Slashdot Mirror


Preventative Treatment For Heartbleed On Healthcare.gov

As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge

15 of 81 comments

  1. "no indication ... site has been compromised" by tlambert · Score: 4, Funny

    "no indication ... site has been compromised"

    I believe them.

    What possible motive would a hacker have for targeting a site containing social security, tax, medical, personal, and financial information?

    I'm sure it's all perfectly secure.

    Just in case, though, you should probably change your one-factor authentication token so that the next time your "keep me logged in" cookie expires, it's hard to remember.

    1. Re:"no indication ... site has been compromised" by davidhoude · Score: 5, Insightful

      Due to the fact that this exploit leaves no traces in server log files, we have concluded that there is no evidence of an attack on our servers.

    2. Re:"no indication ... site has been compromised" by tlambert · Score: 2

      If only it could have been prevented via a cheap, preventive program, instead of costing so much later! I know! We should lobby them to create a new agency, one tasked with the security of the nation, and when they knew about risks like this, why, they could step in and ensure that no one would unwittingly deploy vulnerable systems in the first place!

      Perhaps we could call them the Responsible Agency for Intelligently Securing the Interests of the Nation... R.A.I.S.I.N., for short... or National Organization Securing You... N.O.S.Y. for short... I'm still working on the name.

      We could even nominate someone to put in charge of making sure they are doing the job they are supposed to be doing, a kind of Special National Operations Watch Director Executive Nominee... Haven't decided what to call that one yet, either...

    3. Re:"no indication ... site has been compromised" by laird · Score: 2, Insightful

      The site doesn't have any medical information at all. That's one of the advantages of outlawing the "pre-existing condition" scam - you no longer have to tell insurers your medical history to buy insurance. And the web site only needs enough other information to verify your identity and income (for computing the subsidy you qualify for, if any). And since they don't collect any payments, they have no payment info (no credit card numbers, etc.) or any credit history.

      And on top of that, once the data is passed to the insurance company and accepted by them, the personal data is purged from the web site.

      So all you can get by hacking the site is the partial data from people who haven't completed the process yet. And that's mainly name, social security number, and claimed income. Which is much less information than anyone on the planet can buy about anyone in the US for a few dollars from any credit reporting service - for a few bucks, they'll sell your complete transaction history, credit ratings, income, debt, etc., - all much scarier than the minimal amount of info on the healthcare site.

  2. oh, sorry by slashmydots · Score: 4, Funny

    Sorry, heartbleed is actually a pre-existing condition so it's not covered.

    1. Re:oh, sorry by sumdumass · Score: 2

      I don't see the mention of 12 billion at all on that page or the ones next to it. All I see is that 6 billion are projected to be enrolled through the exchanges this year.

      I did however see where a lot of those enrolled were subsidized through already available health aid like medicaid and medicare (chips and such).

      It is interesting that the claim was made that roughly 15% of Americans didn't have insurance, or around 45 million people, and this was the reasoning why we needed federal involvement in insurance. Even if we allow your number of 12 million to go unquestioned, I don't see it as any success. It is still less than half, which by most grading scores would be an F for failing.

      It is even more interesting that you claim someone posting something contrary is lying and it might turn true if they post it enough. I mean, I can understand exaggeration coming from disgruntled citizens who now have to purchase something from a third party simply for being a citizen or else face a penalty, without any due process or right to face their accusers in a court of law or jury trial, which the constitution seems to protect except in this case, and which also happens to be dished out by the one organization within the government the people already fear: the IRS, which has been shown recently to be converted for political purposes, and the sitting head at the time of the conversion now claims she doesn't have to say anything to lawmakers and oversight committees because what she says may incriminate herself if she answers any questions about that conversion. But exaggeration coming from someone who supposedly supports the law seems to indicate something fishy is going on.

    2. Re:oh, sorry by OhPlz · Score: 2

      If by costing less you mean costing more, and by doing nothing you mean fucking over the Constitution... you're exactly right.

    3. Re:oh, sorry by Rich0 · Score: 2

      And before you go all authoritarianism on me, you can't have it both ways. Either you have to allow insurance companies to deny pre-existing conditions, or you have to force people to buy insurance. If you don't do either then people wait until they're sick to buy insurance, and then insurance companies go out of business. Socialist healthcare systems like in Europe do the second one by basically buying insurance for everybody through tax receipts (I didn't say that the insured had to directly pay the premium).

