Healthcare.gov Security Flaws Could Make Social Security Numbers Publicly Available
Even if it were functioning properly, the Federal Health Care Exchange website would still have problems.
In addition to just plain not working for many people, it’s becoming apparent that the structure of the Federal Health Care Marketplace website is also suffering from some serious security vulnerabilities. For example, web security experts are saying the site is vulnerable to a cyber attack that could leave the personal information of everyone who has applied on the site open to the public:
With Healthcare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.
According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called “clickjacking,” where invisible links are planted on a legitimate web page. Using this scheme, hackers could trick users into giving up personal data as they enter it into the web site, potentially placing Americans at risk of identity theft or allowing fraudsters to file bogus health care claims.
(…)
Kyle Wilhoit, a threat researcher at Trend Micro, a Japanese security software company, studied the Healthcare.gov portal with his security team and found a “moderate risk” for hacking due to an easy-to-fix coding problem that leaves the site vulnerable to clickjacking. Nidhi Shah, who works on research and development for Hewlett-Packard’s Web Security Research Group, found the same problem. This wouldn’t be the first time a federal site experienced coding problems: Earlier this year, SAM.gov, a government contracting award management site, automatically revealed companies’ private data, without a hacker lifting a finger, because of bad coding.
“Common clickjacking would be a popular method to attempt to exploit [the site],” says Wilhoit. “Hackers could use this information in the creation of fake identities, fake credit cards, and fake accounts very easily.” He adds that it’s relatively easy to fix, although the fixed code would need to be rolled out on multiple Healthcare.gov pages and potentially state websites as well.
Asked about clickjacking concerns, the Department of Health and Human Services (HHS) referred Mother Jones to this security statement, which says that Americans don’t need to worry: “If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents.”
And it turns out that this security flaw isn’t just limited to the Federal website:
Some state Obamacare sites could be significantly more vulnerable than the federal portal. The Healthcare.gov site uses a common form of encryption called Secure Sockets Layer (SSL), which prevents information from being intercepted by a hacker after you click “send” (SSL doesn’t defend against most clickjacking). But the 15 states currently running their own independent Obamacare websites do not have explicit instructions from the HHS to use SSL. According to HHS, these states and the District of Columbia, which also has its own Obamacare site, are independently responsible for ensuring that they “develop standards to protect the privacy and security of consumers’ personal information.”
“These state sites…represent more viable targets for direct attack” than the federal data hub, Budd argues. And hackers have been known to target state healthcare programs—last year, over 280,000 Social Security numbers were stolen from Utah’s Medicaid server.
Hawaii, for example, does not automatically use SSL across its entire website, potentially leaving user information vulnerable to hackers—particularly if a visitor to the site is using an open wireless network, such as one at a coffee shop. The same is true with the online health exchanges created by Minnesota and Colorado. Budd notes that attacking state sites “rather than the more fortress-like data warehouse [like the data hub] can be easier to pull off with a greater chance of success.”
This news comes on the same day that Congress held its first hearings regarding the problems with the Federal website, taking testimony from representatives of the main contractors who helped build the site:
WASHINGTON — Federal officials did not fully test the online health insurance marketplace until two weeks before it opened to the public on Oct. 1, contractors told Congress on Thursday.
While individual components of the system were tested earlier, they said, the government did not conduct “end-to-end testing” of the whole system from start to finish until late September.
The disclosure came at a hearing of the House Energy and Commerce Committee, which is investigating problems plaguing the federal marketplace, or exchange, a central pillar of Mr. Obama’s health care overhaul.
Cheryl R. Campbell, a senior vice president of CGI Federal, a unit of the CGI Group, the main contractor on the federal exchange, said that end-to-end testing of the full integrated system first occurred “in the last two weeks of September.”
Another witness, Andrew M. Slavitt of UnitedHealth Group, said, “We didn’t see end-to-end testing until a couple days leading up to the launch” of the federal marketplace on Oct. 1.
UnitedHealth, one of the nation’s largest insurers, owns Quality Software Services, which was in charge of “identity management,” including the use of password-protected accounts, in the federal marketplace.
Ms. Campbell and Mr. Slavitt said they would have preferred to have months of testing, as required by industry standards for a project of such immense complexity. The federal exchange must communicate with other contractors and with databases of numerous federal agencies and more than 170 insurance carriers.
The rollout of the Affordable Care Act has been tarnished by technical problems that have made it difficult for consumers to shop in the federal marketplace serving 36 states.
Ms. Campbell said that CGI continually reported to top officials at the federal Centers for Medicare and Medicaid Services, including Michelle Snyder, the chief operating officer of the agency, and Henry Chao, the deputy chief information officer. Those officials made critical decisions about the federal exchange, Ms. Campbell said.
In response to questions, Ms. Campbell said, “We were not responsible for end-to-end testing” of the whole system. The Medicare agency, known as C.M.S., was responsible, she said.
Mr. Slavitt said that his company had tested computer code for the federal marketplace and had found problems. “We informed C.M.S. that more testing was necessary,” he testified.
Lawmakers from both parties expressed anger during the hearing at the performance of contractors hired to build the online health insurance marketplace, which is still limping along after three weeks.
Lawmakers said they were dismayed because the contractors assured the committee on Sept. 10 that they, their computer systems and the online federal marketplace were ready to enroll millions of Americans eager to buy insurance, subsidized by the government.
“Why did they assure us that the Web site would work?” asked Representative Fred Upton, Republican of Michigan and chairman of the committee. “Did they not know? Or did they not disclose?”
“This is more than a Web site problem,” Mr. Upton said. “The Web site should have been the easy part. I’m also concerned about what happens next. Will enrollment glitches become provider payment glitches? Will patients show up at their doctor’s office or hospital only to be told that they aren’t covered, or even in the system?”
The hearing room was packed with spectators eager to witness the confrontation between lawmakers and business executives whose companies have received tens of millions of dollars to build the federal marketplace, or exchange.
Politics pervaded the session. Republicans said that technical problems crippling the federal Web site epitomized fundamental flaws in the 2010 health care law, Mr. Obama’s most significant legislative achievement.
Democrats said that the law was fundamentally sound, but that the Web site needed to be fixed immediately so people could get the insurance promised to them.
Representative Diana DeGette, Democrat of Colorado, said: “Three weeks after the Web site went live, we are still hearing reports of significant problems. These problems need to be fixed, and they need to be fixed fast.”
Representative John D. Dingell, Democrat of Michigan, lamented the sorry state of the Web site and said: “This is unacceptable. It needs to be fixed.”
But Representative Frank Pallone Jr., Democrat of New Jersey, said the hearing was part of “a cynical Republican effort to delay, defund or repeal the Affordable Care Act.”
Representative Tim Murphy, Republican of Pennsylvania, said the contractors “were shockingly unaware of what was happening or deliberately misleading our committee and the public” when they testified last month that their components of the exchange would be ready on time.
Ms. Campbell said all of CGI’s work had been done “under the direction and supervision” of C.M.S.
“We acknowledge that issues arising in the federal exchange have made the process for selecting and enrolling in qualified insurance plans difficult to navigate for too many individuals,” Ms. Campbell said. “Unfortunately, in systems this complex with so many concurrent users, it is not unusual to discover problems that need to be addressed once the software goes into a live production environment.”
She blamed Quality Software Services for problems that consumers have had creating password-protected accounts. These problems “created a bottleneck that prevented the vast majority of users” from gaining access to the federal exchange, Ms. Campbell said.
The exchange, she said, is “not a standard consumer Web site,” but “a complex transaction processor” that must simultaneously help millions of Americans shop for insurance and enroll in health plans. It must communicate instantaneously with computer systems developed by other contractors and with databases of numerous federal agencies and more than 170 insurance carriers qualified to do business in the 36 states where the federal marketplace operates, she said.
Mr. Slavitt said its identity verification tool was just one part of “the federal marketplace’s registration and access management system, which involves multiple vendors and pieces of technology.”
These were overwhelmed by people trying to use the site, Mr. Slavitt said. One reason for the logjam, he suggested, is that the administration made “a late decision requiring consumers to register for an account before they could browse for insurance products.”
John Lau, a program director for Serco, another contractor, said his company was seeing an increase in paper applications. Serco is supposed to enter data from those applications in the government’s computerized eligibility system, but problems in that system have created challenges for Serco, as they have for consumers, Mr. Lau said.
The same contractors, testifying before the same committee on Sept. 10, assured lawmakers that they were ready to handle a surge of users when the federal exchange opened on Oct. 1.
So, basically what happened is that none of the contractors were willing to take responsibility for what’s gone wrong with the site, or for any of its problems. Indeed, for the most part they seemed to push much of the responsibility for what has been happening off onto the Centers for Medicare and Medicaid Services (CMS), the Federal Agency inside the Department of Health and Human Services primarily responsible for the Federal Government’s end of the operation. They blame CMS, for example, for the fact that the architecture of the site needed to be changed less than a month before the site went live so that users would be required to set up accounts, including providing a vast amount of private information right down to Social Security Numbers, before being able to price shop for insurance in their states. It also appears that CMS was largely responsible for the fact that the final system could not be tested until some time in mid-September, which seems to be cutting it pretty short for a website that was supposed to debut on October 1st. As I said yesterday, given that this is a system that everyone knew was going to come into existence more than three years ago, the fact that it took so long for the project to get to the point where actual testing was possible seems like a clear failure of project management, both by the government contractors themselves and by the Federal Agency responsible for overseeing the project.
It’s worth noting, of course, that it’s in the interests of the contractors to point fingers elsewhere. In all likelihood, the work that will need to be done to fix what has gone wrong with the Federal website is going to lead to claims of backcharges against their contracts and, potentially, lawsuits over who was ultimately responsible for what went wrong. There will likely be tens of millions of dollars at stake at the very least, not to mention potential damage to their future ability to secure federal contracts. Nonetheless, as noted above, there were several aspects of today’s testimony that are noteworthy, most especially what seems to be incredibly lax project management by the relevant Federal Agency. This should make next week’s testimony by HHS Secretary Sebelius and other HHS officials quite interesting indeed.
If I understand this correctly, they are saying hackers need write privileges for these legitimate pages, in order to place their fake links.
That’s like saying a hacker could get admin privileges on OTB, and then do bad things.
Presumably a big part of OTB (or Obamacare) security is not to hand out admin privileges.
[IOW, if I understand correctly, a very theoretical risk.]
So computers are vulnerable to hackers. Tell me something we don’t already know. And how this is different from any other private company database or computer on the planet I just can’t say.
God, a listing of all the consumer information out there that has been breached would fill volumes.
@john personna: Actually, there are a lot of ways to get new code onto the web page — any of a number of man-in-the-middle attacks would do it.
This is pretty amateurish, and disgraceful. Our government should be competent, and this is quite clearly not. I wish we could get an actual investigation of what went wrong, and what lessons to apply to future government work, but I suspect that the Republicans will be too busy trying to score points to seek this out, and the Democrats will circle their wagons under the idiotic, irrelevant attacks and no one will look for the real problems.
Benghazi, all over again.
@Gustopher:
You can’t just say “man in the middle” and then leave it at that. I mean, did you just say that any website that knows your SSN is equally vulnerable?
And wouldn’t secure ownership of the page, plus SSH connection, prevent insertion of page content?
If true…then it’s definitely a bug that needs to be fixed. No question. Get someone on it.
What else you got?
What a wimpy claim that was! Healthcare.gov uses SSL, and the others if they have any brains surely do, but since they had no “explicit instructions” assume they are idiots?
So a little off topic…but it turns out that Cruz has a $20,000 health insurance policy.
A couple of economists are now saying that amounts to an $8000 or so subsidy from the Government.
Seriously….the guy most responsible for shutting down the Government over Obamacare is getting $8K in Government Health Care Subsidies.
F’ing socialist.
@Gustopher:
I don’t know why this is getting up-votes, because I’m not seeing it.
I’ll admit to being only half-way good at security, with a web site developer’s knowledge, and not a security consultant’s or sys admin’s … but I’m not seeing it.
You can’t just throw around words and say that a site is vulnerable. Or if you do, you’ve only made a general claim that any site is vulnerable.
If I’m wrong, educate me with some tech detail here.
I just got a letter from one of America’s leading companies telling me that they had been hacked, and some of my data had probably been compromised. They are paying for me to have credit/identity monitoring for the next three years. Must be serious.
How come the tea party is not coming to rescue me from this danger?
while (website != PPACA) printf("You're still doing it wrong\n");
@ ANJIN-SAN….
because the invisible hand can do no wrong…big scary gubmint…not so much
Not sure if this is parody:
Today I just renewed my identity protection service for another year – paid for by the state of South Carolina since all their tax returns were hacked two years ago. The state has had to pay 8 million dollars a year for this yet you don’t hear any Republicans here calling for investigations. I guess it’s okay when it happens under a Republican administration.
pssssst …. Beth….
Don’t know if you have heard, but Obama is….. black.
@beth:
Well that depends, was the SC website designed to be open to violations of privacy in violation of the law or was a new vulnerability exploited?
As the link above highlights from the Time article, the Obamacare website transmits personal information in the clear.
Not for Jenos and JKB. Think “frightened little rabbit”…
The website does seem to be a problem that needs fixing, pronto.
And I’m sure it will be. Remember…it’s a Republican program. We had to fix Iraq too.
But the FTC says 9M identities are stolen every year.
I doubt JKB has ever shown tremendous concern over this.
What a maroon.
Sorry, not frightened. Just amused. The task was a bridge too far for the non-DoD side of government and doubly so when theoretically overseen by Progressives. Thankfully, we’ve learned that yet again, Obama was not involved in any aspect of this enterprise other than as figurehead and spokesbot. He’s certainly no George Bush, that guy is responsible for everything. That’s what happens when you’re the Decider, instead of the Sergeant Schultz of American presidents.
this is nothing compared to the grand scheme of ineptness. any site can get hacked, and this half baked piece of junk is no exception.
@john personna: not sure of the exact vulnerabilities healthcare.gov has, but generally clickjacking will rely upon someone creating a frame around the site, or even proxying the entire site, and then tricking people to go to the URL for the frame or proxy — which then communicates with the original site via https and modifies what it needs, either before passing it down or via manipulating the DOM on the client side via JavaScript.
There are fairly well established techniques to make this harder, and a high-value site (banks, healthcare.gov, etc) needs to actually jump through those hoops. The article strongly suggests that the contractors that we hired have not done so. If true, this is a problem, and it suggests that there are likely other problems (if they cannot get the easy stuff right…)
This is why you get lots of spam telling you to log into paypal, or some bank, etc and you hopefully discover that accounts.evillbank.com has an extra l or something. Healthcare.gov is just as high-value a target, and will face similar threats.
But, I’ll add the caveat that my own knowledge of web security is a bit lacking — I’m not a security engineer, I just know enough to hunt down the security engineers at work, learn the currently recommended best practices, and use them trusting the security engineers to get the details right.
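The article’s “easy-to-fix coding problem” and the framing technique Gustopher describes above both come down to one question a defender can check per response: does the page tell browsers it may not be embedded in another site’s frame, and does it insist on HTTPS for every request (the state-site SSL point from the Mother Jones excerpt)? The following is an added example, not code from the article, from healthcare.gov, or from any commenter. It inspects a set of constructed HTTP response header sets (none captured from a real site) and reports whether each one would let an attacker-controlled page frame it, honouring the rule that a `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`, and whether `Strict-Transport-Security` pins the host to HTTPS. The sample header sets and the function names are assumptions made for this example.

```javascript
// Added example (not from the article or healthcare.gov): assess a response's
// headers for the two defences discussed in the thread, anti-framing
// (clickjacking) and site-wide HTTPS via HSTS. All header sets are constructed.

const SAMPLE_RESPONSES = {
  // constructed: no protection at all
  unprotected: {
    'Content-Type': 'text/html',
  },
  // constructed: legacy header only
  legacyOnly: {
    'Content-Type': 'text/html',
    'X-Frame-Options': 'SAMEORIGIN',
  },
  // constructed: modern policy plus HSTS covering subdomains
  hardened: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  },
  // constructed: CSP present but frame-ancestors left wide open, HSTS disabled
  misconfigured: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors *",
    'Strict-Transport-Security': 'max-age=0',
  },
};

// Header names are case-insensitive; normalise once so lookups are simple.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns the frame-ancestors source list, or null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Browsers honour CSP frame-ancestors over X-Frame-Options when both are present.
function assessFraming(headers) {
  const h = lowerKeys(headers);
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    // An empty source list and 'none' both block every embedding.
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { framable: false, via: 'csp', detail: "frame-ancestors 'none'" };
    }
    if (ancestors.includes('*')) {
      return { framable: true, via: 'csp', detail: 'frame-ancestors permits any origin' };
    }
    return { framable: false, via: 'csp', detail: `frame-ancestors limited to ${ancestors.join(' ')}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, via: 'x-frame-options', detail: xfo };
  }
  if (xfo) {
    // ALLOW-FROM and misspellings are ignored by current browsers, so no protection.
    return { framable: true, via: 'x-frame-options', detail: `unsupported value "${xfo}"` };
  }
  return { framable: true, via: 'none', detail: 'no anti-framing header' };
}

// HSTS makes the browser use HTTPS for every later request to the host, which
// removes the plain-HTTP exposure on open wireless networks the article mentions.
function assessHsts(headers) {
  const h = lowerKeys(headers);
  const raw = h['strict-transport-security'];
  if (!raw) return { enforced: false, maxAge: 0, includeSubDomains: false };
  const m = /max-age\s*=\s*(\d+)/i.exec(raw);
  const maxAge = m ? parseInt(m[1], 10) : 0;
  return {
    enforced: maxAge > 0,
    maxAge,
    includeSubDomains: /includeSubDomains/i.test(raw),
  };
}

function report(name, headers) {
  const f = assessFraming(headers);
  const s = assessHsts(headers);
  return `${name}: framable=${f.framable} (${f.via}: ${f.detail}); hsts=${s.enforced}`;
}

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(report(name, headers));
}
```

Run it with `node` to see one line per sample; in practice you would feed it the headers of each page that carries a form, since the article notes the fix has to be applied page by page. Two caveats match the thread: HSTS says nothing about framing, and neither header helps against the look-alike-domain phishing in the `evillbank` example, which has to be addressed separately.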
@Gustopher:
OK fine, but I think that might be more hacking the users than hacking the site. (We should all understand how our browsers or local security software give a green light that we have a secure link to the real site.)
I did read the informationweek article above, and it does have some hints but is still kind of could/might.
For instance:
So, they didn’t actually find a flaw in the authenticated site.
And here:
Basically an indictment of every HTML5 site.
It could be that there are some tweaks to be made, but I’m not really seeing anything found actually _in_ the Obamacare secure web pages.
I think we can all agree it’s a really, really bad website. It’s a huge cock-up.
Which has nothing to do with the value of the underlying law. Not a thing. It’s like saying the VA does a terrible job of processing vets, so screw vets. The website serves the law, the website is not the law. A bunch of folks in India are waiting to man call centers. They can follow a script, they can enter data, we can, in short, use technology that isn’t the very latest thing. Telephones did not disappear.
Terrible, terrible website. Irrelevant to underlying value of the law.
Next point. The inevitable “Gubmint cain’t do nothin’ right.” To which I would say that government did a pretty good job knocking off Iranian centrifuges using advanced programming methods. And the government does apparently a hell of a job at busting into emails and listening to German phone calls. Also: the greatest military on earth. Also: the world’s reserve currency. Also: the dominant diplomatic power on earth.
In fact, the government is so good at their job they just informed me that I underclaimed income in 2011 (an honest oversight) and strongly suggested I give them a bunch of money. So, they seemed pretty damned competent at that.
This obvious fiasco of a website does not prove Obamacare is a bad idea, or that the government is doomed to fail.
@michael reynolds:
I agree that it’s a bad website (glass below half full), but how bad will be determined over say the next two months (one down, two to go).
It’s possible, just possible, that a few core errors produce dramatically bad results. They should be found and fixed within a month. If it’s medium bad, two months. If it can’t be fixed in three, then it is as bad as you say.
But we gotta give the guys some time to work.
Bummer.
@michael reynolds:
I think we can also agree that if our government functioned properly, there would be investigations as to why this was such a huge cock-up. Both internal investigations in the administration, and likely external investigations through congress. And maybe, just maybe, some recommendations to be followed to prevent future cock-ups.
Alas, this will be Benghazi all over again, where any actual systemic problems will be lost in the wailing of Republican congress-critters who have no interest in the actual problems, they just want to hang an albatross around Obama’s neck.
@Gustopher:
I asked in one of the first [Obamafail] threads when government (Congress) would be smart enough to design in a beta period and measured rollout.
Possibly this is worse than the “typical” big-bang launch with millions of day-one users … but I can’t think of any others this big.
One cite was that Obamacare had more users in the first 24 hours than Twitter in the first 24 months (or similar).
What this desperately needed was invitational users in a beta program. Blame for not having that spreads very wide.
@Gustopher: You’re actually doing quite well.
They seem to be upset that this site has vulnerabilities that even your bank’s site has. Mostly the vulnerabilities are user errors.
@ JKB
Ah, so the part of the government that YOU like is competent. Hack-proof even. I see.
http://www.technewsworld.com/story/70699.html
http://www.businessinsider.com/pentagon-admits-24000-files-were-hacked-declares-cyberspace-a-theater-of-war-2011-7
Seriously dude, you may be the most clueless mofo on the planet.
And of course, corporate America is uber-competent.
http://www.foxbusiness.com/technology/2013/07/25/major-companies-victims-in-biggest-hacking-case/
When is Issa going to investigate?
OH tens of millions of CC info are stolen yearly..
This is not a bug, it’s a feature.
Maybe the problem all along has been that the system is corrupted with spyware. Just install a good spyware program and it’s fixed.
@Jack: i.e. a Secondary Software Characteristic.
This rollout was an unmitigated disaster in IT terms. There’s no other honest way to look at it. Whether or not some corporations also have flaws in their sites is entirely irrelevant.
Nobody knows how long it will take to fix. Not even the people working to fix it know. It’ll probably take a couple weeks just to figure out exactly what parts are broken, and who knows how long to fix it all. This is more than just some client-side tweaking–there are problems on the back end that are far tougher onions to peel. And those have to get fixed first–you can’t have a nice, pretty customer portal that LOOKS like it’s working well and a back end that’s still a spaghetti mess.
I don’t say any of this as an opponent of the PPACA. I think it’s flawed, but it’s also very important, and I want to see it work well. Healthcare.gov isn’t the whole PPACA, but it’s the most important customer-facing piece.
The apologists are turning the volume all the way to eleven.
Somewhat off topic – as all PII must be protected on a site such as this – but why the heck are SSNs still a ‘secret’? I would love for the Social Security Administration to announce everyone’s SSN will be published on their website Jan 1st 2016. Too long banks and others have misused them as identifiers and treated them like computer passwords.
Um…I don’t see that many apologists. Everyone recognizes and acknowledges the problem.
As per usual it appears…if you can actually read….that the Benghazi, Parkghazi, APghazi, IRSghazi, Webghazi bunch is again making a molehill into Mt. Everest.
But you are entitled to your partisan delusions.
@Mikey: It was reported this morning that several people who did manage to get enrolled have discovered that their applications and information were somehow lost or deleted. So now they have the choice of going through the process again, or just forget the whole thing.
@ Tyrell….
“…several people…”
You don’t say. Several whole people? Oh my.
Clearly the apocalypse is upon us. Republican predictions have come true. Obamacare is truly the end of civilization.
@Tony W:
No one really has a secure on-line ID. And so banks and other serious sites rely on knowing a number of semi-secure things like SSN, phone number, mother’s maiden name, to “safely” identify us. And so an identify thief tries to gather enough of those things to be convincing.
In the current system, SSN is a big one.
@Tyrell:
Or they can get their insurance on the open market, which…no hassle there.
It’s kind of funny. We were warned that old people would die. That young people would game the system. That employers would cut jobs. That government debt would destroy the economy.
But no one warned us about this website thing. The Cassandra of Greek myth had a better predictive record, and she was more believable.
@john personna: SSN: think about this. Years ago many of the public school systems used student SSN on everything from test score sheets to school id’s. A lot of that stuff wound up in dumpsters, no shredders back then.
@john personna: Ya, I get how it works, just lamenting that we have allowed a crappy system of non-secrets to be sufficient to steal identity, because “business!”.
Technology exists that could do much better, but some actuary somewhere has determined that the loss from fraud is lower than the gain from ease-of-business. Chip & pin is pretty good for example, and is used widely by the credit card industry, except in the exceptional USA.
Sorry to highjack the thread with this, but it is potentially relevant to the problem at hand. If we had such an identity system available, it would be much harder for tea-drinking sympathizers to sabotage the system – either from the outside, or perhaps from the inside as well.
Arnold Kling echoes something I wrote at OTB earlier:
I framed that as a reminder that the project was a public-private partnership, and that the “exchange” depends on real-time response and bids from insurance providers..
In retrospect we can say that less ambitious goals would have made the top-level exchange sites more robust … basically enter your information, and then expect email offers from area providers.
@Tyrell, @Tony W:
We could use retinal scanners … but then they just tear out your eye!
(Biometrics help, but like bank card/pins they can be intercepted by hackers and re-used.)
@this:
Another way to make the system more robust would have been to require any participating insurance company to turn over a rate table. Then the comparison shopping could be done with simple database look-ups. (You could let each provider send updated tables every night, or whatever.)
I imagine though that the providers demanded interactive control of the offers they were sending back, in response to each customer query.
@michael reynolds:
In California people just go to the State Exchange site. I’m still not sure why anyone goes to the Federal site, it does not seem necessary.
@al-Ameda:
Not every state has an exchange, quite a few are only in the federal system.
Some very dim people elected republicans to run their states. Those republicans then refused to set up state exchanges.
Florida’s one of 30 states that only have the fed exchange. My state is so petty as to have banned its already hobbled state insurance regulators from enforcing all health insurance laws on the books (as explicit retribution for PPACA)
Wifey nevertheless managed to sign on to the fed system. Suck it, gov.
http://talkingpointsmemo.com/dc/gop-medicare-part-d-obamacare
@anjin-san:
Lest anyone forget, that Bill was passed by way of Hastert holding the door open until they got the vote count (no Democratic votes needed) necessary to pass it.
I do not recall that when Democrats took over the House that they (Speaker Pelosi) demanded that Part D be defunded or repealed, do you?
@rodney dill:
And the other side’s apologists are deflecting and counter-attacking at eleven. Wouldn’t it be nice to have a discussion at, say, 6?
Yeah, let’s have a conversation at 6…
Of course that would require some honesty…
http://www.youtube.com/watch?v=hJxjFicAG90#t=44
@Pinky:
Am I not hitting the middle note?
I acknowledge problems, understand general web technology, but I wouldn’t presume to know what’s going on inside someone else’s app. We’ve seen neither the code nor the error logs.
Possibly they bit off too much, but possibly they’ll get it all working.
TBD.
@john personna: I dunno. This thread was too hard to stomach.
@Pinky:
Wouldn’t it have been nice if states with Republican governors and legislatures had been implementing their Exchanges instead of delaying, obstructing and interfering with implementation of ACA?
That would have been nice, and it would also be nice if the questioning of the current ACA website problems wasn’t being done by the same malevolent hypocrites who have done everything they can to oppose and obstruct ACA.
That said, let’s be sure it is a civil discussion. By the way, with Republicans the discussion level is never going to be 6, it’s inevitably going to be 666.
@al-Ameda:
“That would have been nice, and it would also be nice if the questioning of the current ACA website problems wasn’t being done by the same malevolent hypocrites who have done everything they can to oppose and obstruct ACA.”
And the ones who have again and again made oversized charges on Fast & Furious, Benghazi, IRS, etc., only to see when facts come out there was far far less than promised.
@ Pinky
Find Seth Rogan and smoke some dope with him. It can often settle the stomach.
WTF….
Reynolds, myself, john personna, anjin-san…all saying yeah, it’s messed up. It’s gotta be fixed.
I guess it just turns Pinky’s stomach that we aren’t all going full WEBGHazziii!!!!
Good luck with that.
@ anjin-san…
among other things…..
I learned yesterday that CGI had “turned off the flag” to allow anonymous price shopping in the exchange…
However, apparently it is now turned back on, so for those who are interested in doing some shopping:
https://www.healthcare.gov/find-premi…
Very simple and fast, information is non-specific, you only need enter State, County, age ranges, family or individual coverage.
In my county there are 43 estimates available, ranging in price from 194 to 522 per month for individuals from 5 or 6 different insurers.
IMPORTANT NOTE: The estimates shown on this tool don’t reflect the lower costs you may qualify for based on household size and income.
@C. Clavin: Actually, it was your first comment that stood out. Your comment, to the effect that you’d just read an article that you didn’t care about and you just wanted to say that you didn’t care about it, struck me as grossly insincere. I mean, “what else you got?”? I could be wrong. Maybe you’re not defensively saying whatever you think would be best for your political side. But it comes off that way.
The irony is, if this was just a system to go onto a website and sign up for insurance from one provider … oh say the Federal Government medicare office … then building (expanding) that website/system probably would have been much more simple; relatively speaking … and probably much less expensive for all involved too.
It’s the fact that this has to be a “market” that’s making it complicated.
… and it is a VERY complicated undertaking. To be honest, I’m actually surprised that the system is functioning as (again relatively) well as it is.
@Pinky:
The weird thing about it is, that while the website in general has problems, many liberals took the first assertion of these security problems as a real thing. “OK, you got us.”
They might actually have been slower, on that particular aspect.
@Todd:
Definitely. The requirement for real-time data sharing, because this is a big public-private partnership, makes it a bear.
Further thought …
Has anybody asked why we even need healthcare.gov?
.. or at least why we need it to have all this functionality? Why couldn’t it have just been a portal to the approved insurance providers; who would then be responsible for “selling” their plans, plus calculating and applying for the proper subsidies for customers who qualify?
Pinky…
We all agree it’s f’ed up.
What’s to discuss?
Some of the security discussions are interesting…but I know nothing about it…and those offering opinions aren’t involved so they are just informed opinions.
Unless you want to blow it all out of proportion.
And I think that’s BS.
@Todd:
I think it is sadly, a conflicted idea. I think the ACA architects hoped that it would be an easy way for people to cut across all those individual insurance offers. The problem is that insurance companies want to keep fine grained control on the price they offer an individual applicant.
So, how can you put up a “results” page in a second or two which has all the custom tailored offers from a number of vendors, each exercising dynamic pricing strategies on the applicant pool?
Maybe you can’t.
As I say, forcing insurance companies into published rate tables would make the site much easier, but then they’d lose an opportunity on the back-end … to say ask Google if you’ve searched “chest pains” lately, and adjust your rate as a consequence.
@Todd:
As a reminder, the federal exchange was not expected to cover 30+ states. It was the GOP that decided that they wanted the federal government to run the exchange because they didn’t think the federal government should take over health care. The (relative) success of the state-based exchanges shows that this attempt to sabotage the Obamacare implementation was moderately successful.
Paraphrasing (because I’m too lazy to go find the link) something I read on Wonkblog (or maybe TPM):
American politics at its finest.
This is simple: Congress created a procurement system that contracts out the heavy lifting and leaves the government to be middle management. IT security engineering and integration/interoperability testing are not middle management functions. Those functions are quality controlled in house by the contractor. So unless one is lucky enough to have a contractor win a contract AND have 1st rate production processes in place—there is not much that can be done other than roll something out and patch it up after the fact. The government doesn’t sit at the contractor facility and look over people’s shoulders. There is a contract deliverable that is presented to the government after the contract ends. There are few options for multi-system/multi agency contract models that allow for centralized quality control and collaboration at the worker bee level. If two contractors are competitors but working on separate pieces of a task…they aren’t going to collaborate directly…they will cooperate with each other through the middle manager (a level too high to solve problems before they snowball.) The only error I see that could have minimized the damage is if they hired an Integrator and have all the other companies as sub-contractors to the prime integrator. You limit your options when you do that though because companies that have good talent…don’t want to be subs to their competitor….unless there is a stupid amount of money on the table. My guess is they wanted the best programmers so went without an integrator/sub model.
The procurement process is the problem…it makes it virtually impossible to efficiently do large scale projects. A lot of private companies get paid a lot of money though so that’s a win in Congress’s eyes.
As for the security vulnerabilities, I’m not seeing it. Any site can be spoofed and trick users into entering personal data. That’s a user education issue. What’s most important is the back-end server security and the transmission of the bits after the user submits the form. Healthcare.gov does encrypted transmission so they are good there. There is no such thing as 100% security for anything on the web. The goal is to deny an attack surface to small-timers using the MOST likely attacks known. There is a small elite portion of attackers, mostly employed by governments and organized crime that actually create specialized attacks custom for a target. They are a threat but frankly, they tend to go after bigger fish. Individual SSNs are high value targets. For these guys/gals the only real security is in consistently reconfiguring your security approach to either ruin the attack they’re crafting to go against your system…or it keeps them from coming back in after they’ve gotten access previously. They then have to start the long process of figuring out how to get back in. It’s a lot of work being a high-end hacker so it requires a big payoff.
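The clickjacking issue the post describes is not a spoofed site but the real site being loaded inside an invisible frame on an attacker's page; the standard fix is a response header that forbids framing. The following is an added example, not code from the article or from any commenter, and not taken from healthcare.gov: it classifies a response's headers as protected, weak or unprotected against framing, using the real `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers. The sample header sets at the bottom are constructed for illustration.

```python
"""Audit HTTP response headers for clickjacking (UI redress) protection.

Added example. The sample responses in SAMPLE_RESPONSES are constructed
and do not describe any real site's configuration.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'protected', 'weak' or 'unprotected'.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options,
    so it is checked first.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            lowered = [s.lower().strip("'") for s in sources]
            # '*' or a bare scheme ('https:') lets any origin frame the page.
            if "*" in lowered or any(s in ("http:", "https:") for s in lowered):
                return "unprotected"
            # 'none', 'self' or an explicit origin allow-list all block hostile framing.
            return "protected"

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected"
        # ALLOW-FROM is obsolete and ignored by current browsers, and any other
        # unrecognised value is treated by browsers as if the header were absent.
        return "weak"

    return "unprotected"


# Constructed sample responses (labels are made up for this example).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-header": {"Content-Type": "text/html"},
    "xfo-deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run framing_protection over a set of named responses."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:16s} {verdict}")
```

A response with no framing header at all is the condition the researchers quoted in the post describe as easy to fix: adding `X-Frame-Options: DENY` (or `Content-Security-Policy: frame-ancestors 'none'`) to every HTML response that carries a form is a server configuration change, and the check above is what a deployment test would assert before release.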
@john personna:
This program was always just going to be a bridge to something like medicare for all (the only question is how long it takes us to get there). That said, once the public option was ruled out, I think the idea that these exchange websites would be anything more than just portals to the insurance companies was overly ambitious (and quite possibly totally unnecessary).
But then I’m just a guy on the Internet with an opinion. I sure am glad it’s not my job to make actual decisions about this sort of thing.
… the Monday morning quarterback never throws a bad pass 🙂
@Pharoah Narim: I generally agree with your comment, but one thing that can be done is providing sufficient testing time to work out the bugs before a product goes online. You can’t test everything – site volume and the sheer ingenuity of human error can’t truly be simulated – but you can test a lot.
Democrats frustrate Republicans because we refuse to do what they’d do under identical circumstances: ignore reality.
We are not the party of epistemic closure. This was demonstrated after the first Obama-Romney debate when Democrats insisted that Obama got his ass kicked. Republicans assumed we’d descend into fantasy-land. When we didn’t, they were disgruntled.
Same here. We admit this is a huge screw-up and Republicans get cranky because supposedly we won’t talk about it. Well, what is there to discuss after we agree that it is obviously a screw-up?
See, my GOP friends, when you live in the real world you occasionally find yourself agreeing with the other side. Put down the rage-o-hol and try it some time.
@Bob @ Youngstown:
Well of course the website folks have changed the page address in the last several hours.
As of 7:30 pm eastern the new address is:
https://www.healthcare.gov/find-premium-estimates/
Happy shopping!
@michael reynolds: it’s not just a river in egypt, even diehard liberoids are disgusted at this piece of junk web site, and they don’t even know what’s on the other side. good for you that your rate went down, but someone who makes less than you got a rate increase- at least have the dignity to thank them for voting the stupid line. and while you’re all in here sucking each others dicks, look outside the window- it’s bad!
@Bob @ Youngstown: thx, 2x the rate i pay now- grand.
@ bill
Damn, he’s right. On the CA website, my rate went up $3.
Oh my, you sound quite frustrated…calm down, sweetie…perhaps you need some of the same activity that you describe above, and it ain’t looking out the window…
@An Interested Party: it’s actually a quote from a zappa tune, this site doesn’t frustrate me at all, it’s my down time- as a working guy i can’t really hang out in here all day, someones gotta pay the bills/taxes for the rest of y’all! party on party girl!
Spare me, a$$hole…many people who whine about having to pay the bills and taxes of others are often feeding at the government trough themselves, in ways they don’t even recognize…
I really enjoyed this article, thanks. The comments are quite heated.