Preventative Treatment For Heartbleed On Healthcare.gov
As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page."
Also at The Verge
Re:Yea right... (Score:4, Interesting)
Leads to an honest question that cropped up... does the federal government have to abide by any sort of data-breach reporting laws (be they state or federal)?
(maybe they have their own, maybe they're exempt... I'm not a lawyer, but it'd be worth looking up...)
Re:Yea right... (Score:4, Informative)
FISMA/SCAP regulations are the main ones. Data stored there is likely SBU (sensitive but unclassified.)
It is a pretty thorough set of regulations. This is why not many cloud providers (if any!) are FISMA compliant, as it requires random audits by the government.
I'd love to see a standard in the private industry that had planned and random audits of security, with actual consequences (PCI-DSS3 comes close), but most security in the private sector seems to be "does the vendor say it is secure? OK, it is."
Re: (Score:2)
Probably one of the smarter things the government has done.
Re: (Score:2)
Yeah, they do, or the Meta-cops will bust them for not doing the right thing.
There are meta-cops, right?
The Fed is answerable, right?
Someone is big enough to do something about it, if they don't, right?
If there is a law they have to obey it or face consequences, right?
We have a long list of examples of this, right?
Bush? Clinton? Reagan? Carter? Ford? NIXON... see, someone got caught, feel better? Johnson didn't get caught because he was funny and Kennedy didn't get caught because he was a soap opera. Only h
Re: (Score:2)
Meanwhile Kathleen Sebelius sneaks back to Kansas and hides in the basement of an outhouse.....
In Union of the Soviet Socialist States of Amerika (Score:2)
we bleed hearts..
"no indication ... site has been compromised" (Score:5, Funny)
"no indication ... site has been compromised"
I believe them.
What possible motive would a hacker have for targeting a site containing social security, tax, medical, personal, and financial information?
I'm sure it's all perfectly secure.
Just in case, though, you should probably change your one-factor authentication token so that the next time your "keep me logged in" cookie expires, it's hard to remember.
Re:"no indication ... site has been compromised" (Score:5, Insightful)
Due to the fact that this exploit leaves no traces in server log files, we have concluded that there is no evidence of an attack on our servers.
Re: (Score:3)
If only it could have been prevented via a cheap, preventive program, instead of costing so much later! I know! We should lobby them to create a new agency, one tasked with the security of the nation, and when they knew about risks like this, why, they could step in and ensure that no one would unwittingly deploy vulnerable systems in the first place!
Perhaps we could call them the Responsible Agency for Intelligently Securing the Interests of the Nation... R.A.I.S.I.N., for short... or National Organizati
Re: (Score:3, Insightful)
The site doesn't have any medical information at all. That's one of the advantages of outlawing the "pre-existing condition" scam - you no longer have to tell insurers your medical history to buy insurance. And the web site only needs enough other information to verify your identity and income (for computing the subsidy you qualify for, if any). And since they don't collect any payments, they have no payment info (no credit card numbers, etc.) or any credit history.
And on top of that, once the data is passe
Re: (Score:2)
The site doesn't have any medical information at all. That's one of the advantages of outlawing the "pre-existing condition" scam - you no longer have to tell insurers your medical history to buy insurance.
No, you still have to tell them; that provision of ACA doesn't occur until the end of this year, after you are already enrolled (by which time, it's too late). Until then, they have to let you enroll, they don't, however, have to charge you a reasonable monthly rate if you have a pre-existing condition. They said they had to let you buy it, not that it wouldn't be expensive. That's one of the reasons the first 'A' in 'ACA' is a bit misleading.
Re: (Score:2)
The pre-existing condition exclusion was outlawed starting 1/1/2014. And that applies to all insurance plans sold through the exchanges, including all of the plans sold through the healthcare.gov web site, which is what we're discussing.
The extension until 2015 was to allow insurance companies to keep existing customers on insurance plans that aren't up to the standards, but those are sold directly by the insurance companies, not through the exchanges, so aren't relevant to this discussion. And since i
Wording... (Score:1)
The word you are looking for is "preventive".
Grandparent had it right. (Score:3)
The word you are looking for is "preventive".
No, it's not. The usage you're complaining about is perfectly valid.
"Preventative" has been in use since 1666 as an alternate pronunciation and spelling for "preventive".
In some regions (including where I grew up - almost in the center of the region natively speaking the "radio accent", which has been the de facto standard speech for the U.S. since the advent of commercial broadcasting) it is the preferred form.
