Post and Courier
December 17, 2014

Obamacare's worrying security problems

Posted: 12/06/2013 07:59 p.m.

President Obama on Tuesday hailed improvements in Healthcare.gov, the website that must be visited by millions of Americans who have to buy government-mandated health insurance in the next four months. He urged Americans to sign up as quickly as possible.

Mr. Obama also acknowledged that the website will continue to experience problems like those reported by insurance companies that say they don't yet have reliable lists of people who have signed up. These problems, he said, will be fixed.

But what he didn't say is that continuing security flaws in the complex Internet system designed by his administration are likely to expose many Americans to identity theft.

That's a high price to pay for mandatory health insurance.

The Treasury Department's inspector general for tax administration, Russell George, issued an audit Tuesday saying the Internal Revenue Service's methods for protecting private information required by the Obamacare website have software flaws. These flaws might expose this information to others and allow identity theft. He also said the IRS does not have a way to prevent Obamacare users illegally seeking health care subsidies from defrauding the government.

Mr. George is far from the only expert blowing a whistle on the poor security of the Obamacare system.

A House hearing last month was told by four Internet security experts that the Obamacare website is not secure. Several of them identified particular flaws different from the concerns raised by Mr. George of the Treasury Department.

One of the experts, Aviel Rubin, a professor of computer science at Johns Hopkins University, was called as a witness by Democrats hoping to discredit the Republican-led probe into Obamacare security.

But Rubin testified that the Obamacare site is not secure and that its design is inherently full of security problems because it is a very large and complex system and "one of the basic principles of security" is that a system's complexity increases its security problems. He added, "One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards."

He also said Obamacare violated one of the cardinal rules for launching large consumer websites: they should be implemented in steps, not all at once, in order to identify and fix bugs.

The administration says Healthcare.gov meets the requirements of federal computer security rules.

But a number of reports that came out during its preparation, including one by security experts issued three days before it was rolled out on Oct. 1, charged that security concerns were not adequately addressed or tested.

The Obama administration is clearly playing catch-up to correct flaws in a system that was not ready for prime time when it was prematurely launched in October. Now it faces a legal deadline of March 31 to enroll all eligible Americans even while it is trying to find and correct all of the myriad and even unknown security flaws in the website that put its clients at risk of identity theft.