Thursday, January 23, 2014

Eye Recommend --- About That Four-Minute ACA Hack...

ABOUT THAT FOUR-MINUTE ACA HACK..., by Steve Benen --
http://www.msnbc.com/rachel-maddow-show/about-four-minute-aca-hack
This is a confusing story. The far right tries, once again, to scare people away from accessing health care through the Affordable Care Act.  (Why are they so frightened of people having health insurance?)  But then, maybe they're right...or maybe not.

"Just last week, the chief information security officer for the Centers for Medicare and Medicaid Services was able to boast a bit to the House Oversight Committee.  Healthcare.gov has been subjected to 'end-to-end security testing and passed with flying colors.'

Not so fast, conservative media responded.

The Daily Caller, The Washington Times, Fox News and others pointed to David Kennedy, the head of a computer security consulting firm, who reportedly claimed he could use a standard web browser to access 70,000 personal records belonging to consumers who enrolled through the ACA system--after just four minutes of effort...

...Except, that's not quite what happened, and those reports from conservative media painted a deeply bogus picture.

The Washington Post's Brian Fung discovered 'It turned out the reports were nothing more than simple confusion.'

'We never accessed 70,000 records nor is it directly on the Healthcare.gov website,' wrote Kennedy in an update to an earlier blog post.  'No dumping of data, malicious intent, hacking, or even viewing of the information was done.'...

...Okay, but if Kennedy didn't access 70,000 personal records, as  conservative media claimed, what did he access?  There were 70,000 results of what, exactly?  As best as I can tell, he hasn't elaborated on this point, except to say, 'We do not support the statements from the news organizations.'
I have to admit, I'm confused.  Someone appears to be lying--or at least tainting the truth--either the information officer from Medicare/Medicaid or cyber-security expert and Republican media darling David Kennedy.  Is the report from the government office trying to make the ACA's site security look better than it is?  Or is Mr. Kennedy, fearful of having publicly admitted to hacking a government website, (a legal no-no), just trying to back away from his original statement in order to protect himself?
"Consider this exchange between Fox News' Chris Wallace and David Kennedy over the weekend:

WALLACE:  You say you did not hack the site and, yet, you say you could access 70,000 records of various people who have signed up for health care under--at the website within four minutes.  How do you know that if you haven't hacked the site?

KENNEDY:  That's a great question.  There is a technique called--what we call passer reconnaissance, which allows us to...look at how the website operates and performs.  And these type of attacks that, you know, I'm mentioning here in the 70,000 that you're referencing is very easy to do."
Well, that certainly clears things up.
"...This is the point conservatives still struggle to understand--even if healthcare.gov were somehow hacked, the hackers couldn't gain access to private medical records.  Why not?  Because there are no private medical records stored on healthcare.gov." 
I think we have to look at the possibility that we are seeing a government vs. Kennedy version of apples-to-oranges.  Perhaps it is easy, as Mr. Kennedy says, to access some information on the ACA site.  If he means information like names and addresses, that is information easily found all over the web, including other government sites. 
Confession:  Last week, while paying our property tax bill on-line, I accidentally typed in the wrong address. Just an incorrect address was all I needed for my neighbor's tax bill to pop up on my screen--no pass code, no identity verification.  I now know his middle names, (he has two), how much he paid for his house and that his property taxes for the last half of last year are past due.  
This is not to say that I defend the ACA for leaving my information readily available to any bad typist, or good cyber investigator; but being able to access the names of people with ACA health care insurance does not seem like an end-of-the-world personal security threat to me. 
And this is where the apples-to-oranges analogy comes in.  I doubt that Mr. Kennedy made up his Healthcare.gov "non-hack" out of whole cloth, so I have to believe that he was able to access some degree of information on 70,000 ACA customers.  (Apples = customer identities.)  At the same time, the government may also be correct in saying the site passed their security check with flying colors because health care provider names and/or type of plan purchased were protected.  (Oranges = specific health care information.)
I would like to believe that the government's security check also found my financial information was protected, but then I remember what I know about my neighbor's property taxes.
As I said, this is a confusing story.
