Tipsheet

Experts: Healthcare.gov's 'Fundamental' Data Security Weaknesses 'Alarming'


Of all the shoes waiting to drop on Obamacare over the next year, one of the least-discussed is a damaging data security breach. We've seen a few troubling incidents crop up in various states, and an expert uncovered a major backdoor vulnerability to Healthcare.gov early on in the process -- but we haven't heard about any large-scale security meltdowns...yet, that is. Obamacare officials say the site recently passed a battery of security tests, but cyber security professionals offered a starkly different assessment to Reuters:


A group of cyber security professionals is warning that the U.S. government has failed to implement fixes to protect the HealthCare.gov website from hackers, some three months after experts first pointed out the problem. David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters that the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1. Hackers could steal personal information, modify data or attack the personal computers of the website's users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee. "These issues are alarming," Kennedy said in an interview on Wednesday.


So who's telling the truth? The administration says Healthcare.gov's security functions just received a clean bill of health. Outside experts say more than 20 deficiencies haven't been addressed -- and that they raised red flags about these issues in early October. Indeed, private sector authorities, hackers, members of Congress, and even some Obamacare bureaucrats have been pounding the table on these "limitless risks" for months. But how bad could these enduring weaknesses really be? This bad:


"The site is fundamentally flawed in ways that make it dangerous to people who use it," said Kevin Johnson, one of the experts who reviewed Kennedy's findings. Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users. "You can take control of their computers," said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world's biggest organization that trains and certifies cyber security professionals. He declined to provide further details about that vulnerability, saying he was concerned the information could be used by malicious hackers to launch attacks...One security flaw that Kennedy first uncovered and reported to the government in October exposes information including a user's full name and email address. He said he wrote a short computer program in five minutes that automatically collects that data, which was able to import some 70,000 records in about four minutes. He said the information was accessible via the Internet and he did not have to hack the site to get it. He declined to elaborate.


He whipped up a rudimentary program in five minutes, let it run, and collected 70,000 records in the span of four minutes. But the government tells us everything is just fine. Tests were supposedly passed, after all. Many Americans will understandably trust the experts over the Obama administration, which has lied, dissembled and betrayed pledges over months of bumbling Obamacare incompetence. But if the data risks are so glaringly apparent, why haven't we seen a massive breach? Allahpundit reasons through three possible explanations. First, the site may appear to be vulnerable, but it's actually pretty secure. Re-read the last excerpt above and draw your own conclusions. Second, the site is, in fact, vulnerable, but hackers don't want to cross the feds on something this big. But that's what hackers do. Some may be scared off by the world of hurt that would come crashing down on them if they get caught, but surely someone is willing to give Uncle Sam the finger and tap this treasure trove of personal data, right? Finally, he suggests that breaches have already occurred; we just haven't heard about them yet. Maybe the administration is suppressing information, or maybe they haven't even detected the problems. In any case, the lingering threat of identity theft will continue to hang over the Obamacare enrollment process like Damocles' sword -- and any forthcoming report about a big-time data exposure could deal yet another devastating blow to the program's tattered reputation.