Audit finds excellent cybersecurity at HealthCare.gov

9/25/2015 02:57:00 PM
AP posted this story this morning titled "Audit finds slipshod cybersecurity at HealthCare.gov," criticizing security vulnerabilities in the system used to administer the federal Obamacare exchanges. Every media outlet under the sun re-posted it word-for-word:
And still others tried to re-post it word-for-word but screwed up.
You won't find the source in the AP story or any of the copycats, but it is about this audit by the HHS Inspector General's office published (in redacted form) on 21 September 2015. (By the way, the report is exactly 4 pages long and half of that was just the title, so I don't know why it took AP 3 days to cover it.)

Except, the audit did not find "slipshod" security at HealthCare.gov.

There was something screwy about all this coverage because the AP published a piece that, while not verbatim, was nearly identical to this one back in September 2014. By an accident involving a local news affiliate, Charles Gaba from the esteemed acasignups.net pointed me to the previous story here. That prompted me to chase down the HHS Inspector General's audit, no thanks to AP, who failed to properly source their article.1 It turns out that the audit actually had the opposite to say about HealthCare.gov: security there is great.

The report released on 21 September 2015 was the formal writeup of an audit that the HHS Inspector General's office had conducted from August through December in 2014. In other words, this is the same audit that the AP covered in its previous story in September 2014, and that's why the two AP stories are identical--they are literally talking about the exact same audit. The first AP story was based on a preliminary report produced by the HHS Inspector General's office about the preliminary findings in their security audit of MIDAS, a database system that HealthCare.gov and insurers use to store users' information to allow them to buy insurance through the HealthCare.gov interface. The new story is based on the formal writeup of the audit conducted a year ago (which is short because the actual technical details of the vulnerabilities were redacted to avoid giving hackers any ideas).

But here's the thing. The main reason for this new report is in fact to say that all of the security vulnerabilities have been fixed to the satisfaction of the HHS Inspector General's security team. The final line of the report:
"We have since reviewed the supporting documentation and verified CMS's remediation."
In other words, the point of the new report is to say that cybersecurity at HealthCare.gov is now excellent. That's the only news here. But none of the News is covering it that way.


1. See what I did there, AP? It's called a hyperlink. It turns out that when you are writing about a thing on the internet, you can "link" to that thing and then users can click it and be redirected to that thing. You do this by typing what's called an "anchor tag" into the HTML code, which looks like this <a href="[insert url here]">[insert display text here]</a>. You should try it sometime.
Max 9/26/2015 12:22:00 PM
"In other words, the point of the new report is to say that cybersecurity at HealthCare.gov is now excellent. That's the only news here. But none of the News is covering it that way."

That would be a tendentious way of reporting it. Like declaring that "the safety of the Space Shuttle is now excellent" after NASA fixed the o-ring problem.
Matthew Martin 9/27/2015 01:51:00 PM
Your analogy isn't very apt. There was an actual vulnerability in the Columbia (the o-ring) and an actual exploit (it blew up). Even in the original audit there were neither vulnerabilities nor exploits in the MIDAS system--they identified a bunch of things that were not in line with security best practices, but nothing that could actually be exploited to compromise the system. The report makes it clear that when they attempted such an exploit, before any of the fixes had been implemented, they were still stopped by the system's other security measures.