HealthCare.gov still has major security problems, experts say

Democrats question whether outside security experts can tell what defenses are being deployed

HealthCare.gov remains riddled with security vulnerabilities and is ripe for ID theft three and a half months after its launch, two cybersecurity experts told U.S. lawmakers Thursday.

But a third cybersecurity expert and Democratic members of the U.S. House of Representatives Science, Space and Technology Committee questioned those warnings, saying Republican critics of the Affordable Care Act, the 2010 law with HealthCare.gov as its insurance-shopping centerpiece, are trying to scare U.S. residents and keep them from using the site.

Still, security at HealthCare.gov appears to have gotten worse in the past two months, said David Kennedy, CEO of TrustedSEC, a cybersecurity consulting firm. Since Kennedy first talked to the committee in November, he and other security researchers discovered multiple vulnerabilities, he said, through passive scans of the website.

"The website is not getting any better," he said. "TrustedSec's opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of

protection for the website itself."

Security researchers have found 18 possible security problems at HealthCare.gov, including JSON (JavaScript Object Notation) injection, unsanitized URL redirection, user profile disclosures, cookie theft and exposed sensitive APIs (application programming interfaces), Kennedy said. "I don't understand how we're still discussing whether the website is insecure or not," he said. "It is, there's no question about that."

With HHS rushing last year to launch the site Oct. 1, it's "hard to believe" that HealthCare.gov wouldn't suffer from many of the same security problems that commercial websites encounter, added Michael Gregg, CEO of IT security firm Superior Solutions.

"To think that HealthCare.gov could be built so quickly and then be secured, to me is very hard to believe," he said.

But none of the witnesses at Thursday's hearing has insider access to HealthCare.gov or the security measures taken by the U.S. Health and Human Services Centers for Medicare and Medicaid Services (CMS), the agency running HealthCare.gov, and its security contractors, noted Representative Eddie Bernice Johnson, a Texas Democrat. CMS has reported no majority security breaches at the site, she said.

"If none of us here built HealthCare.gov, if ... we're not doing penetrations and running that exploitable code on HealthCare.gov, we can only speculate whether or not those attacks will work," said Waylon Krush, cofounder and CEO of IT security firm Lunarline. "Nobody here, at this table, can tell you that they know there's vulnerabilities."

CMS has reported meeting several federal government security standards, some of which surpass most security measures taken at private companies, Krush added.

While critics of the website may see it as a prime target for hackers, it may not be, Krush said. Hackers may be more interested in intellectual property, military secrets and in commercial credit card information than the limited information available through HealthCare.gov, he said.

Still, Republican members of the committee repeated their long-standing concerns about possible breaches at the site.

"When the Obama Administration launched HealthCare.gov, Americans were led to believe that the website was safe and secure," said Representative Lamar Smith, a Texas Republican and committee chairman. "This was not the case."

The House Science Committee hearing was one of two on HealthCare.gov security convened by House Republicans Thursday morning, with the second hearing, in the House Oversight Committee, focused on security concerns raised by HHS officials before the site's launch.

"In my view, this is about confidence the American people have in their government, and whether or not their government is going everything they can to protect their privacy," said Representative Larry Bucshon, an Indiana Republican. "In the minds of the American people ... this is the biggest threat target in the federal government."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Eddie Bernice JohnsonWaylon Krushindustry verticalsinternetLamar SmithSpace and Technology CommitteeMichael GreggLarry BucshonTrustedSECsecurityhealth caredavid kennedygovernmentU.S. House of Representatives Sciencedata protectionSuperior SolutionsLunarlineGovernment use of IT

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?