HealthCare.gov still has major security problems, experts say

HealthCare.gov remains riddled with security vulnerabilities and is ripe for ID theft three and a half months after its launch, two cybersecurity experts told U.S. lawmakers Thursday.

But a third cybersecurity expert and Democratic members of the U.S. House of Representatives Science, Space and Technology Committee questioned those warnings, saying Republican critics of the Affordable Care Act, the 2010 law with HealthCare.gov as its insurance-shopping centerpiece, are trying to scare U.S. residents and keep them from using the site.

Still, security at HealthCare.gov appears to have gotten worse in the past two months, said David Kennedy, CEO of TrustedSEC, a cybersecurity consulting firm. Since Kennedy first talked to the committee in November, he and other security researchers discovered multiple vulnerabilities, he said, through passive scans of the website.

“The website is not getting any better,” he said. “TrustedSec’s opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of

protection for the website itself.”

Security researchers have found 18 possible security problems at HealthCare.gov, including JSON (JavaScript Object Notation) injection, unsanitized URL redirection, user profile disclosures, cookie theft and exposed sensitive APIs (application programming interfaces), Kennedy said. “I don’t understand how we’re still discussing whether the website is insecure or not,” he said. “It is, there’s no question about that.”

With HHS rushing last year to launch the site Oct. 1, it’s “hard to believe” that HealthCare.gov wouldn’t suffer from many of the same security problems that commercial websites encounter, added Michael Gregg, CEO of IT security firm Superior Solutions.

“To think that HealthCare.gov could be built so quickly and then be secured, to me is very hard to believe,” he said.

But none of the witnesses at Thursday’s hearing has insider access to HealthCare.gov or the security measures taken by the U.S. Health and Human Services Centers for Medicare and Medicaid Services (CMS), the agency running HealthCare.gov, and its security contractors, noted Representative Eddie Bernice Johnson, a Texas Democrat. CMS has reported no majority security breaches at the site, she said.

“If none of us here built HealthCare.gov, if … we’re not doing penetrations and running that exploitable code on HealthCare.gov, we can only speculate whether or not those attacks will work,” said Waylon Krush, cofounder and CEO of IT security firm Lunarline. “Nobody here, at this table, can tell you that they know there’s vulnerabilities.”

CMS has reported meeting several federal government security standards, some of which surpass most security measures taken at private companies, Krush added.

While critics of the website may see it as a prime target for hackers, it may not be, Krush said. Hackers may be more interested in intellectual property, military secrets and in commercial credit card information than the limited information available through HealthCare.gov, he said.

Still, Republican members of the committee repeated their long-standing concerns about possible breaches at the site.

“When the Obama Administration launched HealthCare.gov, Americans were led to believe that the website was safe and secure,” said Representative Lamar Smith, a Texas Republican and committee chairman. “This was not the case.”

The House Science Committee hearing was one of two on HealthCare.gov security convened by House Republicans Thursday morning, with the second hearing, in the House Oversight Committee, focused on security concerns raised by HHS officials before the site’s launch.

“In my view, this is about confidence the American people have in their government, and whether or not their government is going everything they can to protect their privacy,” said Representative Larry Bucshon, an Indiana Republican. “In the minds of the American people … this is the biggest threat target in the federal government.”

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s email address is grant_gross@idg.com.