Great news: Healthcare.gov still has “critical risk” security flaws

posted at 10:41 am on November 19, 2013 by Ed Morrissey

The news that the ObamaCare web portal had serious security gaps started emerging over the summer, as a number of state Attorneys General picked up on an Inspector General report criticizing a lack of security testing for Healthcare.gov. After its launch on October 1, the security flaws became an acute issue as the White House continued to insist that the site was safe, but pledged to correct any issues along with the operational failures that immediately erupted. An expert will testify today that the security issues haven’t even been significantly addressed after seven weeks, and that any user entering personal data faces a “critical risk” of data theft:

A respected security expert will warn Congress on Tuesday that the Obama administration’s healthcare website has security flaws that put user data at a “critical risk,” despite recent government assurances the data is safe.

“There are actual live vulnerabilities on the site now,” David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters ahead of his testimony at a Congressional hearing on the topic “Is My Data on HealthCare.gov Secure?”

Kennedy, a former U.S. Marine Corps cyber-intelligence analyst, said his firm has prepared a 17-page report describing some of the problems. It does not go into specifics in some areas, he said, because that could provide criminals with a blueprint for launching attacks.

Unlike the operational issues that emerged on the rollout, the security issues have been well known for months. Fourteen AGs demanded a delay in August on the rollout based on the IG report, while California’s Democratic insurance commissioner predicted a “disaster” on identity theft a month before that. Six weeks ago, on the third day of the Healthcare.gov rollout, IT security experts warned consumers that the site put them at risk for phishing attacks.

Since then, HHS has taken the site down a number of times to add updates.  One would have expected those updates to have addressed the gaping holes in data security, which should have consisted of basic fixes along well-known industry standards for web portals.  That would be especially true considering the political disaster that will result if people avoid enrollments because of entirely legitimate fears of data and identity theft. However, after four weeks the system still had easily-exploited basic gaps in security, helped no doubt by the White House’s reliance on a contractor with a history of security failures.

At the same time, the Obama administration insisted that the Healthcare.gov portal was safe to use.  On October 30th, HHS spokesperson Joanne Peters claimed that everything was fine:

Yet HHS spokeswoman Joanne Peters said that during the interim the public need not worry about the security of data entered on the site, which helps them identify and enroll in health insurance plans.

“When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure,” she said.

This looks like yet another lie from the administration, and one that might cost those who trusted it dearly.


Comments

BIG. SHOCKER. THERE…

OmahaConservative on November 19, 2013 at 10:42 AM

This must be some of those rocky parts not smoothed out yet.

Dr. Frank Enstine on November 19, 2013 at 10:43 AM

The show is over. Exit the theater.
The grownups have entered the chamber, and to the disappointment of a few, we’re not gonna have a govt. shut down.
Exchanges open Oct 1st.

verbaluce on September 25, 2013 at 2:41 PM

-_-

Bishop on November 19, 2013 at 10:43 AM

If you like your privacy/credit score/savings/identity, you can keep your privacy/credit score/savings/identity.

NotCoach on November 19, 2013 at 10:44 AM

This is the Achilles heel of this law. Period. No matter what the cost, which lies are spewed. No one wants their private information exploited. It. Will. Die. (Soon I hope)

HomeoftheBrave on November 19, 2013 at 10:46 AM

Healthcare.gov systems architect Billy Stevens was unavailable for comment, his mom says he needs to finish his math homework.

R Square on November 19, 2013 at 10:47 AM

I’m starting to feel sorry for the poor slobs who went to that site just to see for themselves what a clusterfark it was and haplessly entered their personal information.

Or the ones who went in there, got a look at the prices, and left. There’s no way to remove your info once it’s in there.

CurtZHP on November 19, 2013 at 10:47 AM

-_-

Bishop on November 19, 2013 at 10:43 AM

Ed Bishop –
You mean the websites aren’t working perfectly on day one fifty?

verbaluce on October 1, 2013 at 10:18 AM

NotCoach on November 19, 2013 at 10:47 AM

Utopia is one big security risk….

Electrongod on November 19, 2013 at 10:49 AM

Still too many fools inhabit the land.