If you want to be a spelling NAZI, you should avoid
oh, sorry (Score:5, Funny)
Re: (Score:1, Flamebait)
The latest CBO report [cbo.gov] shows that the law is on track to reduce the total number of uninsured people by 12 million this year. Page 8 of the PDF.
And if you check page 14, you'll see that that estimate was based on just enrolling 6 million people in the exchanges this year. The actual number is 8 million.
But keep lying. Maybe if you repeat it enough, it'll turn true!
Re: (Score:3)
If by costing less you mean costing more, and by doing nothing you mean fucking over the Constitution.. you're exactly right.
Re: (Score:2)
Yeah, even the ridiculously activist Supreme "corporations are people and money is speech" Court didn't think they could get away with that one.
Try another talking point. Benghazi maybe?
Re: (Score:2)
They have no credibility on that case. It's either a tax or a fine. The court allowed the feds to use either throughout the testimony. It's one or the other, not both. The court gave the administration a free pass.
The courts aren't always right. Now it's up to the people.
Re: (Score:2)
The founding fathers passed a mandatory healthcare plan (for sailors) with government-collected penalty for non-payment. So I doubt that they'd agree with your "logic".
Re: (Score:2)
The non-partisan CBO says that ACA is saving the budget $billions, and is saving more money than originally projected (http://www.cbo.gov/publication/44176). For example, the 80/20 rule (that caps insurance company overhead at 20%) has already saved consumers $4 billion by itself. And healthcare costs went up less this year than any year in decades.
And many millions of Americans have healthcare that didn't before, which saves lives. And, interestingly, it also saves money, because people with regular health
Re: (Score:3)
I don't see the mention of 12 billion at all on that page or the ones next to it. All I see is that 6 billion are projected to be enrolled through the exchanges this year.
I did however see where a lot of those enrolled were subsidized through already available health aid like medicaid and medicare (chips and such).
It is interesting that the claim was made that roughly 15% of Americans didn't have insurance or around 45 million people and this was the reasoning why we needed federal involvement in insurance.
Re: (Score:2)
I suspect that a big part of the problem is that the fine for not having insurance is too low. That discourages healthy young people from signing up, since they can always sign up later with little penalty (pre-existing conditions must be covered).
And before you go all authoritarianism on me, you can't have it both ways. Either you have to allow insurance companies to deny pre-existing conditions, or you have to force people to buy insurance. If you don't do either then people wait until they're sick to
Re: (Score:3)
Such shallow thinking. How about forcing a penalty after needing treatment without insurance or the ability to pay it?
What happens if you have no insurance for 20 years, and never get sick. Then you sign up for insurance and pay your bills for 5 years. Then you get sick. What is the fine, and what happens if the person doesn't have the money to pay it at this point?
Why wait 20 years to charge them for 20 years of premiums?
The most sensible solution would be to just have the government buy insurance for anybody who does not do so, and then tax them for it. That is what happens if you don't mow your lawn - the local gove
Re: (Score:2)
Do you even understand this question? What happens if I purchase insurance for 2 months and get sick. It doesn't matter, I purchased the insurance just the same as if I purchased it 20 years ago.
Re: (Score:3)
Do you even understand this question? What happens if I purchase insurance for 2 months and get sick. It doesn't matter, I purchased the insurance just the same as if I purchased it 20 years ago.
The whole point of insurance is that in order for it to work, people need to pay MORE than they consume on average. If people wait until they're sick to sign up, it can't work.
And some people do not and will not need it. Why are they forced to pay for it when they do not want to? Why are normal law abiding citizens being told they are no longer free and must do as the government says and purchase something from a third party when they do nothing wrong?
So, your choices are force everybody to buy insurance even if they don't "need" it, or let people die when it turns out that they needed it after all.
In most cases insurance is voluntary, but then you suffer the loss if you don't have it. That's how health care was supposed to work before the ACA. The problem with that is that insu
Re: (Score:1)
You might as well just give it up. All you are doing is regurgitating the same thing different ways. You think it is fine that I am compelled to lose my money and freedom for the financial security of some third party because you might use that third party and it might cost you slightly more if I didn't.
I believe that is a crock of crap and that just like anything else in a free country, you aren't penalized and lose your freedom until you actually do something wrong. I doubt I will ever agree your concept i
It's a tax. Not a fine (Score:1)
Re: (Score:2)
A tax on living.
