More is coming to light in recent days and weeks to suggest that concerns about potential security issues with the healthcare.gov website may be justified.

In an article today from CNN, it was revealed that lack of testing of healthcare.gov presented a security risk, according to an internal government memo written by IT officials at CMS days before the launch.

An internal government memo obtained by CNN and written just days before the start of open enrollment for Obamacare warned of a “high” security risk because of a lack of testing of the HealthCare.gov website.

“Due to system readiness issues, the SCA (security control assessment) was only partly completed,” said the internal memo from the U.S. Center for Medicare and Medicaid Services. “This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.”

The memo goes on to explain that the Center for Medicare and Medicaid Services would create a “dedicated security team” to monitor the risk, conduct weekly scans and, within 60 to 90 days after the website went live, “conduct a full-scale SCA test.”

The memo did not detail the security concerns. It was written by IT officials at the Center for Medicare and Medicaid Services, and was sent to and signed by the agency’s director, Marilyn Tavenner, who testified on Capitol Hill on Tuesday that she thought the website was ready to go when it began its crash-riddled rollout on October 1.

And in an earlier article at CNN Money titled Security hole found in Obamacare website, it was also reported that a cybersecurity expert discovered a security flaw that went unaddressed for more than three weeks after healthcare.gov’s launch.

Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.

The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:

  • guessed an existing user name, and the website would have confirmed it exists.
  • claimed you forgot your password, and the site would have reset it.
  • viewed the site’s unencrypted source code in any browser to find the password reset code.
  • plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
  • answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.

Armed with the account holder’s email address, a person with malicious intent could easily track down their target on social media, where they’d likely discover the answers to those security questions.

The report further indicated that only minimal comprehension of viewing programming code was necessary to have potentially exposed a target’s address and phone number.

The existence of such a security issue is indicative of what many others have expressed – that hackers and those with savvy social engineering skills are likely to find plenty of other vulnerabilities not yet discovered or publicized.  Via CNN, Simo points out a similar concern.

Still, Simo fears that a savvy hacker could find other holes and Obamacare applicants’ data will be compromised on a mass scale.

“This seems really sloppy,” Simo said. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn’t understand how they fit into the bigger picture.”

CNN Money reported that when Simo attempted to bring the security issue to the attention of officials, a healthcare.gov operator referred him to law enforcement.

That issue has since reportedly since been fixed, but that seems to be little assurance for many who still have concerns about the site’s security and protection of Americans’ privacy.

During today’s hearing with HHS Secretary Kathleen Sebelius, Republican Congressman Mike Rogers raised the issue that adequate end-to-end testing may not have been conducted to address security issues as new code has been added.  HHS has maintained that security testing is conducted on an ongoing basis as new functionality is added, according to CBS News, but did not seem to specify whether or not that testing refers to full end-to-end testing.

From CBS News:

“You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system,” Rogers said. “Amazon would never do this, ProFlowers would never do this, Kayak would never do this. This is completely an unacceptable level of security.”

“You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk.”

Sebelius assured Rogers that the site is secure, that Americans’ personal information is secure and that it’s operating with a temporary security certificate until full testing can be completed.

An HHS official pointed out that Security Control Assessments of the enrollment and eligibility functions of the Marketplace and the datahub have been conducted and that “We continue to conduct security testing on an ongoing basis as we add new functionality.”

In her testimony today, Sebelius maintained that the personal information of Americans is secure.

Given the government’s performance on this project to date, and the unwillingness of officials to be entirely forthcoming about issues surrounding the project, I think it’s difficult to take such reassurances seriously.