Preventative Treatment For Heartbleed On Healthcare.gov
As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though: the article goes on to point out immediately that this does not mean the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page."
Also at The Verge
"no indication ... site has been compromised"
I believe them.
What possible motive would a hacker have for targeting a site containing social security, tax, medical, personal, and financial information?
I'm sure it's all perfectly secure.
Just in case, though, you should probably change your one-factor authentication token so that the next time your "keep me logged in" cookie expires, it's hard to remember.
Sorry, heartbleed is actually a pre-existing condition so it's not covered.
I have no love for Healthcare.gov, but honestly just about every site is sending out notices that people may want to change passwords. Heck, Yahoo *made* me change my password.
Like everyone else, they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
FISMA/SCAP regulations are the main ones. Data stored there is likely SBU (sensitive but unclassified.)
It is a pretty thorough set of regulations. This is why not many cloud providers (if any!) are FISMA compliant, as it requires random audits by the government.
I'd love to see a standard in the private industry that had planned and random audits of security, with actual consequences (PCI-DSS3 comes close), but most security in the private sector seems to be "does the vendor say it is secure? OK, it is."