The recent news that the Vermont Health Connect website has suffered more privacy breaches should remind us of the admission months ago by national and state governments that computer system security was not part of the initial design of the Obamacare Healthcare.gov site. Computer professionals agree that, if security is not the first order of business when designing a system, hackers always will have innumerable ways to get into it. If you try to add security as an afterthought, as the Obamacare’s system designers are trying to do, experts agree: It’s a hacker’s paradise.
Think of a secure computer system as looking like an onion. At the onion’s core are a few basic functions of the system, called the operating system, to handle all the memory allocation, record input/retrieval functions, user identity verification and so on. The core is surrounded by layers of user and system level procedures used to access your personal financial information.
Each core function has a gatekeeper that guards the only way into that core function and the only way out. For example, you must ask a core gatekeeper to store data for you and ask another gatekeeper to retrieve data for you. You cannot do that yourself. Everything in a secure system is in the custody of these thoroughly tested and understood core gatekeepers, which means the gatekeepers validate all the data going in and out, as well as validate the identity and access rights of every user requesting access to your data, i.e., every request for data must go through the core operating system functions. When the gatekeepers are in place at the beginning of system design, the designer is forced to comply with all security requirements to build the system.
This did not happen on the insecure Obamacare system, and government contractors are now trying to strap a security system onto the outside of the onion. Why can’t this work? Think of the onion again: How many ways are there to circle around the onion to get from one point on the outside to any other point on the outside, let alone any point on any other layer inside the onion? That’s how many unauthorized access points a “security-as-an-afterthought” computer designer has to defend against to prevent a hacker’s getting into the system. That’s how many gatekeepers need to be designed and tested. On a huge system like Obamacare, the onion is extraordinarily large, the largest in the world, which makes the number of access points and corresponding gatekeepers equally large. Any official assurances that this can all be fixed at this late stage with a few gazillion gatekeepers is so unlikely as to qualify for the definition of a lie.
To make matters worse, none of these technical security problems includes the human security problem: Who is going to be authorized physical access to this computer system? Can you say, “Edward Snowden”? And he had a top secret security clearance.
The ramifications of this one system’s lack of security are spectacular because the Healthcare.gov site is connected to the computers of at least 17 other agencies. Sneaking into those agencies via the insecure Healthcare.gov site by pretending to be someone else lets thieves potentially ask for financial and/or personal information from any agency on any American, even people not enrolled in Obamacare. Does anyone think this pot of gold hasn’t already captured the imagination of the most skillful hackers in the world?
Allan Wylie is a retired Air Force officer whose career included many assignments as a computer systems analyst and manager. Bob Frenier owns a firetruck brokerage firm in Chelsea.MORE IN Commentary
- Most Popular
- Most Emailed