation, Citizens Council for Health Freedom and even a few lawmakers have expressed concerns about vulnerabilities that could enable identity theft and other kinds of fraud.

The rush to fix the problems will likely heighten those concerns, said Jason Polancich, co-founder of security firm HackSurfe. The CMS needs to put in a concerted effort to ensure that new vulnerabilities are not introduced with all of the fixes now being made, he said.

"In all the coverage (of the glitches) and [at] all the official press conferences, I have heard them talk about how they are going to fix the technical glitches," Polancich said. "But I have not heard anyone talk about what they are doing from a cyber defense standpoint or of identifying and fixing vulnerabilities. I have not heard them talk about how they are going to address persistent cyber threats."

The fact that a lot of disparate groups and people appear to be working on the fixes is also troubling, said Dwayne Melancon, chief technology officer at security vendor TripWire.

"Coordinating complex application and infrastructure changes is challenging under the best of circumstances and it's even worse during a mad scramble," Melancon said. "Haste is the enemy of good security. Security is complex and requires a lot of forethought and planning to be effective, so I'm concerned that trying to scramble and fix things quickly -- especially on a live system -- will introduce unintended security issues."

One of the ways the CMS can mitigate risks is to enlist independent experts to review the architecture, changes and implementation prior to letting the changes take effect. The agency should also avoid working directly on the live system and instead integrate and test all changes in a pre-production environment, Melancon said.

Having a security "Red Team" conduct penetration tests on the system is also a good way to identify potential risks, he said.

"Don't use a 'big bang' approach for implementing changes, as that can cause a 'big fail' outcome," Melancon warned.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about government it in Computerworld's Government IT Topic Center.

Copyright © 2013 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon