Healthcare.gov stores none of that data?: Is There A Problem Here?: Healthcare.gov stores none of that data?

20131112

Problem ID: 4120113249525612564
Entered by: Ben Simo

Healthcare.gov stores none of that data?

I would tell you
we are storing the minimum amount of data,
because we think that's very important.
The hub is not a data collector.
It is actually using data centers
at the IRS,
at Homeland Security,
at Social Security
to verify information,
but it stores none of that data.

- HHS Secretary Kathleen Sebelius

Healthcare.gov does not only use data from other sources to verify information, it returns that information to the web browser. Here is some of the data returned to the web browser that I did not enter. This is data retrieved from other systems and returned to my web browser while I was filling out an insurance application on the Healthcare.gov Insurance Marketplace -- also known as "The Hub".

In the below example, I have replaced my personal information with: REDACTED.

{
"csrf" : null,
"identifier" : "REDACTED",
"datetime" : "2013-11-08TREDACTED",
"memberEligibility" : null,
"memberVerification" : {
"csrf" : null,
"requestSentDate" : null,
"resultReceivedDate" : null,
"reasonText" : null,
"resultText" : null,
"indicator" : null,
"sourceName" : null,
"memberVerificationType" : "Income",
"incomeVerification" : null,
"ssaNameControlText" : null,
"timer" : null,
"adjudicator" : null,
"verificationActiveIndicator" : false,
"memberVerificationTypeName" : null,
"memberIncarcerationVerification" : null,
"dataSourceType" : {
"csrf" : null,
"dataSourceTypeCode" : "EDS",
"dataSourceTypeName" : "EDS",
"dataSourceExternalIndicator" : true
},
"dataFoundIndicator" : true,
"verificationDeterminationDateTime" : "2013-11-08TREDACTED",
"memberResidencyVerification" : null,
"addressServicedIndicator" : false,
"medicaidStateIndicator" : false,
"memberImmigrationStatusVerification" : null,
"ssnVerified" : false,
"citizenshipVerified" : false,
"edsResponseExpected" : false,
"dhsResponseCode" : null,
"requestIdentifier" : null,
"dataExpectedIndicator" : true,
"reportedHubErrorTypeCode" : null,
"reportedHubErrorTypeName" : null,
"requestedApplicationMemberNonESIMecVerification" : [],
"mecOtherPublicNonEsiInconsistencyCount" : null,
"memberCurrentIncomeVerification" : {
"csrf" : null,
"preliminaryMedicaidMAGIIndicator" : null,
"preliminaryAPTCIndicator" : null,
"currentIncomeInconsistantExplanationText" : null,
"requestedCurrentIncomeSourceVerification" : [{
"csrf" : null,
"reportedIncomeFrequencyTypeCode" : "REDACTED",
"reportedIncomeFrequencyTypeName" : null,
"classifyingIncomeSourceTypeCode" : "REDACTED",
"classifyingIncomeSourceTypeName" : null,
"currentIncomeVerificationSourceAmount" : REDACTED (my current monthly income),
"currentIncomeVerificationStatusReceivedDateTime" : null,
"currentIncomeVerificationRequestIdentifier" : null,
"currentIncomeVerificationStatusReasonText" : null,
"currentIncomeVerificationStatusIndicator" : "Y",
