If you believe the various security professionals who spoke to Reuters, and why wouldn’t you, HHS has done next to nothing to plug the 20+ security holes they’ve been warned about since October. Including one, allegedly, that would let hackers remotely access people’s computers by uploading some sort of worm to the server.
I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out. We don’t even have to draw an inference from the overall half-assed execution of Healthcare.gov as of October 1st; remember, HHS’s own security people were waving red flags before launch day. And yet, despite endless stories about the site’s vulnerabilities and high-profile testimony by security experts before Congress in November about just how bad things are, there have been no major breaches to date.
That we know of.
Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee…
Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation…
“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.
Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.
“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals…
“We don’t know how bad it is because they don’t have to tell us,” Strand said.
A contractor who’s worked with HHS counters that you can’t know how vulnerable the site is unless you’ve hacked into it, which Kennedy et al. haven’t done. Kennedy did, however, write a short bit of code to see if he could harvest any personal information about users from the site. He collected 70,000 names and e-mail addresses in … four minutes. (He didn’t hack Healthcare.gov, he claims; the information was accessible on the Internet somehow and his code accessed it.) So how do we reconcile all of this? Three possibilities. One: The security pros are simply wrong. Why they would all be wrong, though, I have no idea. Clearly the site appears to the trained eye to be susceptible to major hacking, even though there’s no hard proof. I suppose that, in the mad rush in November to patch its problems, HHS closed the security holes without cleaning up all of the code, leaving it looking somehow like the site is vulnerable when it really isn’t. Anyone buy that? Me neither.
Two: The security pros are right but hackers, for whatever reason, have laid off Healthcare.gov. Maybe it’s because they don’t want to mess with the feds on a matter so visible, knowing that a highly public hack of the government’s new health-care showpiece would bring down the wrath of the DOJ upon them. Or maybe they’re just too kind-hearted to mess with a site that’s all about helping people get medical coverage. Hackers take legal risks all the time, though. And if anything, the public prominence of Healthcare.gov just makes it a juicier (and conveniently low-hanging) fruit to pick, I’d imagine. Even if most hackers are inclined to lay off, the basic dynamics of bad apples and bunches suggest that there’s at least one person out there who couldn’t resist screwing with it.
Three: The site’s been hacked and we just don’t know about it. The feds are keeping that info verrrry close to the vest, knowing that the last thing the big O-Care rollout needs after the big “it’s fixed!” publicity for Healthcare.gov in December is news of a massive security breach. They need people to keep enrolling to get anywhere close to their target by March 31st. A scare story about vulnerabilities being exploited to steal people’s data would bring things to a screeching halt, maybe even to the point of congressional Democrats peeling off lest they take any more political uppercuts from O-Care. But if that’s what happened here, where’s the evidence? There couldn’t be a huge hack of a site like this without someone, either on the inside or outside, finding out about it and leaking it, right? The hacker himself might brag about it somewhere online, unable to resist showing off his trophy. And yet, as far as I know, nothing like that has happened. No one’s offered any evidence of a wide-scale malicious security breach.
Just as I’m writing this, I see the AP has a story on the wires about one of the CMS officials who waved a red flag before launch now pronouncing the site safe. Apparently, it passed a security test just recently — and yet here’s Kennedy and crew telling Reuters it’s a disaster. What’s going on here?