      Such shallow thinking. How about forcing a penalty after needing treatment without insurance or the ability to pay it?

      What happens if you have no insurance for 20 years, and never get sick. Then you sign up for insurance and pay your bills for 5 years. Then you get sick. What is the fine, and what happens if the person doesn't have the money to pay it at this point?

      Why wait 20 years to charge them for 20 years of premiums?

      The most sensible solution would be to just have the government buy insurance for anybody who does not do so, and then tax them for it. That is what happens if you don't mow your lawn - the local government will just mow it for you and send you a bill, and put a lien on your house if you don't pay it.

      However, for whatever reason the government choosing your insurance policy turned people off, so instead we have a tax that people without insurance have to pay. The problem is that the tax is way too low, so for those who are young and healthy it just makes sense to pay the tax.

      You do not need to force insurance purchases or allow preexisting condition exclusions. You can simply penalize the people who do not have coverage when they need it and also do not have the ability to pay for their treatment. You can also mandate as part of that penalty that they maintain coverage for a certain period of time.

      If the penalty is less than the total of all the unpaid premiums, then there is no incentive to buy insurance, and the insurer loses money on the patient (since the premiums are calculated as the amount of money needed to cover losses on average, plus a profit).

      What you propose is like a retirement plan where you tell people to save up for retirement, and then if they fail to do so and have no money you fine them, except they have no money so you can't fine them, and you still have to pay for their retirement. If you want people to invest in the future you have to give them incentive to do it when they can actually do it (whether investment is for retirement, or future health problems, or whatever).

      The thing is, the people who say they don't want/need insurance are more than happy to sign up for it once they get an expensive medical condition, so what they usually really want is to have the benefits of insurance without actually paying for it.

      What people want is to not pay for something until they need it. They don't want to buy new tires for their car until their old ones need replacing. They do not want to buy another gallon of milk until the other is almost empty. Can you blame them for not wanting to be forced into buying something they do not need at the moment?

      This is INSURANCE. The whole point of insurance is that you don't know when you'll need it, so you pay money now so that in the event you need it you know you'll have it. I "waste" money on fire insurance every month. My house will probably never burn down, and thus I'll probably never get anything back. However, if my house does burn down, then I get a new house for very little money.

      The only way to allow people to not buy health insurance is if we as a society refuse to provide care for them when they get sick unless they can pay the full bill themselves. If we were all sociopaths that system would work just fine, and people WOULD buy insurance because they would understand the consequences i

    4. Re:oh, sorry by Rich0 · Score: 2

      What happens if you have no insurance for 20 years, and never get sick. Then you sign up for insurance and pay your bills for 5 years. Then you get sick. What is the fine, and what happens if the person doesn't have the money to pay it at this point?

      Do you even understand this question? What happens if I purchase insurance for 2 months and get sick. It doesn't matter, I purchased the insurance just the same as if I purchased it 20 years ago.

      The whole point of insurance is that in order for it to work, people need to pay MORE than they consume on average. If people wait until they're sick to sign up, it can't work.

      This is INSURANCE. The whole point of insurance is that you don't know when you'll need it, so you pay money now so that in the event you need it you know you'll have it. I "waste" money on fire insurance every month. My house will probably never burn down, and thus I'll probably never get anything back. However, if my house does burn down, then I get a new house for very little money.

      And some people do not and will not need it. Why are they forced to pay for it when they do not want to? Why are normal law abiding citizens being told they are no longer free and must do as the government says and purchase something from a third party when they do nothing wrong?

      So, your choices are force everybody to buy insurance even if they don't "need" it, or let people die when it turns out that they needed it after all.

      In most cases insurance is voluntary, but then you suffer the loss if you don't have it. That's how health care was supposed to work before the ACA. The problem with that is that insurance companies were scumbags and if there was any lapse in coverage they assumed that your sickness started during the lapse and denied coverage. On the other hand, if you get rid of that loophole then everybody else behaves like scumbags and avoids paying for insurance until they start to feel sick.

      What happens when some gun nut tea party gets elected and declares that anyone who doesn't own a gun has to pay a $2000 a year penalty?

