Glitches and outages have been the main focus thus far in the scrutiny over the HealthCare.gov website - but a bigger problem could be looming on the horizon for Americans who wish to enroll on the site: hacking.
Every coding flaw on a website presents an opportunity for hackers to get in. The main worry with the Affordable Care Act website is that it could serve as a major target for hackers who are looking to steal personal identities. HealthCare.gov doesn't store this information directly on the website; it only links to it through a maze of third-party government sites (Internal Revenue Service, Department of Homeland Security, Social Security Administration, Department of Veterans Affairs, etc.). But that doesn't make it any less risky for consumers. A hacker can compromise a website that transmits sensitive personal data just as easily as one that actually stores that data. This data may have been safe on the original website (e.g., IRS.gov), but once it travels through an insecure platform, it can become vulnerable to attack.
The concern with HealthCare.gov is that officials have basically conceded in Congressional hearings that they went live with the website in spite of numerous coding errors and security oversights - that means it's potentially vulnerable to a wide range of cyber attacks that could hurt users.
In order to ensure the safety of consumers, the HealthCare.gov team needs to do more than just check all the millions of lines of code on the site - they also need to bring in outside security experts to run "ethical hacking" tests (also known as "penetration testing") to see if it really does block hackers from getting in.
Here are five ways that HealthCare.gov or one of the 15 state-run exchanges could be hacked:
1. Code Injection Attacks - When a website is poorly designed, it's often vulnerable to what is referred to in the security industry as "injection attacks." This means a hacker can go onto the website and write malicious code, which she then tricks the website into accepting and running as its own. What the heck does that mean? Well, let's say there's a search box, or any type of feedback form, on the website. Instead of typing in a real question, the hacker could enter a small amount of code that the web server executes. This code might be designed to get access to private information stored on the site (such as user profiles) or maybe even to install malware that will infect anyone who visits the website in the future. One of the most widely used code injection attacks is SQL injection, or SQLi.
What You Can Do: You can't protect your information on the website, but you can protect your computer from getting infected by malicious code that may at some point run on that website. The best way to do this is to use a "sandbox," like Sandboxie or SecuBrowser, to keep your browser isolated. This will stop hackers from being able to make changes to your computer or infect it with malicious scripts.
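For the people who build the website, the fix for the search-box case in item 1 is to keep the visitor's text separate from the database query. The following is an added example, not part of the original article; the table, names and input are constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data: an in-memory table of user profiles."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (name TEXT, state TEXT, ssn_last4 TEXT)")
    db.executemany(
        "INSERT INTO profiles VALUES (?, ?, ?)",
        [("alice", "VA", "1111"), ("bob", "TX", "2222"), ("carol", "OH", "3333")],
    )
    return db

def search_vulnerable(db, term):
    # The search text is pasted into the SQL statement, so the database
    # cannot tell the visitor's text apart from the site's own query.
    sql = "SELECT name FROM profiles WHERE name = '" + term + "'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # The ? placeholder sends the text as data only; it is never parsed as SQL.
    sql = "SELECT name FROM profiles WHERE name = ?"
    return [row[0] for row in db.execute(sql, (term,))]

# Constructed input: text that closes the quote and adds an always-true condition.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("normal search:        ", search_vulnerable(db, "alice"))
    print("crafted, vulnerable:  ", search_vulnerable(db, CRAFTED))
    print("crafted, parameterized:", search_parameterized(db, CRAFTED))
```

The vulnerable version returns every profile for the crafted input, while the parameterized version treats the same input as a name that matches nobody.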
2. Cross-Site Scripting - One specific type of injection attack that deserves special attention is "cross-site scripting" or XSS. This may sound technical, but the basic idea behind it is pretty easy to understand. A hacker goes in, and just like in the cases above, tricks the website into accepting malicious code through an input field, such as a web request or form field. The next time a person visits the site, a cross-site scripting attack will run against their web browser, stealing saved passwords and cookies from that browser. This type of attack is very common.
What You Can Do: You can block this type of attack by installing a third-party extension in your browser - like NoScript on Firefox or NotScripts on Google Chrome. Also, don't allow your Internet browser to cache passwords.
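On the website's side, the defense against item 2 is to escape stored visitor text before placing it in a page and to mark the session cookie so page scripts cannot read it. This is an added example, not from the original article; the feedback entries, cookie name and session value are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: feedback entries as a site might store them. The second
# entry carries markup instead of a real comment.
FEEDBACK = [
    "Enrollment took me twenty minutes.",
    "<script>alert(1)</script>",
]

def render_unsafe(entries):
    # Stored text is dropped straight into the page, so any markup in it
    # becomes part of the page and runs in every visitor's browser.
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"

def render_escaped(entries):
    # html.escape turns < > & and quotes into entities, so the browser
    # displays the text instead of interpreting it.
    return "<ul>" + "".join(f"<li>{html.escape(e)}</li>" for e in entries) + "</ul>"

def session_cookie_header(session_id):
    # HttpOnly keeps page scripts from reading the cookie; Secure keeps it
    # off unencrypted connections.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

if __name__ == "__main__":
    print(render_unsafe(FEEDBACK))
    print(render_escaped(FEEDBACK))
    print("Set-Cookie:", session_cookie_header("abc123"))
```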
3. Insecure or Weak Authentication - Websites that are poorly designed often struggle with inadequate "authentication" and "session management" - these are important security features that, when done right, protect the integrity of your account. When they're weak or inadequate, a hacker can impersonate users and take over their accounts.
What You Can Do: Don't try to register or log in to a HealthCare.gov account, or other suspect sites, from a public WiFi hotspot or any unsecured location. Tools like Hotspot Shield can be used to help secure wireless connections. Additionally, try to use a virtual private network (VPN) when accessing these sites. A VPN will encrypt your communication with the website, better protecting your account.
4. Clickjacking - In this type of attack, hackers take advantage of poor security on a website to slip invisible frames over seemingly innocuous items or features on a webpage - such as an entry form, a video, or a 'like' button. When a person clicks on this button (for instance, "submit form"), they're actually clicking on the hidden link slipped over the real web page - so their information is redirected to a malicious website or sensitive information is stolen. This is a complex hack and difficult for users to spot.
What You Can Do: As with the cross-site scripting threat, you can install a third-party browser extension like NoScript on Firefox or GuardedID on Internet Explorer.
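A website can also tell browsers not to load its pages inside another site's frame, using the X-Frame-Options header or the frame-ancestors directive of Content-Security-Policy. The following added example (not from the original article) checks a response's headers for that instruction; the sample header sets and the verdict labels are constructed.

```python
def framing_policy(headers):
    """Classify how a response limits being shown inside another site's frame."""
    h = {name.lower(): value for name, value in headers.items()}

    # Content-Security-Policy frame-ancestors is the current control; browsers
    # that support it use it in preference to X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if len(parts) > 1 and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if sources == ["'none'"]:
                return "no framing allowed"
            if "*" in sources:
                return "unprotected"
            if sources == ["'self'"]:
                return "same site only"
            return "listed sites only"

    # Older header, still widely sent.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "no framing allowed"
    if xfo == "SAMEORIGIN":
        return "same site only"
    return "unprotected"

# Constructed response headers for four hypothetical pages.
SAMPLES = {
    "no framing headers": {"Content-Type": "text/html"},
    "legacy header": {"x-frame-options": "sameorigin"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

def audit(samples):
    # Map each sample page to its framing verdict.
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:20} {verdict}")
```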
5. Sensitive Data Exposure - Some websites make it easy for hackers: they accidentally leak sensitive data or fail to properly encrypt it. We've seen this before, even with well-designed commercial websites and mobile apps. For example, a site might not properly encrypt its users' passwords (using methods like "salting" to make them harder to crack) or might transmit information in clear text. Twitter and Gmail used to have this problem before they switched to default SSL encryption for all users - and Yahoo Mail just announced it's doing the same thing. In the case of HealthCare.gov, the real risk is likely to be in how it relays data back and forth between the various third-party websites it's linked to (e.g., IRS, Veterans Affairs, etc.) and how well it encrypts those communications.
What You Can Do: There's nothing you can do to protect your data on the website. But you can take steps to avoid exposing this data yourself when logging in or using the site. For instance, there are browser extensions available - like HTTPS Everywhere on Firefox and Chrome and ForceTLS on Firefox - that will automatically switch every website to the encrypted HTTPS version if that option is provided. (A lot of websites offer limited HTTPS settings, but don't always enforce them and may even make them difficult to use. These tools automatically interface with them to enforce encryption.) Additionally, don't log in from a public WiFi hotspot, try to use a VPN, and make sure you log out of the site when you're finished. Also, don't allow your browser to cache passwords.
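On the website's side, the "salting" mentioned in item 5 looks like the following added example, which is not from the original article. It assumes PBKDF2-HMAC-SHA256 with an example iteration count, and the password is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # example work factor (an assumption); tune to your hardware

def fast_unsalted_hash(password):
    # Weak form: one fast hash and no salt, so two users with the same
    # password get the same stored value and guesses are cheap to test.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    # A fresh random salt per user makes identical passwords store differently;
    # the iteration count makes each guess slow for someone holding the database.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    # Recompute with the stored salt and compare in constant time.
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)

if __name__ == "__main__":
    shared = "correct horse battery staple"  # constructed password used by two users
    print("unsalted values match:", fast_unsalted_hash(shared) == fast_unsalted_hash(shared))
    salt_a, digest_a = hash_password(shared)
    salt_b, digest_b = hash_password(shared)
    print("salted values match:  ", digest_a == digest_b)
    print("login with right password:", verify_password(shared, salt_a, digest_a))
    print("login with wrong password:", verify_password("guess", salt_a, digest_a))
```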
These five items represent real threats that attackers use to target thousands of websites each year. However, the U.S. has some of the best minds in the world when it comes to cybersecurity, and there's no doubt HealthCare.gov can be fixed if the right people are given the chance to test it. It's also important for the state-run exchanges to undergo this testing - some of them aren't even using SSL encryption for all of their transactions, but that's another story.