AP's NEW "HC.gov Security Flaws" story attacks problems FIXED UP TO A YEAR AGO.

UPDATE 3/9/16: For the love of Pete...the WTSP website still has the same article published on their site today, 6 months later.

A huge shout-out to Matthew Martin (aka hyperplanes) for his double-catch on this ongoing mini-saga.

Last night I posted what seemed, at first, to be a merely-amusing (if a bit depressing) story about a Florida news station website accidentally (?) reposting a year-old AP newswire story about potential security vulnerabilities at Healthcare.Gov:

"Critical" flaw found in HealthCare.gov security

WASHINGTON -- The government's own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability - but also came away with respect for some of the health insurance site's security features.

Those are among the conclusions of a report released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud.

The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15.

So-called "white hat" or ethical hackers from the inspector general's office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses.

Yikes! That's definitely a serious issue which needs to be addressed ASAP, right?

Well...you know, except for the part where the actual article specifically states that "when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses."

So...you know, not quite so "critical" after all, I guess.

However, there's one other little problem. You might note that there appears to be a typo in the third paragraph, which lists the start of Open Enrollment as November 15, when in fact it's actually November 1st; the HHS Dept. moved the start date up two weeks this year.

Here's the problem: That's no typo. Or, more accurately the entire article is a typo.

Here's what I mean...check out this AP Newswire article from September 23, 2014...exactly 1 year and one day earlier.

Yep, as it turned out, WTSP in Florida messed up by reposting a year-old story (and yes, it's still posted as of 2:30pm Friday afternoon), but not an earth-shattering development.

As I noted in an update, it turns out the reason why WTSP probably posted this story is because of a different, brand-new AP newswire story, also about security issues at Healthcare.Gov reported by the Inspector General, which was just posted yesterday. Presumably a WTSP staffer confused the year-old story for the new one and republished the wrong one.

HOWEVER, as Martin brought to my attention, it turns out that the new AP story is still about the exact same 2014 report...regarding potential security flaws/issues which appear to have been resolved MONTHS ago.

Here's the NEW story, which includes a rather incendiary headline:

Audit finds slipshod cybersecurity at HealthCare.gov

WASHINGTON (AP) — The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.

The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general's office. But the episode raises questions about the government's ability to protect a vast new database at a time when cyberattacks are becoming bolder.

While the AP article does link to the actual Inspector General's report in question, nowhere in the article does it say anything about when the IG audit was conducted. The entire story makes it sound as though these are new vulnerabilities/security flaws. Anyone who reads the new article, and who remembers the original story from a year ago (including myself) would understandably assume that either a) the year-old flaws weren't fixed until recently (which doesn't look good) or b) that this is a new report about a different batch of problems (which also doesn't look good).

HOWEVER, it turns out that when you read the actual IG report...


We focused our audit on information security controls over operations and systems that support MIDAS’s database servers. The Centers for Medicare & Medicaid Services (CMS) is responsible for providing guidance and oversight for the MIDAS. Therefore, we reviewed CMS’s policies and procedures related to the MIDAS’s information security controls. We also examined documentation related to the MIDAS and conducted interviews with CMS representatives who administer the system. We reviewed contractor reports related to vulnerability scans of the MIDAS, determined whether CMS had fully addressed and remediated the vulnerabilities found, and conducted database vulnerability scans. We limited our review of controls to those that were in effect at the time of our audit. We conducted our audit work from August to December 2014.

Yes, that's right. The year-ago story appears to have been a draft version of the final audit...and according to the new AP story...

In a written response to the audit, Medicare administrator Andy Slavitt said that "the privacy and security of consumers' personally identifiable information are a top priority" for his agency. Slavitt said all of the high vulnerabilities were addressed within a week of being identified, and that all of the IG's recommendations have been fully implemented.

So, is he just blowing smoke up everyone's ass? Nope; the actual IG report confirms Slavitt's statement:


We shared with CMS information about our vulnerability scan findings immediately following the scan and informed CMS about other preliminary findings in advance of issuing our draft report. CMS began remediation efforts before the completion of our fieldwork. In written comments, CMS concurred with all of our recommendations. CMS reported that it remediated all vulnerabilities and addressed all findings we identified before we issued our final report. We have since reviewed the supporting documentation and verified CMS’s remediation.


So, to review:

1. In August 2014, the IG begins an audit/security testing of Healthcare.Gov

2. In September 2014, the IG reports their initial list of security concerns/recommendations to the CMS division.

3. The AP runs a story on the initial (draft) IG report, with a highly misleading "Critical Flaw!!" headline which doesn't match the actual story content (blocked by system defenses).

4. CMS resolves the more serious problems reported by the IG within 1 week of the draft report (no later than September 30th, 2014).

5. The IG continues to run their audit until December 2014. Meanwhile, CMS continues to implement the rest of the IG's lower-priority recommendations.

6. The IG confirms that CMS has indeed implemented every one of their recommendations.

7. One year later, in September 2015, the IG finally issues their final report...which clearly states that the audit in the report was conducted from August - December 2014, and which also clearly states that every one of the issues they reported had since been rectified, with the serious ones having been fixed nearly a year earlier.

8. The AP runs a new story with another Scary, Misleading Headline, claiming "Slipshod Cybersecurity at Healthcare.Gov"

9. FOX News and other right-wing propaganda outfits pounce all over the "new" story just 5 weeks before Open Enrollment 2016 kicks off.

Does that about sum it up?

Note: Here's more from Martin/hyperplanes:

It turns out that the audit actually had the opposite to say about HealthCare.gov: security there is great.

...The main reason for this new report is in fact to say that all of the security vulnerabilities have been fixed to the satisfaction of the HHS Inspector General's security team. The final line of the report:

"We have since reviewed the supporting documentation and verified CMS's remediation."

In other words, the point of the new report is to say that cybersecurity at HealthCare.gov is now excellent. That's the only news here. But none of the News is covering it that way.