Schadenfreude on November 19, 2013 at 10:50 AM

So we have corrupt Navigators via phone and an unsecured website..WHAT COULD GO WRONG.

hillsoftx on November 19, 2013 at 10:51 AM

Bishop and NotCoach, rogerb thanks you :)

Schadenfreude on November 19, 2013 at 10:52 AM

Anyone who went to that website is either desperate (and I honestly feel sorry for your situation) or unimaginably stupid (that would be the majority).

HomeoftheBrave on November 19, 2013 at 10:52 AM

Don’t worry America. Chairman Barry has been talking to folks about it. Y’know, he’s been talking and doing stuff…so don’t worry. He will continue on presidentin’ and golfing and stuff. Also, bush lied about WMD.

DeweyWins on November 19, 2013 at 10:55 AM

This looks like yet another lie from the administration, and one that might cost those who trusted it dearly.

Who you going to believe, industry experts or an HHS spokesthug?

This has long been identified by those outside the administration as the achilles heel not getting the attention it should since simply enrolling is harder than Hercules cleaning the Augean stables in a single day.

But the administration better move quick on quelling issues with security. If sticker shock isn’t enough, fear that your PII will be compromised will be the death of Obamacare. On second thought, let’s support the HHS position on this.

Happy Nomad on November 19, 2013 at 10:56 AM

Man, I’m so old I remember when insurance was supposed to reduce your risks.

Flange on November 19, 2013 at 10:56 AM

Those libs are tough…body blow after body blow, and they are still standing with their man.

How many of these can they sustain? They are already “punch drunk”, stumbling around the political ring avoiding the final blow.

It’s a matter of time until the “referees” like the NYT step in and finally call it a TKO…

right2bright on November 19, 2013 at 11:00 AM

Man, I’m so old I remember when insurance was supposed to reduce your risks.

Flange on November 19, 2013 at 10:56 AM

Yep. Now a young male is expected to pay for pediatric dental for kids he doesn’t have and pre-natal care for a wife he doesn’t have. In short, that one individual is expected to reduce risks for a bunch of parasites who pay nothing into the system yet get the exact same coverage as the suckers who actually enroll in Obamacare.

Happy Nomad on November 19, 2013 at 11:00 AM

To give this a slightly positive spin, according to ACA supporters, the people using the website are people that couldn’t afford insurance before, so hopefully they don’t have enough money to incent crooks to try to hack their information.

talkingpoints on November 19, 2013 at 11:01 AM

Nurse Ratched Sebelius says “we’ve got a pill for that….”

viking01 on November 19, 2013 at 11:01 AM

It’s almost like this is a government-run operation.

Bitter Clinger on November 19, 2013 at 11:02 AM

You wanted this crapola……you got it…..idiots

cmsinaz on November 19, 2013 at 11:02 AM

Those libs are tough…body blow after body blow, and they are still standing with their man.

right2bright on November 19, 2013 at 11:00 AM

They are all lashed to the mast as the good ship Obamacare faces hurricane-strength headwinds. What is less obvious is that there are those desperately gnawing at those ropes hoping to break free before the ship goes down and takes them with it.

Happy Nomad on November 19, 2013 at 11:02 AM

To give this a slightly positive spin, according to ACA supporters, the people using the website are people that couldn’t afford insurance before, so hopefully they don’t have enough money to incent crooks to try to hack their information.

talkingpoints on November 19, 2013 at 11:01 AM

So, in other words, those signing up for Obamacare so far are those who actually mooch off those that the system needs to enroll in order to pay for it all.

Happy Nomad on November 19, 2013 at 11:05 AM

They are all lashed to the mast as the good ship Obamacare faces hurricane-strength headwinds. What is less obvious is that there are those desperately gnawing at those ropes hoping to break free before the ship goes down and takes them with it.

Happy Nomad on November 19, 2013 at 11:02 AM

Or dash themselves on the rocks following the Siren’s song…

Come election, you will see every single democrat who is running for office, run from ObamaCare…

right2bright on November 19, 2013 at 11:05 AM

Memba this?