"currentIncomeVerificationDataFoundIndicator" : false,
"currentIncomeVerificationDataExpectedIndicator" : true,
"currentIncomeVerificationDeterminationDateTime" : "REDACTED",
"reportedMemberCurrentIncomeSourceSystemError" : [],
"periodCycleTypeCode" : null,
"periodCycleTypeName" : null,
"percentThreshholdCurrentIncome" : null,
"percentThreshholdLimit" : null,
"definingVerificationStatusReasonTypeCode" : null,
"providingIncomeOrganization" : {
"csrf" : null,
"officeSymbolText" : null,
"businessStatusDate" : null,
"organizationStructureType" : null,
"externalOrganizationIdentifier" : [{
"csrf" : null,
"text" : "REDACTED (my employer's tax ID)",
"effectiveDate" : null,
"organizationIdentifierType" : {
"csrf" : null,
"identiferTypeName" : null,
"identifierTypeCode" : null
}
}
],
"issuerOrganization" : null,
"organizationNomenclature" : [{
"csrf" : null,
"effectiveDate" : null,
"text" : "REDACTED (my employer's name)",
"nomenclatureType" : null
}
],
"issuerUser" : [],
"organizationType" : null,
"organizationAddress" : [{
"csrf" : null,
"organizationAddressEndDate" : null,
"addressPlace" : {
"csrf" : null,
"zipPlus4Code" : "REDACTED",
"streetName1" : "REDACTED (my employer's address)",
"streetName2" : null,
"cityName" : "REDACTED",
"stateCode" : "REDACTED",
"countryCode" : null,
"concurrencyHash" : null,
"countyName" : null,
"countyFipsCode" : null
},
"organizationAddressCategoryCode" : null,
"organizationAddressStartDate" : null
}
],
"organizationIdentifier" : null,
"organizationEmail" : [],
"organizationTelephone" : [],
"companyEmailDomainName" : null,
"organizationBusinessStatus" : null,
"organizationURL" : [],
"employerOrganization" : null
},
"calculatedMonthlyIncomeEquivalentIndicator" : false,
"mostRecentHireDate" : "REDACTED (the date I was hired)",
"payPeriodEndDate" : "REDACTED (the date of my last paycheck)",
"employmentTerminationDate" : null,
"payRate" : REDACTED (the amount of my last paycheck),
"payRateFrequencyCode" : REDACTED,
"workHourQuantity" : REDACTED,
"ongoingMonthlyBenefitCreditedAmount" : null,
"personDisabledIndicator" : false
}
],
"currentIncomeInconsistantExplanationIndicator" : null,
"pendingMedicaidReasonText" : null
},
"reportedSourceSystemError" : [],
"taxHouseholdSizeDifference" : null,
"useAnnualIncome" : null,
"supportingPhysicalDocument" : [],
"applicantPregnancyCategoryIndicator" : null,
"applicantChildCategoryIndicator" : null,
"priorNumbersMatch" : false,
"notToBeCheckedStatus" : false,
"priorSSNCitizenshipDataMatch" : false,
"finalizingDataSourceType" : {
"csrf" : null,
"dataSourceTypeCode" : null,
"dataSourceTypeName" : null,
"dataSourceExternalIndicator" : false
},
"statusExpired" : null,
"chipOrMAGIEligibleStatus" : null,
"memberTitleIIWorkQuarterVerification" : null,
"priorUSCitizenIndicator" : null,
"householdSize" : null,
"incomeEligibleUnderRPCIndicator" : null,
"requestedApplicationMemberESCMecVerification" : [],
"relatedApplicationMemberVerificationTask" : null
},
"memberCalculation" : null,
"memberEventType" : "Verification",
"id" : null
}

