The government cut corners when building Healthcare.gov, the federal marketplace for health insurance, and security was no exception, according to a new report from the Government Accountability Office that will be presented to Congress this week.
The team building the site skipped some privacy risk assessments and did not conduct comprehensive security testing, according to the Wall Street Journal.
That should be no surprise to anyone who's been following the news. The Healthcare.gov launch was a mess: a combination of shoddy, inbred contractors; compressed deadlines; and changing specifications due to politics. It crashed immediately after it launched. On the first day, only six users got through.
There was a scramble to fix the extremely visible broken parts of the site, but the less-visible broken parts were lower priority. Numerous security holes have been revealed by people just looking at the site from the outside, including a vulnerability that exposed user email addresses and a vulnerability that allowed a hacker to upload malware onto a Healthcare.gov server.
Neither vulnerability resulted in user data being compromised, but the revelations showed an unconscionable sloppiness. The Centers for Medicare and Medicaid Services, the agency that oversaw the development of the site, failed on numerous levels to protect consumers. Password-strength requirements were insufficient. At least one contractor hadn't secured its administrative network. There was "inconsistent application of security patches." The failures are too many to list.
Private companies that fail to protect their customers are deplorable. Governments that fail to protect their citizens are worse.