“In February Breitbart TV first revealed this video of Rep Maxine Waters bragging about Obama collecting Americans information
“The President has put in place an organization with the kind of database that no one has ever seen before in life,” Representative Maxine Waters told Roland Martin on Monday.
“That’s going to be very, very powerful,” Waters said. “That database will have information about everything on every individual on ways that it’s never been done before and whoever runs for President on the Democratic ticket has to deal with that. They’re going to go down with that database and the concerns of those people because they can’t get around it. And he’s [President Obama] been very smart. It’s very powerful what he’s leaving in place.”

http://www.breitbart.com/Breitbart-TV/2013/06/09/Breitbart-Flashback-Maxine-Waters-Reveals-Obams-Secret-Data-Base-Filled-With-Voters-Private-Info

workingclass artist on November 19, 2013 at 11:06 AM

To give this a slightly positive spin, according to ACA supporters,

talkingpoints on November 19, 2013 at 11:01 AM

It’s ObamaCare, don’t fall into the liberal presses trap…it is ObamaCare, that is the water they have been carrying when it was “popular”…

right2bright on November 19, 2013 at 11:07 AM

What’s the problem? Simply refuse to believe anything that his administration says, or do the opposite of what it says, and you’re good.

HiJack on November 19, 2013 at 11:07 AM

So, what is the Obama Adm.’s “Consumer Protection Agency” doing about this site?

Where is the Better Business Bureau on this?

Hello “McAfee” where is your notice of an “Unsafe Site”?

Hello, “Google Search” why no Public Warning?

Bing, Yahoo, et al. search engines…???

How about each State Government’s “Consumer Protection Agency”???

Is it that as long as it’s a government that gets your ID taken, all is ok…. that it….???

APACHEWHOKNOWS on November 19, 2013 at 11:07 AM

Bishop on November 19, 2013 at 10:43 AM

NotCoach on November 19, 2013 at 10:47 AM

A couple of gems. Some things never get old…

JusDreamin on November 19, 2013 at 11:09 AM

It’s ObamaCare, don’t fall into the liberal presses trap…it is ObamaCare, that is the water they have been carrying when it was “popular”…

right2bright on November 19, 2013 at 11:07 AM

It’s hard not to call obozocare, but we really should be calling it democratcare and tie it to all of them. Don’t give them the chance to just blame the head clown.

Flange on November 19, 2013 at 11:11 AM

Man, I’m so old I remember when insurance was supposed to reduce your risks.

Flange on November 19, 2013 at 10:56 AM

Lol. Hope and Change baby.

JusDreamin on November 19, 2013 at 11:11 AM

Think how fun it will be when you are thrown in prison after being accused of trying to steal your own identity because some illegal in California paid a hacker to steal it from the website and it now belongs to him.

Bishop on November 19, 2013 at 11:13 AM

If the exchanges and the ACA website were run by a private company they would have already been shutdown by the government for fraud (not to mention they never would have launched due to the 4.4 billion price tag).

gwelf on November 19, 2013 at 11:14 AM

After Nov 30th the hacker group anonymous should prove this contention pretty easily.

jake49 on November 19, 2013 at 11:17 AM

Okay… who left the unlocked cage full of Tea Party Gremlins in the dot.gov server farm?

I wanna send them a case of beer…

CPT. Charles on November 19, 2013 at 11:18 AM

“If you like God in your Gettysburg Address, you can keep God in your Gettysburg Address. Period.” -Jaggazz Husein 0b00ba

Akzed on November 19, 2013 at 11:19 AM

Think how fun it will be when you are thrown in prison after being accused of trying to steal your own identity because some illegal in California paid a hacker to steal it from the website and it now belongs to him.

Bishop on November 19, 2013 at 11:13 AM

We have to break through our kind of private idea that our personal information belongs to us and recognize that it belongs to whole communities. We have never invested as much in public identities as we should have because we’ve always had a private notion of our SSN and bank account number. That your ID is yours and totally your responsibility. We haven’t had a very collective notion of identities.

It is only a matter of “economic justice” that you share your identity with some illegal named Consuela in Los Angeles. I mean, seriously, how much worse is that than the fact you’re going to be paying boatloads for services you don’t need so that she and her family can mooch off of society? I’d rather the system be set up like one of those charities where we get a picture of the parasite we are supporting by our contribution to Obamacare.

Happy Nomad on November 19, 2013 at 11:24 AM

And here I was left, yesterday, sympathizing with the 20% the website wouldn’t work for.

Now, today, I instead have to consider them lucky and sympathize with the 80% the website will work for?

Dusty on November 19, 2013 at 11:25 AM

This looks like yet another lie from the administration, and one that might cost those who trusted it dearly.

Yet, who is paying the price for these lies, the incompetence, and outright criminal level fraud being perpetrated by the Administration and their contractors?