The system also appears to return Title II Social Security income and incarceration history. As neither of these apply to me, the values are mostly null or false. The above example is the result of one of many verification events I see in the JSON object returned to my web browser. I suspect there may be even more personal data retrieved from the back end systems for people in situations that differ from mine.

I understand that this data may be needed to process an insurance application, but I can think of no good reason to return all this data to the web browser. Returning such data retrieved from back end systems to the web browser increases the damage than can be done (and the value to identity thieves) in cases that accounts are compromised. And, if one has already obtained another's Name, date of birth, and Social Security Number, I suspect that Healthcare.gov could be easily used to gather more information.

Healthcare.gov may have created a web portal into government systems that were previously secured from unauthorized access. This is reckless web design.

Edit

0 Comments:

Post a Comment

Usability Heuristics

• Visibility of system status Visibility of system status: The system should always keep users informed about what is going on, through appropriate feedback within reasonable time.

• Match between system and the real world Match between system and the real world: The system should speak the users' language, with words, phrases and concepts familiar to the user, rather than system-oriented terms. Follow real-world conventions, making information appear in a natural and logical order.

• User control and freedom User control and freedom: Users often choose system functions by mistake and will need a clearly marked "emergency exit" to leave the unwanted state without having to go through an extended dialogue. Support undo and redo.

• Consistency and standards Consistency and standards: Users should not have to wonder whether different words, situations, or actions mean the same thing. Follow platform conventions.

• Error prevention Error prevention: Even better than good error messages is a careful design which prevents a problem from occurring in the first place. Either eliminate error-prone conditions or check for them and present users with a confirmation option before they commit to the action.

• Recognition rather than recall Recognition rather than recall: Minimize the user's memory load by making objects, actions, and options visible. The user should not have to remember information from one part of the dialogue to another. Instructions for use of the system should be visible or easily retrievable whenever appropriate.

• Flexibility and efficiency of use Flexibility and efficiency of use: Accelerators -- unseen by the novice user -- may often speed up the interaction for the expert user such that the system can cater to both inexperienced and experienced users. Allow users to tailor frequent actions.

• Aesthetic and minimalist design Aesthetic and minimalist design: Dialogues should not contain information which is irrelevant or rarely needed. Every extra unit of information in a dialogue competes with the relevant units of information and diminishes their relative visibility.

• Help users recognize, diagnose, and recover from errors Help users recognize, diagnose, and recover from errors: Error messages should be expressed in plain language (no codes), precisely indicate the problem, and constructively suggest a solution.

• Help and documentation Help and documentation: Even though it is better if the system can be used without documentation, it may be necessary to provide help and documentation. Any such information should be easy to search, focused on the user's task, list concrete steps to be carried out, and not be too large.

Consistency Heuristics

-F amiliar Familiar: The product is not consistent with the pattern of any familiar problem.

E xplainable Explainable: The product is explainable.

W orld World: The product is consistent with the real world.

H istory History: The present version of the product is consistent with past versions of it.

I mage Image: The product is consistent with an image that the organization wants to project.

C omparable Products Comparable Products: The product is consistent with comparable systems.

C laims Claims: The product is consistent with what important people say it’s supposed to be.

U ser Expectations User Expectations: The product is consistent with what users want.

P roduct Product: Each element of the product is consistent with comparable elements in the same system.

P urpose Purpose: The product is consistent with its purposes, both explicit and implicit.

S tatutes Statutes: The product is consistent with applicable laws.

FAILURE Heuristics

F unctional Functional: The error detecting, reporting, and handling functions properly.

A ppropriate Appropriate: Errors are reported at the appropriate time in an appropriate manner.

I mpact Impact: The impact of the failure is communicated to those impacted.

L og Log: The error is appropriately logged; or not logged.

U ser Interface User Interface: The error is reported in the user interface in terms that the user understands.

R ecovery Recovery: The user is informed of what they need to do to recover from the error.

E motions Emotions: The error handling and reporting has a positive influence on user emotions.

Security Vulnerabilities

1. Injection Injection: Injection flaws occur when untrusted data is sent to an interpreter as part of a command. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without authorization.

2. Broken authentication and session management Broken authentication and session management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

3. Cross-Site Scripting Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

4. Insecure Direct Object References Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to gain unauthorized access to data.

5. Security Misconfiguration Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

6. Sensitive Data Exposure Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

7. Missing Function Level Access Control Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

8. Cross-Site Request Forgery Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

9. Using Components with Known Vulnerabilities Using Components with Known Vulnerabilities: Running software components with known vulnerabilities can compromise the vulnerable components and anything those components can access -- undermining defenses.

10. Unvalidated Redirects and Forwards Unvalidated Redirects and Forwards: Using untrusted data, without validation, to determine the destination of redirects and forwards can enable attackers to redirect victims to phisihing or malware sites.

Is There A Problem Here?

20131112

Healthcare.gov stores none of that data?

0 Comments:

Post a Comment

Problem or no problem?

Usability Heuristics

Consistency Heuristics

FAILURE Heuristics

Security Vulnerabilities

Popular

Recent Problems

Recent Comments