
Wednesday, 20 November 2013

Health care website

Avi Rubin, professor of Computer Science at Johns Hopkins University, pointed out (PDF), "One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards." He then discussed the challenges faced in necessarily doing exactly that with the federal exchange.

Dr. Frederick R. Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security at Southern Methodist University, was similarly critical (PDF).

The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public. There is the main federal site, individual state sites, as well as legitimate third party sites. As I understand it, there is no official designation or marking that a consumer can use to determine whether they are on the correct site or not. As people seek to register for health care coverage they may find that there is a dizzying array of websites to select from. When it comes to typing in information like a social security number into a web form, many people might be cautious about doing so, but given that it has to do with health insurance coverage people might be more inclined to do so (particularly if they think the request is coming from a legitimate website). These two factors could combine to create a ripe circumstance for personal information to get into the wrong hands. It is difficult to estimate how much traffic these fake websites will siphon off, but it could be significant.

David Kennedy, CEO and Founder of TrustedSec, cautioned (PDF) that existing reports of hacking attempts on Healthcare.gov are incomplete and that, because of poor security precautions, "in the event that the website is hacked (or already has been), the attacks would go largely unnoticed and the website would remain compromised for a long period of time." He went on to detail a series of vulnerabilities his company discovered on the site, and then alluded to others he said he was unwilling to publicly reveal.

Kennedy recommended building an entirely new Healthcare.gov website while the first one is up and running (including its flaws) and replacing the existing one when it's ready. If, instead, the already bought-and-paid-for site is taken down for a full fix, "the remediation process will span seven to twelve months at a minimum."

Fixing the existing site while it's being used would take even longer.
