Healthcare.gov still not secure three months later

Rick Moran
A group of cyber-security experts scheduled to testify before Congress on Thursday will tell lawmakers that holes in security at the healthcare.gov site still haven't been plugged 3 months after the site went live.

Reuters:

A group of cyber security professionals is warning that the U.S. government has failed to implement fixes to protect the HealthCare.gov website from hackers, some three months after experts first pointed out the problem.

David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters that the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1.

Hackers could steal personal information, modify data or attack the personal computers of the website's users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee.

"These issues are alarming," Kennedy said in an interview on Wednesday.

The Centers for Medicare & Medicaid Services, the federal agency that oversees the site's operations, provided Reuters with a statement saying it takes the concerns seriously.

"To date there have been no successful security attacks on HealthCare.gov and no person or group has maliciously accessed personally identifiable information from the site," the statement said.

"Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers' personal information."

CMS continues to insist that all is well, that the security is within federal government standards. But the site went live without a complete security test of the system, and CMS IT director Henry Chao, in testimony before the House oversight committee in November, couldn't recall a memo that stated that security vulnerabilities were "limitless" at the site.

Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation.

They wrote notes to the House Committee saying they were concerned about the site's security, which Kennedy provided to Reuters and will be released on Thursday to the committee led by Republicans who oppose the Affordable Care Act.

Members of the security community have been publicly pointing out problems with the site and say they have been privately providing the government with technical details of those issues since early October.

At a November Science Committee hearing, Kennedy and three other expert witnesses said they believed the site was not secure and three of them said it should be shut down immediately.

'FUNDAMENTALLY FLAWED'

Kennedy and his peers who reviewed his work ahead of Thursday's hearing said the site still has serious security vulnerabilities that can be viewed from the outside.

"The site is fundamentally flawed in ways that make it dangerous to people who use it," said Kevin Johnson, one of the experts who reviewed Kennedy's findings.

Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.

"You can take control of their computers," said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world's biggest organization that trains and certifies cyber security professionals.

Who ya going to believe? Your government? Or non-partisan security experts?

The administration doesn't care about your personal info being secure. It is of secondary consideration next to enticing people to the website and getting them to sign up for insurance.

If CMS hasn't made this clear to us before, they have now.