Guess that makes large numbers of the homeless etc into tax evaders too now.
What do you think socialized healthcare is? Socialism only works if you don't let people opt-out.
Granted, the homeless folks aren't really the problem, since for the most part they're the recipients in any socialized benefit. The issue is the person who makes plenty of money and doesn't feel they need to pay taxes (which mostly benefit others).
Re: (Score:2)
Required purchase of health insurance is NOT Socialism!
Many will still not be able to afford it or obtain sufficient assistance to do so.
True, on its own it isn't. ACA does include subsidies for the poor which is a form of socialism, though limited in scope.
Prices will continue to go up.
Well, they don't have to under a system like this if it is done right (aside from inflation, or rising levels of service). I don't think the ACA was really done right - it was a compromise all-around. The US health system is a nest of problems, and ACA really only hits a few of them. There is no one thing that you can do to fix it.
Re: (Score:2)
If it was a fine the Supreme Court would have struck down the law. But they recognized Congress' authority to impose taxes, so the law stands.
Semantics. But, whatever. s/fine/tax and my argument stands. You can't force insurance companies to treat pre-existing conditions unless you make people pay for insurance when they're healthy (or have somebody else pay for it for them).
If you want to understand how insurance works, first look at what the insurance pays for. Then figure out the total annual US cost of paying for that thing. Then divide that by the total population of the country, and add a few percent. That is the cost per-person of in
Re: (Score:2)
The vast majority of medical spending is on chronic illness for the elderly. You should have your argument focus on this type of common outcome rather than "suddenly gets sick/hurt".
Sure, but it doesn't really change anything. In fact, most people become elderly so it only stands to reason that most people are going to need insurance, and the money they pay in when they're young makes up for the money they take out when they're old.
Re: (Score:2)
Of course you mean 12 million, not 12 billion.
The reason you can't find the number is because you are (quite correctly) looking at the page labeled as number 8. Unfortunately the PDF was not formatted correctly and the numbering is not restarting after the four-page preamble. Because of that, @artor3's PDF reader is incorrectly telling him that the page he is looking at is number 8, while you will find it's labeled as number 4
You're not too good at reading comprehension (Score:1, Informative)
nor at understanding the CBO, are you?
First, let me explain something about the CBO: The CBO is an accounting organization (NOT a true policy analysis organization) that serves the congress by running whatever numbers the congress asks it to run. In other words, if a member of congress asks for a report that says "Assuming I have a warp drive that can propel any mass through space for free at up to 10 times lightspeed, and assuming Jupiter has a solid surface at a height above the planet's core where 1G wo
Re: (Score:2)
I don't have the time to read your response, but don't let that stop you from posting more nonsense.
Re: (Score:2)
I'm thinking Claritin overdose. Am I right?
This does not seem to be news (Score:5, Insightful)
I have no love for Healthcare.gov, but honestly just about every site is sending out notices that people may want to change passwords. Heck, Yahoo *made* me change my password.
Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.
Re: (Score:2)
This.
Every single site that was vulnerable to Heartbleed should be resetting all passwords.
There are a LOT of sites that were vulnerable, but very few have done large scale password resets.
The only bad thing Healthcare.gov is doing, is letting people choose to change passwords; they should do like Yahoo did.
Re: (Score:3)
Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.
As I understand it, the majority of the implementation of healthcare.gov is Java. Java's SSL implementation doesn't have the heartbleed bug at all (and implementing this bug would actually take a lot more work than doing it right). If there's a problem, it's most likely in a front-end load balancer; I don't know if you'd see a lot of user credentials in that case, as the damage wouldn't be in systems that handle client authentication.
The database(s) might be affected too, but you probably can't reach them f
Absurd position by the government (Score:1, Interesting)
Re: (Score:1)
Vulnerable is not the same as compromised (even though best practices dictate it should be treated as such when rebuilding systems). You can be vulnerable to a security issue without that issue having been exploited -- or, in most cases, vulnerable without having any evidence that issue was exploited.
And... (Score:2)
Nobody can type "yum update openssl"?
Re: (Score:1)
Does `yum update openssl` generate new keys, generate new CSRs, submit CSRs with payment information to the CA, update sites with the new certificates once the CA has signed them, and then notify all users that they should change their passwords? Didn't think so.
Good thing the ACA passed (Score:2)
Because with Heartbleed being introduced early 2012, long before that website launched, it would have been one hell of a pre-existing condition. :P