Posted November 25, 2013
Since the launch of healthcare.gov, the US government’s new Affordable Care Act (ACA) insurance marketplace website, most of the press coverage has focused on the difficulties people have had signing up for the new “Obamacare” health insurance exchanges and on the technical glitches that have plagued the site. Some security experts have even called for healthcare.gov to be taken offline until the problems are fixed.
Apart from the obvious lessons around managing expectations and having a strong public relations plan in place, what can your organization learn from this launch?
Here are the first three things to consider:
1. The bigger the website, the bigger the target. Any popular site with a lot of traffic will attract the attention of cyber criminals, and healthcare.gov is no exception; many security experts fear it has already been compromised or soon will be. Popular online destinations are attractive to attackers for two reasons: the large attack surface that comes with broad functionality and many back-end integrations, and the rich personal and financial data they typically collect. Tip: As your site traffic grows and your customer base increases, budget to scale your security measures (testing, monitoring and incident response) accordingly.
2. Web application security shouldn’t be an afterthought. Getting important functionality such as new web applications released on time usually takes precedence over security, and unless there is a genuine organizational commitment to security, rather than a “check the box” mentality aimed at satisfying the Payment Card Industry Data Security Standard (PCI DSS) or other compliance requirements, this leads to painful problems later. Tip: As you design your website or add new functionality, build security into the development process for critical web applications: threat modeling during design, code review and security testing before release, and protections such as input validation and secure response headers in the application itself, rather than relying on perimeter controls alone.
3. Security updates should be included in scheduled releases. In the not-so-distant past, software and websites were released in long development cycles, with lots of new features released just once or twice per year. Most web development teams these days use agile development models, in which work is carried out in much shorter bursts with more modest and achievable goals, and releases may happen every week or every month.
For example, when healthcare.gov originally opened for enrollment on October 1, the site was vulnerable to click-jacking, an attack in which the attacker loads the target site inside an invisible frame on a page they control, so that a user who thinks they are clicking on the attacker’s page is actually clicking buttons or links on the target site. In the weeks since its debut, however, healthcare.gov has added the X-Frame-Options response header, which tells supporting browsers not to render the site inside a frame on another origin and so sharply reduces the likelihood of such an attack.
Small, incremental security improvements like this are the kind of behavior that should be ingrained in the web teams of any large organization, whether public sector or Fortune 50. Tip: Make security enhancements an explicit part of your ongoing development commitment and roadmap.
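The X-Frame-Options mitigation described under point 3, as an added example that is not code from the original post and not healthcare.gov’s own configuration: a small Python WSGI middleware that forces the header (and, when the application sets no Content-Security-Policy of its own, the equivalent frame-ancestors directive that newer browsers prefer), plus a checker that classifies a response’s framing protection the way a pre-release security test would. The enrollment_app stub, the header values and the category names are all assumptions constructed for the example.

```python
"""Clickjacking protection for a WSGI app: add the headers, then audit them.

Added example (not from the original post or from healthcare.gov); every
name below is constructed for illustration. Runs offline, no network needed.
"""
from typing import Callable, Dict, Iterable, Mapping, Optional


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_protection(headers: Mapping[str, str]) -> str:
    """Classify a response's protection against being framed by another origin.

    "csp"  : Content-Security-Policy with frame-ancestors (browsers that
             support it give it precedence over X-Frame-Options)
    "xfo"  : X-Frame-Options DENY or SAMEORIGIN
    "weak" : X-Frame-Options present but unreliable (ALLOW-FROM was never
             widely supported; unknown or multiple values are handled
             inconsistently across browsers)
    "none" : no framing restriction, i.e. the page is clickjackable
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        for directive in (d.strip().lower() for d in csp.split(";")):
            if directive.startswith("frame-ancestors"):
                sources = directive.split()[1:]
                # "frame-ancestors *" permits every origin: no protection at all.
                return "none" if sources == ["*"] else "csp"

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "none"
    tokens = [t.strip().upper() for t in xfo.split(",")]
    if len(tokens) == 1 and tokens[0] in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "weak"


def add_frame_protection(app: Callable, policy: str = "DENY") -> Callable:
    """WSGI middleware that forces X-Frame-Options and, when the wrapped app
    emits no Content-Security-Policy of its own, the matching frame-ancestors rule."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    ancestors = "'none'" if policy == "DENY" else "'self'"

    def wrapped(environ, start_response):
        def guarded_start_response(status, response_headers, exc_info=None):
            # Drop any X-Frame-Options the app emitted so the policy is unambiguous.
            kept = [(k, v) for k, v in response_headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", policy))
            if not any(k.lower() == "content-security-policy" for k, _ in kept):
                kept.append(("Content-Security-Policy", f"frame-ancestors {ancestors}"))
            return start_response(status, kept, exc_info)

        return app(environ, guarded_start_response)

    return wrapped


def enrollment_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for an unprotected enrollment page: no framing headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<form method='post'><button>Enroll</button></form>"]


def response_headers_for(app: Callable, path: str = "/") -> Dict[str, str]:
    """Call a WSGI app in-process and return its response headers as a dict."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = app(environ, start_response)
    for _ in body:  # drain the body; some apps only call start_response while iterating
        pass
    if hasattr(body, "close"):
        body.close()
    return captured


if __name__ == "__main__":
    before = response_headers_for(enrollment_app)
    after = response_headers_for(add_frame_protection(enrollment_app))
    print("unprotected:", frame_protection(before))  # none
    print("protected:  ", frame_protection(after))   # csp
```

To audit a deployed site, feed frame_protection the headers of a real response from any HTTP client; anything other than "csp" or "xfo" belongs on the next sprint’s backlog. Two caveats a practitioner should keep in mind: the header only protects users whose browsers honor it, and a page that legitimately must be embedded by a partner should keep the protection and list the permitted origins in frame-ancestors rather than removing the header or falling back to the poorly supported ALLOW-FROM value.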
Stay tuned for Part II, which will cover 4 through 6.