Article Lead Image

Healthcare.gov still dangerously easy to hack, experts testify

The downtime was just the tip of the iceberg.

 

Tim Sampson

Internet Culture

Posted on Jan 16, 2014   Updated on May 31, 2021, 9:07 pm CDT

Despite highly touted improvements to Healthcare.gov’s functionality, the site many Americans are using to sign up health coverage under the Affordable Care Act still has crucial cybersecurity weaknesses, experts testified on Capitol Hill Thursday.

Witnesses said that nothing has changed since security failings were first brought to light shortly after the website’s glitch-plagued launch back in October. 

“Healthcare.gov is not secure today,” said David Kennedy, head of the computer security firm TrustedSec LLC, one of a several security experts to testify before the House Science, Space and Technology Committee on Thursday.

According to statements made by Kennedy to Reuters, more than 20 security flaws, vulnerable to infiltration by hackers, have not been fixed. This despite the fact that a similar assessment was delivered at a hearing of the same committee two months ago. At that time, three out of four expert witnesses, including Kennedy, advised completely shutting down the federal health insurance exchange to address weak links in the site’s security.

Kennedy repeated his message Thursday, saying there is no doubt that security problems exist. The focus of government officials, he said, should be on how to fix them. Before the hearing, he told reporters that the site was susceptible to attacks that would allow hackers to steal personal information, modify data, or attack users’ personal computers. They could also break into and disrupt the infrastructure of Healthcare.gov itself.

But Democratic representatives disagreed with Kennedy’s assessment and accused GOP committee leaders of stacking the deck when it came to selecting witnesses. Rep. Eddie Johnson (D-Texas.), the committee’s ranking Democrat, said Republicans are using the committee’s investigative powers to keep the public’s attention on Healthcare.gov’s technical flaws as a way of undermining the Affordable Care Act. 

“The majority has allowed the committee to become a tool of political messaging,” Johnson said.

But Kennedy denied that politics played a role in his testimony. Other independent experts who have reviewed his research agree with Kennedy’s conclusions about the vulnerable state of the exchange.

“The site is fundamentally flawed in ways that make it dangerous to people who use it,” Kevin Johnson, one of the experts who reviewed Kennedy’s findings, told Reuters.

One of the more significant vulnerabilities uncovered by Kennedy and first reported to the federal government in October, exposes users’ information, including full names and email addresses. A short computer program Kennedy claims to have written in five minutes was able to automatically collect some 70,000 records in roughly four minutes. Kennedy didn’t even have to hack the site to obtain this data. The information was available via the Internet.

Other witnesses who appeared before the committee tried to downplay the threat. Waylon Krush, the CEO of a firm that has done security work for the Department of Health and Human Services, said most hackers would choose to focus on more lucrative targets like the recently hacked Target and Neiman Marcus. Kennedy and others refuted this claim, saying plenty of valuable information is still available through government websites. 

Healthcare.gov is the centerpiece of President Barack Obama‘s biggest legislative triumph to-date, the Affordable Care Act. The site is a federally administered marketplace for citizens in 36 states to buy private insurance plans. But since debuting in October, it has been plagued with technical errors. In addition to security concerns, many users faced crashes and timeouts when they first tried to access the site. 

The user experience was drastically improved by December, leading to an enrollment surge that saw up to 2.1 million citizens purchase health insurance through the site. However, that number remains far below initial administration projections. There are also ongoing reports of backend errors resulting in insurers not receiving accurate information about their new clients. 

The Obama administration recently announced that the primary contractor behind Healthcare.gov would be dismissed from the project. The firm, CGI Federal, is also facing backlash from several states who say the company has bungled their own state-run health insurance exchanges. The Department of Health and Human Services recently hired veteran Microsoft Executive Ken DelBene to oversee continued repairs to the site.

Photo by Edith Soto/Flickr

Share this article
*First Published: Jan 16, 2014, 8:52 pm CST