The PJ Tatler

Cyber Security Experts: Healthcare.gov is Still Unsecured and 'Dangerous' to Use

Cyber security experts continue to warn that Healthcare.gov is not secure, and the Obama administration continues to not listen to them. Reuters reports:

A group of cyber security professionals is warning that the U.S. government has failed to implement fixes to protect the HealthCare.gov website from hackers, some three months after experts first pointed out the problem.

David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters that the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1.

Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee.

“These issues are alarming,” Kennedy said in an interview on Wednesday.

The Obama administration’s answer: bland talk that top men are on the case. The Centers for Medicare and Medicaid Services, which runs the site and has a vested interest in depicting it as secure, says no attacks have occurred, and “Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information.”

Did those “best practices” include building a site that barely worked when it was rolled out, and did they include building a Spanish-language version of the site that isn’t actually written in Spanish? Asking for a friend, as they say.

Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation.

They wrote notes to the House Committee saying they were concerned about the site’s security, which Kennedy provided to Reuters and will be released on Thursday to the committee led by Republicans who oppose the Affordable Care Act.

Members of the security community have been publicly pointing out problems with the site and say they have been privately providing the government with technical details of those issues since early October.

At a November Science Committee hearing, Kennedy and three other expert witnesses said they believed the site was not secure and three of them said it should be shut down immediately.

The experts continue to warn that Healthcare.gov has not been fixed at all, and remains “fundamentally flawed that make it dangerous to people to use it.” Kennedy says malicious hackers can use the site to take control of users’ computers and steal their personal data. One flaw even allows hackers to upload their own data to the site, and then attack other Healthcare.gov users.