Jump to content

Security Experts Say Close Healthcare.gov

Recommended Posts

Close HealthCare.gov For Security Reasons, Experts Say


Testifying before the House technology committee, four security experts advise would-be HealthCare.gov users to steer clear of the site, pending security improvements.



Should the embattled HealthCare.gov website be shut down until the White House proves it's secure?

That was one approach advocated by several security experts, testifying Tuesday during the House Science, Space, and Technology committee's "Is My Data on HealthCare.gov Secure?" hearing.

Ever since the October 1 launch of the federal HealthCare.gov portal, which implements the Affordable Care Act and is used by 36 states, security experts have been warning that the site is vulnerable to a number of different types of attacks. To date, would-be hackers appear to have paid scant attention to the site, but many security experts -- and legislators -- have voiced their concerns over the hack-attack potential for a healthcare portal that handles people's personal information, including social security numbers, income levels, and medical details.

"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," said committee chairman Lamar Smith (R-Texas) at the hearing.

[What will it take to make HealthCare.gov work? Read How To Get Obamacare Moving Now.]

"Several vulnerabilities have already been identified, and we know of at least 16 attempts to hack into the system. And I heard this morning that there were another 50," he added. "But we can assume that many more security breaches have not been reported."

David Kennedy, CEO of information security consulting firm TrustedSEC, echoed that assessment, saying there was no way that HealthCare.gov had been targeted only 16 times in the first six weeks after it launched. "What this statement shows is the lack of a formal detection and prevention capability within the website and its infrastructure," said Kennedy. "On average, while working for an international Fortune 1000 company, our main website was attacked over 230 -- averaged [out to] 232 attacks a day for the year of 2012 -- times a day."

Whatever the attack volume, the security experts testifying at the hearing all emphasized the challenge of trying to secure any infrastructure that sports 500 million lines of code, and which was implemented in a rush. "When it comes to security, complexity is not your friend. Indeed it has been said that complexity is the enemy of security," Fred Chang, a former NSA research director who now heads the cybersecurity program at Southern Methodist University in Dallas, told Congress. Likewise, for maximum protection, "ideally, security is built into an application from the very beginning rather than having it 'bolted on' afterwards," he said.

Link to comment
Share on other sites

Join the conversation

You are posting as a guest. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...