HealthCare.Gov: Experts Declare it Insecure

It appears, however, that the political argument has spilled into the security argument, with those in favor of Obamacare claiming that the security experts who criticize HealthCare.Gov are politically motivated and wrong. "Democratic Representative Elijah Cummings charged that Republicans were 'cherry-picking partial information to promote a narrative that is inaccurate' about the Obamacare website, when its security was 'strong and keeps getting stronger'". (Reuters)

This view is supported by the Centers for Medicare and Medicaid Services (CMS), the federal agency responsible for HealthCare.Gov. It told Reuters that there have been no successful attacks against HealthCare.Gov, and that no unauthorized person had accessed personal information on the site.

The contrary view, however, is typified by that of David Kennedy, head of TrustedSec. Last week he testified to the House Science, Space and Technology Committee, claiming that the site is flawed and insecure, and that he had discovered this simply through using Google. "There are techniques you can use through Google, such as reconnaissance on the website, and just clicking through links that gave me enough information about how the site was developed and how security was very much an afterthought. It’s bad", he explained in a blog posted Sunday.

CMS attempted to dismiss his arguments, telling Reuters, "Because this individual had no direct access to the operations of the HealthCare.Gov website, the information in the report [his criticism of HealthCare.Gov's security] is based on assumptions, not fact."

Kennedy responded to this in his testimony by saying that if he had been a mechanic for fourteen years (rather than a security practitioner), and saw a car with a smoking engine, making clanking sounds and dripping oil, he could tell that the car is 'messed up' without having to look under the hood. "I don't understand how we're still discussing whether the website is insecure or not," he told Reuters. "It is insecure – 100 percent."

His report on the security of the HealthCare.Gov website, presented to the House Science, Space and Technology Committee, included statements from other security experts: Ed Skoudis (founder of Counter Hack), Kevin Mitnick (founder and CEO of Mitnick Security Consulting), Kevin Johnson (CEO of Secure Ideas), John Strand (senior security analyst and principal at Black Hills Information Security) and Lares Consulting, all of whom commented on the flaws found by Kennedy.

Skoudis reported, "Reviewing the security issues discovered in the HealthCare.Gov site, I can tell you: this is a breach waiting to happen. Or, given the numerous vulnerabilities, perhaps a breach already has happened." He added, "Urgent action is required to fix these flaws."

Mitnick, calling breaking into HealthCare.Gov "a hacker's wet dream," said "It's shameful the team that built the HealthCare.Gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise or access to consumer proprietary information."

Johnson said, "These are the types of flaws that a security assessment should find with little effort. Given the existence of these flaws for such a prolonged amount of time after the release of the application, it is a certainty that security testing is either not being performed at all, not being performed well, or the results of the testing are not being made part of remediation efforts. Applications containing low hanging fruit such as these flaws typically also contain much more serious issues."

But Strand tried to put the problem in the wider context of government security. "If the HealthCare.Gov site is the devil we know," he asked, "what about the devil we don't know? Where are the breach notification requirements for .gov sites? Where are the regular and continuous testing requirements for federal and state governments? It is truly unfortunate that rather than the government being the shining city on the hill when it comes to security and breach notification, it is the devil we don't know."

Following the hearing, the committee's chairman Lamar Smith issued a statement on HealthCare.Gov. "It is obvious that [HealthCare.gov] is in need of an outside, independent audit. The President should formally certify the safety requirements, security standards and privacy conditions of [HealthCare.gov]. Given the potential risks and dangers associated with [HealthCare.gov] today, the President should not let the American people be the next target of cyber criminals." The problem here is that Smith is a Republican, and Kennedy's security arguments are back to being a political football.