Experts warn healthcare.gov still has security issues
Several cybersecurity experts warned that security issues still persist on healthcare.gov, according to statements made to news outlets and in testimony provided to a Congressional panel on Thursday.
From NBC News:
Cybersecurity researchers slammed HealthCare.gov’s security during a House hearing on Thursday, saying the site is still riddled with problems that could put consumers’ sensitive health details at risk.
“The reason we’re concluding that this is so shockingly bad is that the issues across the site are so varied,” David Kennedy, founder of the information security firm TrustedSec, told NBC News. “You don’t even have to hack into the system to see big issues – which means there are [major problems] underneath.”
Kennedy was the first of a group of so-called “white-hat hackers” who testified before the House of Representatives Science Committee on Thursday. He previously testified on November 19, when he said he was able to identify 18 major issues with the site – without even hacking into it.
“Nothing’s really changed since our November 19 testimony,” Kennedy said during the hearing. “In fact, it’s worse.”
Kennedy indicated that of those issues previously identified, only half of one has been addressed to date. He also noted in a blog post Thursday that more than twenty additional exposures have since been identified by security researchers. Kennedy additionally indicated that he did not hack the healthcare.gov website in order to identify issues, rather these were issues that could be determined through observation and research of the website.
Included in written testimony submitted by Kennedy for Thursday’s hearing were responses from several other security researchers regarding the existing and previous exposures identified on healthcare.gov.
Well-known former hacker Kevin Mitnick, now the founder and CEO of Mitnick Security Consulting, wrote in one of those responses:
“After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov web site, it’s clear that the management team did not consider security as a priority.
Healthcare.gov retrieves information from numerous third-party databases belonging to the IRS, Social Security Administration, Department of Homeland Security, and other State agencies. It would be a hacker’s wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases. A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen!
It’s shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise or access to consumer proprietary information…”
But one security researcher who provided testimony Thursday was cautious about what he considered to be speculation from people who haven’t worked on the website directly. Waylon Krush, CEO of security firm Lunarline, said, “Just as security critics lack the hands on knowledge necessary to make dramatic claims … I cannot claim to understand all of Healthcare.gov’s security intricacies,” Krush said in written testimony, according to NBC News.
In a separate hearing before the House Oversight Committee on Thursday, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS) indicated that the website passed security testing in December, according to CBS News.
A top HealthCare.gov security officer told Congress Thursday that the Obamacare website passed security testing in December, and she would recommend that its official Authority to Operate (ATO) be extended when the current ATO expires in March.
Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS), told members of the House Oversight Committee that before HealthCare.gov launched, she wasn’t as confident about its security.
In September, “there was a level of uncertainty as to the known risks” Fryer said in a hearing before the committee, reiterating the points she made during a closed-door meeting with the committee last month. Given those concerns, she recommended to Health and Human Services officials in September that the ATO — a document required for the HealthCare.gov’s launch — should not be signed. HHS officials overruled her recommendation and issued a temporary, six-month ATO.
When HealthCare.gov launched on Oct. 1, its major technical problems were exposed, though Fryer and other government officials noted Thursday that there haven’t been any successful attacks on the site.
Since the site’s launch, security testing has continued — and is conducted on a regular basis.
“Given the positive results of the recent security control assessments… I would recommend [HealthCare.gov] be given a new authority to operate” when the current ATO expires, Fryer told the committee. While noting that one can “never guarantee any system is hack-proof,” she noted that “the protections we have put in place have successfully prevented attacks.”
And in another statement, the chief information security officer for HHS indicated that “to date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally-identifiable information (PII) from the site.”
Donations tax deductible
to the full extent allowed by law.
“When HealthCare.gov launched on Oct. 1, its major technical problems were exposed, though Fryer and other government officials noted Thursday that there haven’t been any successful attacks on the site.”
Brought to you by the same administration that said: If you like your health insurance, you can keep your health insurance.
Boy howdy, it’s almost as if HHS just hired a bunch of coders from a politically connected company and didn’t supervise them at all…
why would anyone break into an empty bank?
It is not correct to say the site “has security issues” – it has virtually no security at all.