      If people who didn't own guns cost the average citizen money, then I'd be fine with such a law. People without health insurance DO cost others money, unless we as a society choose to let them die.

      The only way to allow people to not buy health insurance is if we as a society refuse to provide care for them when they get sick unless they can pay the full bill themselves. If we were all sociopaths that system would work just fine, and people WOULD buy insurance because they would understand the consequences if they didn't.

      lol... so the last 200+ years of this country didn't happen and everything starts right now because you thought of something you pretend is the only possible logic?

      Yeah, I guess everything being peachy is the reason Obama won the election... The previous system worked reasonably well for anybody with a job with a large employer. The problem is that costs are spiraling out of control and the model just wasn't sustainable, and MANY people had no healthcare at all.

      They would call 911 with chest pains, the call center would be set up to do an automatic insurance/credit check, and the guy on the phone would tell them that if they'd like an ambulance they need to get somebody else to provide a credit card number if the credit check isn't good. That isn't the society most voters want to live in.

      And that happens every day in the previous 200+ years of our country's existence? Am I right or are you making things up in order to justify your worldview?

      200 years ago if you dialed 911 you wouldn't get an answer, because you didn't have a phone. We hardly have 200 years of experience with modern medicine. Go take a l

  3. Re:Yea right... by Penguinisto · Score: 3, Interesting

    Leads to an honest question that cropped up... does the federal government have to abide by any sort of data-breach reporting laws (be they state or federal)?

    (maybe they have their own, maybe they're exempt... I'm not a lawyer, but it'd be worth looking up...)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?

  4. This does not seem to be news by SuperKendall · Score: 4, Insightful

    I have no love for Healthcare.gov, but honestly just about every site is sending out notices that people may want to change passwords. Heck, Yahoo *made* me change my password.

    Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

    1. Re:This does not seem to be news by dkf · Score: 2

      Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.

      As I understand it, the majority of the implementation of healthcare.gov is Java. Java's SSL implementation doesn't have the heartbleed bug at all (and implementing this bug would actually take a lot more work than doing it right). If there's a problem, it's most likely in a front-end load balancer; I don't know if you'd see a lot of user credentials in that case, as the damage wouldn't be in systems that handle client authentication.

      The database(s) might be affected too, but you probably can't reach them from a normal system; the heavily firewalled approach is a favorite of Big Software Contractors and is actually right in this case. I suppose if they were affected, processing the update to them (carefully as you don't want to lose data!) would count as preventative treatment while still properly supporting the assertion that no real damage was done.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"

  5. Re:Yea right... by Anonymous Coward · Score: 4, Informative

    FISMA/SCAP regulations are the main ones. Data stored there is likely SBU (sensitive but unclassified.)

    It is a pretty thorough set of regulations. This is why not many cloud providers (if any!) are FISMA compliant, as it requires random audits by the government.

    I'd love to see a standard in the private industry that had planned and random audits of security, with actual consequences (PCI-DSS3 comes close), but most security in the private sector seems to be "does the vendor say it is secure? OK, it is."

  6. Grandparent had it right. by Ungrounded Lightning · Score: 2

    The word you are looking for is "preventive".

    No, it's not. The usage you're complaining about is perfectly valid.

    "Preventative" has been in use since 1666 as an alternate pronunciation and spelling for "preventive".

    In some regions (including where I grew up - almost in the center of the region natively speaking the "radio accent", which has been the de facto standard speech for the U.S. since the advent of commercial broadcasting) it is the preferred form.

    If you want to be a spelling NAZI, you should avoid being provincial about it. Check the online dictionaries before correcting others, to distinguish between being helpful and imposing your local speech on others.

    Unlike French ("a dead language spoken by millions"), American English does not have a regulatory body prescribing an official standard (though some educators have tried, since at least Daniel Webster). It grows and changes by usage. Dictionaries play a game of catch-up and try to document how it's really used.

    (Yes, I know how it grates on your nerves when someone uses a different spelling or pronunciation than you're used to. I feel the same way when my wife pronounces "legacy" as if she was talking about a ledge. But apparently that's actually the first pronunciation listed in The Oxford.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  7. Re:Yea right... by Oysterville · Score: 2

    They traditionally haven't paid much attention to the law, so I'm not certain that they would do much different here.