News

In Exclusive Interview, Cybersecurity Expert Explains How HealthCare.Gov Got Hacked

by John Haltiwanger

Sep. 5, 2014

On September 5, federal officials revealed that the Obamacare website, HealthCare.Gov, had been breached by a hacker in July. No personal data were taken or viewed, but this certainly isn't the kind of press that the Obama administration wants to generate surrounding its flagship program. The server that was breached is used to test software for the site, meaning it doesn't contain people's personal information.

This is the first time that the site has been successfully hacked. In actuality, these types of hacks are not very uncommon, but given the troubled history of the Obamacare website, this incident has raised concerns.

HealthCare.Gov has been plagued with issues since day one, making this yet another embarrassment for a website that the public already views with skepticism. Not to mention, critics of Obamacare now have some fresh material.

The breach was not discovered until late August, when a security team for the Department of Health and Human Services (HHS) noticed an anomaly in department security logs.

This is what HHS had to say on the matter:

Today, we briefed key congressional staff about an intrusion on a test server that supports HealthCare.gov. Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security.

Mike Ricotta is the Head of Development at the NYC based Blue Fountain Media digital marketing agency. He specializes in identifying exploits and security holes on every website he helps design. In an exclusive interview, Ricotta explained what made this breach possible, and why it will likely happen again.

According to Ricotta, this was a "rookie mistake," and something that could have been easily prevented had the website administrators paid closer attention to the specific server that got hacked. Likewise, the lack of attention is a large part of the reason that the hack wasn't discovered until a month after it occurred. As Ricotta puts it:

Pretty much what happened was this server didn't have intrusion detection and a firewall on it because it was not intended to be publicly accessible... That doesn't necessarily excuse this breach. This absolutely could have been prevented, the server should never have been connected to a public network to begin with. ...It's basically as if someone for the first time ever decided that they wanted to learn how to install a server. That's the level of complacency and lack of attention to security... Obviously they did not anticipate that to happen... ...It could have very easily been prevented by keeping that server on a private network. That was a massive mistake on their behalf.

Intrusion detection would have ensured that the breach was found earlier, but because it wasn't in place it took the security team a month to notice what had happened. In Ricotta's opinion, this should have been noticed much earlier.

Ricotta feels that the impact of this hack will ultimately be more political than technical. "It reflects very poorly upon Obama and his administration."

Simply put, this looks bad for the Obama administration, and they will be rushing to assure the public that the website works and is safe. There are security measures available that can prevent this sort of thing, thus this incident isn't exactly anything new in terms of cybersecurity.

Likewise, it doesn't take very long to investigate an issue like this once it is discovered. Thus, Ricotta speculates that officials waited a week to speak publicly on it because they wanted to figure out the best way to spin it.

One somewhat disconcerting point that Ricotta made is that federal officials are not legally bound to reveal whether or not personal information is taken during these kinds of breaches. That doesn't mean that personal information was leaked in this specific instance, but that it is a possibility and we may never hear about it.

In Ricotta's view, this website has been poorly executed since the beginning. Starting over completely would have tremendous political implications, and would greatly damage people's already shaky confidence in Obamacare. Accordingly, website administrators have essentially sought out temporary fixes instead of addressing the roots of the problem with the website. As Ricotta puts it, they've basically put Band-Aids over permanent wounds. Simply put, the people running HealthCare.Gov have done an absolutely atrocious job.

Furthermore, Ricotta feels that more security breaches are a very real possibility in the future for HealthCare.Gov. Hopefully, the Obama administration will take the proper measures to ensure that hacking is detected early and prevented as often as possible. This is yet another example of the increasing importance of cybersecurity in a world dictated by technology.

Photo Courtesy: Getty Images