Menu
HealthCare.gov still has major security problems, experts say

HealthCare.gov still has major security problems, experts say

Democrats question whether outside security experts can tell what defenses are being deployed

HealthCare.gov remains riddled with security vulnerabilities and is ripe for ID theft three and a half months after its launch, two cybersecurity experts told U.S. lawmakers Thursday.

But a third cybersecurity expert and Democratic members of the U.S. House of Representatives Science, Space and Technology Committee questioned those warnings, saying Republican critics of the Affordable Care Act, the 2010 law with HealthCare.gov as its insurance-shopping centerpiece, are trying to scare U.S. residents and keep them from using the site.

Still, security at HealthCare.gov appears to have gotten worse in the past two months, said David Kennedy, CEO of TrustedSEC, a cybersecurity consulting firm. Since Kennedy first talked to the committee in November, he and other security researchers discovered multiple vulnerabilities, he said, through passive scans of the website.

"The website is not getting any better," he said. "TrustedSec's opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of

protection for the website itself."

Security researchers have found 18 possible security problems at HealthCare.gov, including JSON (JavaScript Object Notation) injection, unsanitized URL redirection, user profile disclosures, cookie theft and exposed sensitive APIs (application programming interfaces), Kennedy said. "I don't understand how we're still discussing whether the website is insecure or not," he said. "It is, there's no question about that."

With HHS rushing last year to launch the site Oct. 1, it's "hard to believe" that HealthCare.gov wouldn't suffer from many of the same security problems that commercial websites encounter, added Michael Gregg, CEO of IT security firm Superior Solutions.

"To think that HealthCare.gov could be built so quickly and then be secured, to me is very hard to believe," he said.

But none of the witnesses at Thursday's hearing has insider access to HealthCare.gov or the security measures taken by the U.S. Health and Human Services Centers for Medicare and Medicaid Services (CMS), the agency running HealthCare.gov, and its security contractors, noted Representative Eddie Bernice Johnson, a Texas Democrat. CMS has reported no majority security breaches at the site, she said.

"If none of us here built HealthCare.gov, if ... we're not doing penetrations and running that exploitable code on HealthCare.gov, we can only speculate whether or not those attacks will work," said Waylon Krush, cofounder and CEO of IT security firm Lunarline. "Nobody here, at this table, can tell you that they know there's vulnerabilities."

CMS has reported meeting several federal government security standards, some of which surpass most security measures taken at private companies, Krush added.

While critics of the website may see it as a prime target for hackers, it may not be, Krush said. Hackers may be more interested in intellectual property, military secrets and in commercial credit card information than the limited information available through HealthCare.gov, he said.

Still, Republican members of the committee repeated their long-standing concerns about possible breaches at the site.

"When the Obama Administration launched HealthCare.gov, Americans were led to believe that the website was safe and secure," said Representative Lamar Smith, a Texas Republican and committee chairman. "This was not the case."

The House Science Committee hearing was one of two on HealthCare.gov security convened by House Republicans Thursday morning, with the second hearing, in the House Oversight Committee, focused on security concerns raised by HHS officials before the site's launch.

"In my view, this is about confidence the American people have in their government, and whether or not their government is going everything they can to protect their privacy," said Representative Larry Bucshon, an Indiana Republican. "In the minds of the American people ... this is the biggest threat target in the federal government."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Eddie Bernice JohnsonWaylon Krushindustry verticalsinternetLamar SmithSpace and Technology CommitteeMichael GreggLarry BucshonTrustedSECsecurityhealth caredavid kennedygovernmentU.S. House of Representatives Sciencedata protectionSuperior SolutionsLunarlineGovernment use of IT

Featured

Slideshows

Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
An Evening With Eugene Kaspersky for Kiwi partners in Auckland

An Evening With Eugene Kaspersky for Kiwi partners in Auckland

​New Zealand partners came together for An Evening With Eugene Kaspersky in Auckland, an invitation only event as part of Kaspersky Lab Partner Engage. Following an evening of insights and executive networking with the founder of Kaspersky Lab, Eugene Kaspersky, Kiwi partners got up close and personal with Eugene in an unprecedented​ panel discussion. Facilitated by Reseller News, this panel explored channel relationships, successful business strategies, and the latest ground breaking technologies to impact the security market. Photos by Maria Stefina.

An Evening With Eugene Kaspersky for Kiwi partners in Auckland
Show Comments