Healthcare.gov still not secure after three months of fixes

Despite the much-touted fixes to Healthcare.gov after a disastrous rollout on October 1, the federal Obamacare website remains vulnerable to hackers, according to security experts who spoke with Reuters:

David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters that the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1.

Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee.

“These issues are alarming,” Kennedy said in an interview on Wednesday.
[…]
“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.

Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.

“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals.

It has been more than three months — 108 days, to be exact — since Healthcare.gov was launched, and these serious security issues, which administration officials were worried about before the website went live, still haven’t been addressed.

The administration, of course, contends that there haven’t been any hacks to the website and that there is no security threat. But Kennedy, who had already raised red flags on this issue, didn’t need to hack it to gain people’s personal information:

One security flaw that Kennedy first uncovered and reported to the government in October exposes information including a user’s full name and email address. He said he wrote a short computer program in five minutes that automatically collects that data, which was able to import some 70,000 records in about four minutes.

 

He said the information was accessible via the Internet and he did not have to hack the site to get it. He declined to elaborate.

What’s amazing about this story, in terms of recurring concerns about security issues on the website, is that the White House threatened to veto a bipartisan measure that would require the administration to notify Americans if Healthcare.gov was ever breached. The White House claimed that this basic requirement would be an administrative burden.

