Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

HealthCare.gov still has major security problems, experts say

Democrats question whether outside security experts can tell what defenses are being deployed

Article comments

HealthCare.gov remains riddled with security vulnerabilities and is ripe for ID theft three and a half months after its launch, two cybersecurity experts told U.S. lawmakers Thursday.

But a third cybersecurity expert and Democratic members of the U.S. House of Representatives Science, Space and Technology Committee questioned those warnings, saying Republican critics of the Affordable Care Act, the 2010 law with HealthCare.gov as its insurance-shopping centerpiece, are trying to scare U.S. residents and keep them from using the site.

Still, security at HealthCare.gov appears to have gotten worse in the past two months, said David Kennedy, CEO of TrustedSEC, a cybersecurity consulting firm. Since Kennedy first talked to the committee in November, he and other security researchers discovered multiple vulnerabilities, he said, through passive scans of the website.

"The website is not getting any better," he said. "TrustedSec's opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of

protection for the website itself."

Security researchers have found 18 possible security problems at HealthCare.gov, including JSON (JavaScript Object Notation) injection, unsanitized URL redirection, user profile disclosures, cookie theft and exposed sensitive APIs (application programming interfaces), Kennedy said. "I don't understand how we're still discussing whether the website is insecure or not," he said. "It is, there's no question about that."

With HHS rushing last year to launch the site Oct. 1, it's "hard to believe" that HealthCare.gov wouldn't suffer from many of the same security problems that commercial websites encounter, added Michael Gregg, CEO of IT security firm Superior Solutions.

"To think that HealthCare.gov could be built so quickly and then be secured, to me is very hard to believe," he said.

But none of the witnesses at Thursday's hearing has insider access to HealthCare.gov or the security measures taken by the U.S. Health and Human Services Centers for Medicare and Medicaid Services (CMS), the agency running HealthCare.gov, and its security contractors, noted Representative Eddie Bernice Johnson, a Texas Democrat. CMS has reported no majority security breaches at the site, she said.

"If none of us here built HealthCare.gov, if ... we're not doing penetrations and running that exploitable code on HealthCare.gov, we can only speculate whether or not those attacks will work," said Waylon Krush, cofounder and CEO of IT security firm Lunarline. "Nobody here, at this table, can tell you that they know there's vulnerabilities."

CMS has reported meeting several federal government security standards, some of which surpass most security measures taken at private companies, Krush added.

While critics of the website may see it as a prime target for hackers, it may not be, Krush said. Hackers may be more interested in intellectual property, military secrets and in commercial credit card information than the limited information available through HealthCare.gov, he said.

Still, Republican members of the committee repeated their long-standing concerns about possible breaches at the site.

"When the Obama Administration launched HealthCare.gov, Americans were led to believe that the website was safe and secure," said Representative Lamar Smith, a Texas Republican and committee chairman. "This was not the case."

The House Science Committee hearing was one of two on HealthCare.gov security convened by House Republicans Thursday morning, with the second hearing, in the House Oversight Committee, focused on security concerns raised by HHS officials before the site's launch.

"In my view, this is about confidence the American people have in their government, and whether or not their government is going everything they can to protect their privacy," said Representative Larry Bucshon, an Indiana Republican. "In the minds of the American people ... this is the biggest threat target in the federal government."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *