Biggest Security Risks Yet To Come - InformationWeek



Push to fix by the end of November might create more problems, says security expert.

For the security and integrity of, the date that scares Mac McMillan is November 30. There is already evidence that in addition to failing to perform at the required scale, the federal health insurance portal is riddled with security problems -- and a rush job to "fix" the site will likely only make matters worse.

McMillan is CEO of CynergisTek, a healthcare-focused information security firm and chair of the Health Information Management Systems Society (HIMSS) Privacy and Security Policy Task Force. He warned about the dangers of a lack of testing back in September in the blog post, "Health Insurance Exchanges: Ready or Not, Here They Come," on He worried about developers rushing then, and it concerns him at least as much now. Once again, the site could be on a path to fail.

A month before the site went live on October 1, there were news reports that testing of the website hadn't begun because the developers were still rushing to get the software done and stable. Right away, that set off alarm bells.

"They were behind in testing, rushing to get it done, and somebody needed to say, 'It's more important to get it right,' " McMillan said. "The problem was it was all political -- it's still political, that's why it hasn't been taken down." The website really should have been taken offline for repairs once the extent of its problems was obvious, he said.


To him, the mystery is that after winning such an important, hard-fought legislative battle over "the biggest issue in politics for the last 30 years" with the Affordable Care Act, the Obama administration seems to have been so careless in failing to line up the right talent to bring the technical infrastructure for it online. The smarter thing to do would have been to bring in experts in building high-traffic, transactional websites rather than the usual government contractors, he said.

Illustration: Mike Licht (CC BY 2.0)

Even if the software development had been essentially complete in early September, one month would have been an awfully tight timeframe for such a complex system with multiple dependencies on other state and federal IT systems. McMillan's perspective comes from serving in a Department of Defense Designated Approving Authority role, where he oversaw the certification of defense IT systems as secure and correctly implemented. There, the process typically took a month to a month and a half, he said, "and that was just for a regular system," not a monster system like the insurance portal.

"That's where I said there's no way in hell they're going to get this all done -- they're rushing it, and they're going to put it up, come hell or high water," McMillan said. "The question is, how much risk have they introduced into the whole process?"

Since then, we've learned that internal warnings about security risks were ignored as project leaders pushed toward the October 1 launch. And of the many stories to have come out about the website's shortcomings, some have featured breaches of confidential information, like the one highlighted by The Foundry, a conservative blog from The Heritage Foundation, about a man who tried to register on the site and got back a confirmation message containing another individual's private information.

The Obama administration's response to the embarrassment of the under-performing website has been to promise that it will be fixed by the end of November. That's yet another deadline set by politics, rather than careful planning, and will result in developers churning out more code that ought to be properly tested -- but probably won't be, McMillan said.

"I hope that somebody who knows what they're doing is now part of that process," he said. "You need someone who will be responsible at the end of this month to say if it's not ready, it's not ready -- and do the right thing."

Despite all his concerns, McMillan said he believes with the right leadership and the right team in place, the website could be fixed within the allotted time. "It's doable that it could be fixed and correct," he said. "Whether it could be thoroughly tested in such a short period of time -- I don't know about that."

Also, one of his underlying concerns is with the sprawling nature of the program, which goes beyond to include websites set up by the states, which integrate with a federal data hub for access to eligibility information. The decentralized nature of the program introduces that many more places for cybersecurity breaches to occur, he said. Moreover, it gives more people in more places access to sensitive information, and some of those people will inevitably turn out to be untrustworthy.

"That's where the real issues are going to be down the road," McMillan said. "At the end of the day, it's a question of what are the American people willing to put up with. It appears we're willing to put up with a hell of a lot."

Follow David F. Carr on Twitter @davidfcarr or Google+. He is the author of Social Collaboration For Dummies (October 2013).

Though the online exchange of medical records is central to the government's Meaningful Use program, the effort to make such transactions routine has just begun. Also in the Barriers to Health Information Exchange issue of InformationWeek Healthcare: why cloud startups favor Direct Protocol as a simpler alternative to centralized HIEs. (Free registration required.)

David F. Carr, User Rank: Author
11/19/2013 | 9:59:38 AM
Re: Unacceptable
I'm not making a political statement. Personally, I want to see Obamacare work. I'm just disappointed in the lack of follow-through from winning a policy victory to taking the practical details of implementation seriously and putting them in the hands of competent people.
Alex Kane Rudansky, User Rank: Author
11/18/2013 | 10:01:57 AM
The wrong approach
Those in charge of took a backwards approach, introducing a flawed product on schedule. It's better to delay a launch and get it right than launch a disaster of a site on time. I'm eager to see how the Nov. 30 deadline will shake out.
Tom Murphy, User Rank: Author
11/15/2013 | 5:35:04 PM
Lock the Door
Great column, David. Thanks. Security is certainly my no. 1 concern when it comes to storing the most-personal facts about hundreds of millions of Americans online. In the black market, personal health records fetch the highest price -- more than $10 a person. I've always wondered who would want to buy it -- other than big pharma and insurance companies that stand to gain billions from such info.