At this point, the only ones paying a price are those who are being forced by the government to use the exchanges. The consumer / citizen is not the one who should be paying a price for this EpicClusterFark.

Everyone, at this point, gets that the government is not like a business in the private sector. That’s not a good thing, particularly with the massive expansion of government power and control over the individual.

We need to get back on the path where government exists to support, serve, and be accountable to the people. Today, it’s reversed. The people are the ones who are there to support, serve, and be held accountable by the government – bereft of personal liberty and freedoms.

Athos on November 19, 2013 at 11:27 AM

Regime officials are suggesting registrants opt for the heightened security of posting their personal information on bus station billboards.

viking01 on November 19, 2013 at 11:29 AM

Secure in the databases of hackers worldwide…

Tsar of Earth on November 19, 2013 at 11:30 AM

So, in other words, those signing up for Obamacare so far are those who actually mooch off those that the system needs to enroll in order to pay for it all.

Happy Nomad on November 19, 2013 at 11:05 AM

Or…

Self employed individuals who liked their insurance and could afford their insurance who found their policies cancelled and the new Obama-compliant policies have priced them out of the market unless they can qualify for subsidies.

Wendya on November 19, 2013 at 11:37 AM

This looks like yet another lie from the administration, and one that might cost those who trusted it dearly.

If one could prove damages from ID theft caused by the site, I smell law suits.

MJBrutus on November 19, 2013 at 11:53 AM

Self employed individuals who liked their insurance and could afford their insurance who found their policies cancelled and the new Obama-compliant policies have priced them out of the market unless they can qualify for subsidies.

Wendya on November 19, 2013 at 11:37 AM

You say “qualify for subsidies” as if that isn’t stealing money from some Americans to pay the freight for others. I have problems with the whole wealth redistribution aspect of Obamacare but that’s hidden behind the idea that the money used for “subsidies” is clean money and not taking money away from some other family.

Happy Nomad on November 19, 2013 at 11:54 AM

Just wondering how many of those “security flaws” are due to tracking keylogger programs and such put there by the administration.

Sterling Holobyte on November 19, 2013 at 11:55 AM

And here I was left, yesterday, sympathizing with the 20% the website wouldn’t work for.

Now, today, I instead have to consider them lucky and sympathize with the 80% the website will work for?

Dusty on November 19, 2013 at 11:25 AM

Never fear! The 20% can always go to some ex-felon starting his new career as an Obamacare navigator.

Happy Nomad on November 19, 2013 at 11:55 AM

80% Secure. 20% chance of losing. Slightly worse than Russian roulette.

kcewa on November 19, 2013 at 11:57 AM

Or the ones who went in there, got a look at the prices, and left. There’s no way to remove your info once it’s in there.

CurtZHP on November 19, 2013 at 10:47 AM

I know a guy in Eastern Europe who can delete your record. For a small, reasonable price. PayPal only.

Tsar of Earth on November 19, 2013 at 11:58 AM

A Debacle Czar needs to be appointed ASAP.

Then a special task force with the best and brightest needs to be appointed.

Then a spoonful of special sauce needs to be added.

Then someone needs to be hired ASAP to scoop the special sauce and spread it around.

SparkPlug on November 19, 2013 at 12:01 PM

You say “qualify for subsidies” as if that isn’t stealing money from some Americans to pay the freight for others.

Happy Nomad on November 19, 2013 at 11:54 AM

And what do you call doubling (or higher) premiums to pay for services the policy holder doesn’t want and will never use? I don’t blame people who have been forced into an untenable situation by Obama for taking the only action available to protect themselves and their families. I can only hope unbearable pain falls at the feet of the jackasses who voted Democrat.

Wendya on November 19, 2013 at 12:01 PM

80% success is the new normal.

chewmeister on November 19, 2013 at 12:02 PM

Are we sure this isn’t really part of the Identity Theft and Criminal Full Employment act?

I mean that is what the ACA is coming to represent.

ajacksonian on November 19, 2013 at 12:06 PM

To give this a slightly positive spin, according to ACA supporters, the people using the website are people that couldn’t afford insurance before, so hopefully they don’t have enough money to incent crooks to try to hack their information.

talkingpoints on November 19, 2013 at 11:01 AM

That is information that can be sold on the cheap to illegals so they can get legitimate jobs.

