
Preventative Treatment For Heartbleed On Healthcare.gov

Posted by timothy
from the welcome-to-centralized-medicine-dot-gov dept.
As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though: the article goes on to immediately point out that this does not mean the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge.

  • by tlambert (566799) on Saturday April 19, 2014 @10:20PM (#46797719)

    "no indication ... site has been compromised"

    I believe them.

    What possible motive would a hacker have for targeting a site containing social security, tax, medical, personal, and financial information?

    I'm sure it's all perfectly secure.

    Just in case, though, you should probably change your one-factor authentication token so that the next time your "keep me logged in" cookie expires, it's hard to remember.

    • by davidhoude (1868300) on Saturday April 19, 2014 @10:45PM (#46797787)

      Due to the fact that this exploit leaves no traces in server log files, we have concluded that there is no evidence of an attack on our servers.

      • by tlambert (566799)

        If only it could have been prevented via a cheap, preventive program, instead of costing so much later! I know! We should lobby them to create a new agency, one tasked with the security of the nation, and when they knew about risks like this, why, they could step in and ensure that no one would unwittingly deploy vulnerable systems in the first place!

        Perhaps we could call them the Responsible Agency for Intelligently Securing the Interests of the Nation... R.A.I.S.I.N., for short... or National Organizati

    • Re: (Score:3, Insightful)

      by laird (2705)

      The site doesn't have any medical information at all. That's one of the advantages of outlawing the "pre-existing condition" scam - you no longer have to tell insurers your medical history to buy insurance. And the web site only needs enough other information to verify your identity and income (for computing the subsidy you qualify for, if any). And since they don't collect any payments, they have no payment info (no credit card numbers, etc.) or any credit history.

      And on top of that, once the data is passe

      • by tlambert (566799)

        The site doesn't have any medical information at all. That's one of the advantages of outlawing the "pre-existing condition" scam - you no longer have to tell insurers your medical history to buy insurance.

        No, you still have to tell them; that provision of ACA doesn't occur until the end of this year, after you are already enrolled (by which time, it's too late). Until then, they have to let you enroll; they don't, however, have to charge you a reasonable monthly rate if you have a pre-existing condition. They said they had to let you buy it, not that it wouldn't be expensive. That's one of the reasons the first 'A' in 'ACA' is a bit misleading.

        • by laird (2705)

          The pre-existing condition exclusion was outlawed starting 1/1/2014. And that applies to all insurance plans sold through the exchanges, including all of the plans sold through the healthcare.gov web site, which is what we're discussing.

          The extension until 2015 was to allow insurance companies to keep existing customers on insurance plans that aren't up to the standards, but those are sold directly by the insurance companies, not through the exchanges, so aren't relevant to this discussion. And since i

  • by Anonymous Coward

    The word you are looking for is "preventive".

    • The word you are looking for is "preventive".

      No, it's not. The usage you're complaining about is perfectly valid.

      "Preventative" has been in use since 1666 as an alternate pronunciation and spelling for "preventive".

      In some regions (including where I grew up - almost in the center of the region natively speaking the "radio accent", which has been the de facto standard speech for the U.S. since the advent of commercial broadcasting) it is the preferred form.

      If you want to be a spelling NAZI, you should avoid

  • oh, sorry (Score:5, Funny)

    by slashmydots (2189826) on Saturday April 19, 2014 @11:20PM (#46797873)
    Sorry, heartbleed is actually a pre-existing condition so it's not covered.
    • That would have been funny if the law hadn't eliminated that insurance company scam.
      • Wroooooooong. It's illegal to not accept you as a health insurance customer due to a pre-existing condition. It's not illegal to make you sign a waiver saying they won't cover it, like for example seasonal allergies, like for example my policy.
        • Well you convinced me! You can't be wrong - you dipped into your emergency supply of o's to put *8* of them in one word.

          I'm thinking Claritin overdose. Am I right?
  • by SuperKendall (25149) on Saturday April 19, 2014 @11:28PM (#46797891)

    I have no love for Healthcare.gov, but honestly just about every site is sending out notices that people may want to change passwords. Heck, Yahoo *made* me change my password.

    Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.

    • by mwvdlee (775178)

      This.
      Every single site that was vulnerable to Heartbleed should be resetting all passwords.
      There are a LOT of sites that were vulnerable, but very few have done large scale password resets.
      The only bad thing Healthcare.gov is doing is letting people choose to change passwords; they should do what Yahoo did.

    • by dkf (304284)

      Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.

      As I understand it, the majority of the implementation of healthcare.gov is Java. Java's SSL implementation doesn't have the heartbleed bug at all (and implementing this bug would actually take a lot more work than doing it right). If there's a problem, it's most likely in a front-end load balancer; I don't know if you'd see a lot of user credentials in that case, as the damage wouldn't be in systems that handle client authentication.

      The database(s) might be affected too, but you probably can't reach them f

  • This is completely absurd. They have to know right away whether or not their website logins were vulnerable (that is, were they running OpenSSL with the bug) or whether they were running other versions of SSL without heartbleed. It's a black and white situation. There's no gray middle ground.
    • by Anonymous Coward

      Vulnerable is not the same as compromised (even though best practices dictate it should be treated as such when rebuilding systems). You can be vulnerable to a security issue without that issue having been exploited -- or, in most cases, vulnerable without having any evidence that issue was exploited.

  • Nobody can type "yum update openssl"?

    • by Anonymous Coward

      Does `yum update openssl` generate new keys, generate new CSRs, submit CSRs with payment information to the CA, update sites with the new certificates once the CA has signed them, and then notify all users that they should change their passwords? Didn't think so.
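
Picking up the checklist in the reply above, here is an added example (not code from the thread or from any of the posters) of the steps `yum update openssl` leaves undone, in POSIX shell with the openssl CLI: a version screen against the known vulnerable range, a fresh private key and CSR, and checks that the CSR and the certificate that comes back actually carry the new key. The hostname `www.example.test`, the file names and the self-signed stand-in for the CA-issued certificate are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the post-Heartbleed remediation
# that `yum update openssl` alone does not do. Hostname, directory and file
# names here are assumptions chosen for the example.

# Heartbleed shipped in OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1);
# 1.0.1g was the fixed release. Takes the version string as an argument so
# it can be checked against any output of `openssl version`.
# Caveat: distributions backport fixes without bumping the version, so this
# is a first screen, not proof either way; confirm with the vendor advisory
# or the package changelog.
openssl_version_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1 of the reply's list: a brand-new private key. The old key has to be
# treated as disclosed, because the bug read arbitrary process memory and,
# as the thread notes, left nothing in the server logs to say it did not.
generate_new_key_and_csr() {
    dir=$1
    cn=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null || return 1
    openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" \
        -out "$dir/csr.pem" 2>/dev/null
}

# Sanity check before submitting the CSR: its public key must be the one
# derived from the fresh private key, not a leftover from the old key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Same check on the certificate that comes back from the CA: the cert
# installed on the front end must carry the new public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run. A self-signed certificate stands in for the CA-issued one,
# since no CA is involved in an offline example.
main() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if openssl_version_vulnerable "$ver"; then
        echo "openssl $ver is in the Heartbleed range; patch before rotating keys" >&2
        return 1
    fi
    dir=$(mktemp -d)
    generate_new_key_and_csr "$dir" "www.example.test" || return 1
    csr_matches_key "$dir/csr.pem" "$dir/key.pem" || return 1
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" -days 30 \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    cert_matches_key "$dir/cert.pem" "$dir/key.pem" || return 1
    echo "new key, CSR and (placeholder) certificate in $dir"
    echo "still to do by hand: revoke the old certificate, install the new one,"
    echo "invalidate all existing sessions, and tell users to change passwords"
}

main
```

The two `*_matches_key` checks are the part most often skipped in a hurried rotation: comparing the public key in the CSR and in the returned certificate against the new private key catches the case where an old CSR was resubmitted and the "new" certificate still carries the key that Heartbleed may have leaked.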

  • Because with Heartbleed being introduced in early 2012, long before that website launched, it would have been one hell of a pre-existing condition. :P
