WASHINGTON, December 5, 2013 – The foundation of any security process involves three things: confidentiality, integrity, and availability. This is a foundational security principle called the C-I-A Triangle. Probably the most challenging of the three security controls for Obamacare so far has been the “availability” issue. With its drastically under-estimated server capacity, this government healthcare site was better suited to a small business than to a site with traffic rivaling Facebook and Twitter.
All three security challenges from the C-I-A triad are equally important. However, the need for availability, or the ability to handle all the traffic and information requests, must be met without compromising users’ data integrity [accuracy] and confidentiality or privacy.
Security Challenge 1: Confidentiality
Probably the most dangerous of all security challenges is maintaining confidentiality. Healthcare.gov is a poster child for the security of PII, or Personally Identifiable Information, as well as sensitive health care data, or HIPAA (health information protection act) regulatory data.
Technical Challenges of Confidentiality:
How healthcare.gov plans to continually protect the security and privacy of user data depends on the encryption requirements set forth on the site. According to Nidhi Shah, who works on research and development for HP’s Web Security Research Group, healthcare.gov uses an HTML5 header that opens the door to cross-site forgery and invisible malware scripts.
This allows other malicious scripts or sites to pull data from a victim site, potentially exposing sensitive information from the healthcare portal.
The Obamacare site will need to protect data stored on users’ computers from past sessions. This residual data is referred to as “cookies.” The cookies on a user’s computer must not be in plain text, nor able to be pulled from that computer onto a hacker’s site or computer. The risk is that an eavesdropper could view someone’s previous login data in plain text.
This stored information could contain sensitive health information that should remain private to that user.
Not encrypting or scrambling this data is a major confidentiality threat and risk to Obamacare site users.
Need to know:
It has been widely documented that the authentication [or login process] for users involves several other validation checks. Who and what validates legitimate users trying to get into the system?
Background checks for all data administrators as well as a strong “need to know” access administration policy for each agency connected to the healthcare.gov portal will need to be transparent to the public, especially following the public’s response to the NSA’s access to private data.
The more “hands in the pot” when it comes to authenticating a user, the less privacy that single user has.
Security Challenge 2: Integrity
We all get junk mail and phishing scam attempts. The challenge facing Obamacare will be delineating the legitimate third-party healthcare sites from the fake scam artist sites. Confidentiality of social security numbers and PII data must be protected as users look to connect to the new virtual healthcare environments.
Healthcare.gov will need to ensure its list of certified partner sites is made available and advertised effectively. Ensuring users are aware of the legitimate sites and defending against (i.e. taking down) the fraudulent sites will be an ongoing challenge of the healthcare.gov initiative.
The Healthcare.gov team must ensure any legitimate third party site is SSL certified.
Healthcare.gov doesn’t solely handle health care data. The website collects personal data such as names, birth dates, social security numbers, email addresses and other information that criminals could use for a variety of scams. This information needs to be accurate and inter-connected for the site to be useful.
Healthcare.gov validates a user’s identity and data integrity through verification by the Social Security Administration and the IRS. Citizenship is also checked through ICE, the Immigration and Customs Enforcement Agency. These checks are all necessary but involve more back-end validators from several different agencies.
Maintaining data integrity as it is passed from agency to agency will be an ongoing risk. Securing the data in transit between agencies, as well as “data at rest” within each agency repository, will be an ongoing issue facing each organization involved in or connected to the Obamacare site.
Any change or alteration of the data should, in theory, be flagged and reported to the user and agency involved.
Security Challenge 3: Availability
How Healthcare.gov’s infrastructure handles the volume of users has a drastic effect on the general public. Once launched, the site has health service obligations that are certainly not a one-time or once-in-a-while thing. This site will be used several times a year by most users. Regardless of the number of users, regardless of attacks from the outside, and despite the technical interoperability challenges facing authentication and data integrity, the site has to keep running, and for a very long time.
Data availability is not exempt from the impact of security threats and attacks. All three security principles are involved in any single attack or IT security threat.
The most common data availability issue stemming from an attack is a denial of service attack. In 2008, a distributed denial of service attack was initiated against the Georgian government following a political dispute between Georgia and Russia. An organized overloading of requests will bog down a host server and halt all data transmission and functionality for everyday site users. How the Obamacare site will defend and guard against botnet or distributed denial of service attacks will be a constant challenge, especially during times of international conflict.
The security processes must be initiated and sustained throughout the system lifecycle. Processes evolve and patches are issued as security threats emerge. Building a strong and common-sense security approach based on solid principles will pay dividends as this health care portal grows. No single operational challenge can be over-shadowed by other security controls.
As the Healthcare.gov site works to achieve regulatory and government compliance, each of the three tenets of Information Security will continually need risk mitigation. Data Integrity, Confidentiality, and Availability will never go away throughout this site’s life span, regardless of political promises, congressional deadlines, or regulatory compliance.
This article is the copyrighted property of the writer and Communities @ WashingtonTimes.com.