Democrats question whether outside security experts can tell what defenses are being deployed HealthCare.gov remains riddled with security vulnerabilities and is ripe for ID theft three and a half months after its launch, two cybersecurity experts told U.S. lawmakers Thursday.But a third cybersecurity expert and Democratic members of the U.S. House of Representatives Science, Space and Technology Committee questioned those warnings, saying Republican critics of the Affordable Care Act, the 2010 law with HealthCare.gov as its insurance-shopping centerpiece, are trying to scare U.S. residents and keep them from using the site.Still, security at HealthCare.gov appears to have gotten worse in the past two months, said David Kennedy, CEO of TrustedSEC, a cybersecurity consulting firm. Since Kennedy first talked to the committee in November, he and other security researchers discovered multiple vulnerabilities, he said, through passive scans of the website.“The website is not getting any better,” he said. “TrustedSec’s opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of protection for the website itself.”Security researchers have found 18 possible security problems at HealthCare.gov, including JSON (JavaScript Object Notation) injection, unsanitized URL redirection, user profile disclosures, cookie theft and exposed sensitive APIs (application programming interfaces), Kennedy said. “I don’t understand how we’re still discussing whether the website is insecure or not,” he said. “It is, there’s no question about that.” With HHS rushing last year to launch the site Oct. 1, it’s “hard to believe” that HealthCare.gov wouldn’t suffer from many of the same security problems that commercial websites encounter, added Michael Gregg, CEO of IT security firm Superior Solutions.“To think that HealthCare.gov could be built so quickly and then be secured, to me is very hard to believe,” he said.But none of the witnesses at Thursday’s hearing has insider access to HealthCare.gov or the security measures taken by the U.S. Health and Human Services Centers for Medicare and Medicaid Services (CMS), the agency running HealthCare.gov, and its security contractors, noted Representative Eddie Bernice Johnson, a Texas Democrat. CMS has reported no majority security breaches at the site, she said.“If none of us here built HealthCare.gov, if … we’re not doing penetrations and running that exploitable code on HealthCare.gov, we can only speculate whether or not those attacks will work,” said Waylon Krush, cofounder and CEO of IT security firm Lunarline. “Nobody here, at this table, can tell you that they know there’s vulnerabilities.”CMS has reported meeting several federal government security standards, some of which surpass most security measures taken at private companies, Krush added.While critics of the website may see it as a prime target for hackers, it may not be, Krush said. Hackers may be more interested in intellectual property, military secrets and in commercial credit card information than the limited information available through HealthCare.gov, he said. Still, Republican members of the committee repeated their long-standing concerns about possible breaches at the site.“When the Obama Administration launched HealthCare.gov, Americans were led to believe that the website was safe and secure,” said Representative Lamar Smith, a Texas Republican and committee chairman. “This was not the case.”The House Science Committee hearing was one of two on HealthCare.gov security convened by House Republicans Thursday morning, with the second hearing, in the House Oversight Committee, focused on security concerns raised by HHS officials before the site’s launch.“In my view, this is about confidence the American people have in their government, and whether or not their government is going everything they can to protect their privacy,” said Representative Larry Bucshon, an Indiana Republican. “In the minds of the American people … this is the biggest threat target in the federal government.” Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s email address is grant_gross@idg.com. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe