Update: Dear Healthcare.gov, Please put Privileged Identity controls on that “surge of techies” before there is a serious information breach
October 31, 2013 | Uncategorized | John Worrall
By John Worrall
Update: As soon as I clicked “post” on this blog, I knew more information surrounding the failures of Healthcare.gov would arise, but I’m not updating this post just to say “I told you so,” really.
According to CNN, “the administration received stark warnings a month before the launch that the Obamacare site was not ready to go live, according to a confidential report. The caution, from the main contractor CGI Federal, warned of risks and issues for HealthCare.gov, even as company executives were testifying publicly the project was on track.”
The administration admitted that it did not complete adequate end-to-end testing. This means that the system that was stitched together wasn’t tested properly. This is less than comforting when you consider the extremely sensitive data that is being entered into the system.
We’ve said it once and we’ll say it again: as the pressure continues to bear down on the administration to fix these issues, protecting privileged access must be top of mind when allowing the “surge of techies” to access and fix the site. Key steps in this process have clearly been overlooked, and for the sake of our citizens’ data this can’t happen again.
See more of my thoughts in this video featuring a diagram of Healthcare.gov from NPR:
I have no issue staying away from the heated debate about the new healthcare program, but I do feel compelled to chime in on the “surge of techies” the President is bringing in to fix the online enrollment site. Because frankly, from a security perspective, it feels like the perfect storm.
That being said, I have one request for the government: as you move at warp speed to fix Healthcare.gov, please don’t sacrifice the security of consumers’ personal information in the process.
There is plenty of precedent for security to be sacrificed in the name of expediency – and there is also plenty of precedent for contract IT staff to abuse their privileged access.
Remember Edward Snowden? He was a contract systems administrator with broad privileges to roam about the NSA unfettered and access confidential government information.
The reality is, application developers, systems administrators, and other types of “techies” being hired will require significant access to consumer data and system resources as they build, fix and test the website. Without the proper controls and monitoring of these privileged users’ access and activities, consumers’ confidential information will be at risk.
So please, on behalf of those consumers, put the proper tools in place that limit the information the contractors, and even employees, have access to, including privileged account controls, to prevent another costly government breach.
Fix the site. Do it quickly. But please do it with the proper, common sense safeguards on consumers’ information.