Healthcare.gov has security bugs, expert warns Congress

Paper applications are available in lieu of using the HealthCare.gov website at a health care enrolment fair. Credit: Reuters

The website at the center of U.S. President Barack Obama’s healthcare overhaul has security flaws that put user data at “critical risk” despite recent government assurances it is safe to use, a respected security expert said on Tuesday.

“There are actual, live vulnerabilities on the site now,” David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters before testifying at a congressional hearing on the topic “Is My Data on HealthCare.gov Secure?”

Kennedy, a former U.S. Marine Corps cyber-intelligence analyst, presented a 17-page report describing the problems to the House Science, Space and Technology Committee. It does not go into specifics in some areas, he said, because that could provide criminals with a blueprint for launching attacks.

The website is an online exchange that allows consumers to shop for insurance plans under Obama’s Affordable Care Act, which mandated that Americans have health insurance and created new marketplaces to buy and sell policies.

The site has been bedeviled by technical glitches since its launch on October 1, although Obama administration officials have said they are getting on top of the problems.

“There is a lot of stuff that we are not publicly disclosing because of the criticality of the findings,” Kennedy said. “We don’t want to hurt people.”

When asked to describe the severity of the threat that the findings posed to the public, he said it was a “critical risk.”

The HealthCare.gov site collects data including the names, birth dates, social security numbers, email addresses and healthcare information about its users that criminals could use to engage in a wide variety of scams.

“The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure,” said Lamar Smith, the Texas Republican who is chairman of the House committee.

“Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals.”

The Obama administration said on Tuesday the website was safe to use.

IDENTIFYING VULNERABILITIES

Kennedy was one of the first security experts to identify vulnerabilities on the site that threaten the security of user data, describing them on his company’s blog shortly after its October 1 launch.

The site tells people when a user name is invalid at login, which allows attackers to identify user IDs for the site, according to the report prepared for Tuesday’s hearing. The report also describes more technical bugs that could lead to attacks.

Kennedy said in making his assessment he had used tools that allowed him to remotely view the site’s software, code and architecture without needing credentials to log on to its server.

In October, a September 27 government memorandum surfaced in which two Department of Health and Human Services officials said the security of the site had not been properly tested before its launch, creating “a high risk.”

HHS spokeswoman Joanne Peters said then that steps had been taken to ease security concerns since the memo was written, and that consumer data was secure.

Peters reiterated those assurances on Tuesday.

“When consumers fill out their online Marketplace applications, they can trust that the information that they are providing is protected by stringent security standards,” she said.

“Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” she said.

The Department of Homeland Security said last week that authorities were investigating more than a dozen cybersecurity incidents targeting HealthCare.gov.

 