Oh, and that poor person is stuck with the tax liability and trying to clear their name, which costs them money they don’t have.

ajacksonian on November 19, 2013 at 12:11 PM

To give this a slightly positive spin, according to ACA supporters, the people using the website are people that couldn’t afford insurance before, so hopefully they don’t have enough money to incent crooks to try to hack their information.

talkingpoints on November 19, 2013 at 11:01 AM

That is information that can be sold on the cheap to illegals so they can get legitimate jobs.

Oh, and that poor person is stuck with the tax liability and trying to clear their name, which costs them money they don’t have.

ajacksonian on November 19, 2013 at 12:11 PM

The victim doesn’t have to have money; the criminals open credit card accounts in their name and create new debts for them.

slickwillie2001 on November 19, 2013 at 12:26 PM

I work for a large IT company, and over the last few years this kind of stuff doesn’t surprise me any more.

Bureaucracy not only tolerates incompetency, it breeds it.

SteveInRTP on November 19, 2013 at 12:50 PM

80% success is the new normal.

chewmeister on November 19, 2013 at 12:02 PM

Pretty sure that’s what an “A” is in the affirmative action world of higher learning.

B=70%
C=50%
D=30%
F=0%

This grading scale is more fair and levels the playing field.

jukin3 on November 19, 2013 at 12:57 PM

jukin3 on November 19, 2013 at 12:57 PM

IIRC, there’s a school district in NC considering banning zeroes/Fs.. so that makes your B = 60%?

We are so screwed.

SteveInRTP on November 19, 2013 at 1:00 PM

Healthcare.gov still has “critical risk” security flaws

I DON’T hate to tell you “I told you so”!

landlines on November 19, 2013 at 1:29 PM

People who haven’t signed-up for this are least affected.

(Nelson Muntz) … HA HA

listens2glenn on November 19, 2013 at 1:31 PM

APACHEWHOKNOWS on November 19, 2013 at 11:07 AM

Good points.

LegendHasIt on November 19, 2013 at 1:52 PM

The EpicClusterFarkNado just keeps getting better….

Between now and December 1, the technical wizards behind Healthcare.gov and Obamacare, still have to build 30-40% of the site…including the ‘minor’ functionality of a workable payment system so people can actually pay for the insurance they are buying via the exchanges.

And if that part doesn’t work – there will be a lot of people who will have very unpleasant surprises in the event they need medical treatment or visit their doctor in January.

What is done? According to Henry Chao…

…the online application, verification, determination, plan compare, getting enrolled, generating the enrollment transaction — that’s 100 percent there.

…but at best, it will only work for 80% of the people who need to use it.

Does any of this lend any comfort to the information / date regarding subsidies being correct? Or being willing to trust your personal data – including payment information (when it’s built) – with HHS / CMS?

So many more shoes yet to drop with the EpicClusterFark….

Athos on November 19, 2013 at 2:00 PM

-_-

Bishop on November 19, 2013 at 10:43 AM

Ed Bishop –
You mean the websites aren’t working perfectly on day one fifty?

verbaluce on October 1, 2013 at 10:18 AM

NotCoach on November 19, 2013 at 10:47 AM

BWAHAHAHA! It’s day 50 and I’m still laughing! Please everyone keep posting these! Laughter is the greatest form of ridicule, and ridicule the greatest approach to minimizing the idiocy of fools!

dominigan on November 19, 2013 at 2:35 PM

THESE PEOPLE ARE STUCK ON STUPID.

If you have common sense, please do NOT go on that STUPID website and put ANY of your information on it.

mmcnamer1 on November 19, 2013 at 3:14 PM

The Security problems are not yet at hand. There is just nothing there to steal. There is just nothing more secure than an empty Bank Vault. Just wait a year. When they get it working and the Medical records go on line. At that time the new game will not be ID theft but “Black Mail”. What would be the value of Obama’s real medical Records? What would be paid for the true record of Congressman’s drug and alcohol abuse treatments?

Cost of all this? Well put this with the other lies but so far it must be well over 5 Billion Dollars, including all the selling ad work and raw costs and man hours. If you “like it you can keep it” lie, if site not fixed in 10 days the litigation could reach 2-6 Trillion Dollars. Add to that ID theft and Black Mail .

Yet no one is at fault.

jpcpt03 on November 20, 2013 at 3:47 AM