Great news: Healthcare.gov still has “critical risk” security flaws
posted at 10:41 am on November 19, 2013 by Ed Morrissey
The news that the ObamaCare web portal had serious security gaps started emerging over the summer, as a number of state Attorneys General picked up on an Inspector General report criticizing a lack of security testing for Healthcare.gov. After its launch on October 1, the security flaws became an acute issue as the White House continued to insist that the site was safe, but pledged to correct any issues along with the operational failures that immediately erupted. An expert will testify today that the security issues haven’t even been significantly addressed after seven weeks, and that any user entering personal data faces a “critical risk” of data theft:
A respected security expert will warn Congress on Tuesday that the Obama administration’s healthcare website has security flaws that put user data at a “critical risk,” despite recent government assurances the data is safe.
“There are actual live vulnerabilities on the site now,” David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters ahead of his testimony at a Congressional hearing on the topic “Is My Data on HealthCare.gov Secure?”
Kennedy, a former U.S. Marine Corps cyber-intelligence analyst, said his firm has prepared a 17-page report describing some of the problems. It does not go into specifics in some areas, he said, because that could provide criminals with a blueprint for launching attacks.
Unlike the operational issues that emerged on the rollout, the security issues have been well known for months. Fourteen AGs demanded a delay in August on the rollout based on the IG report, while California’s Democratic insurance commissioner predicted a “disaster” on identity theft a month before that. Six weeks ago, on the third day of the Healthcare.gov rollout, IT security experts warned consumers that the site put them at risk for phishing attacks.
Since then, HHS has taken the site down a number of times to add updates. One would have expected those updates to have addressed the gaping holes in data security, which should have consisted of basic fixes along well-known industry standards for web portals. That would be especially true considering the political disaster that will result if people avoid enrollments because of entirely legitimate fears of data and identity theft. However, after four weeks the system still had easily-exploited basic gaps in security, helped no doubt by the White House’s reliance on a contractor with a history of security failures.
At the same time, the Obama administration insisted that the Healthcare.gov portal was safe to use. On October 30th, HHS spokesperson Joanne Peters claimed that everything was fine:
Yet HHS spokeswoman Joanne Peters said that during the interim the public need not worry about the security of data entered on the site, which helps them identify and enroll inhealth insurance plans.
“When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure,” she said.
This looks like yet another lie from the administration, and one that might cost those who trusted it dearly.