Friday, 24 January 2014

Security Expert Points Out Serious Flaws in Healthcare.Gov


A cyber security expert has claimed that he was able to gain access to 70,000 personal records of ObamaCare enrollees in just four minutes, an announcement that is likely to be frightening to all those who have enrolled in the new healthcare program.

According to David Kennedy, CEO of TrustedSec, the information was easily obtained without even resorting to hacking. Appearing on Fox News Sunday, Kennedy explained:

There’s a technique we call passive reconnaissance which allows us to query and look at how the website operates and performs.... These type of attacks that I’m mentioning here ... is very easy to do, it’s a rudimentary type attack that doesn’t actually attack the website itself — it extracts information from it without actually having to go into the system.... Think of it this way, think of something where you have a car and the car doors are open and the windows are open and you can see inside of it, that’s basically what they allow you to do and there’s no real sophistication level here — it’s just really wide open.... And 70,000 was just one of the numbers that I was able to go up to and I stopped after that.... You know, I’m sure it’s hundreds of thousands — if not more — and it was done within about a 4 minute timeframe.

Kennedy’s announcement provoked so many concerns that he had to update his blog post to emphasize that no data was actually dumped and no hacking took place. He reiterated that he had simply used basic Google tools to search the Web, a fact that likely did little to assuage concerns over the security of the website.

Simply stated, healthcare.gov “fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of protection for the website itself,” he said.

Kennedy has already testified before congressional committees twice on the lack of security in the healthcare website.

In his second testimony, which took place before the House Committee on Science, Space, and Technology on January 16, Kennedy said "nothing has really changed" since his first testimony before the committee in November, when he and three other expert witnesses said they believed the site was not secure and three of them said it should be shut down immediately.

In fact, Kennedy stated that of the 18 issues identified during that November hearing, only “a half of one issue” had been “fixed.” And as critical issues remain, new ones “have been identified and reported” but “have not been fixed,” he added. “One of the more alarming is the ability to access anyone’s eligibility reports on the website without the need for any authentication or authorization.”

"I don't understand how we're still discussing whether the website is insecure or not," said Kennedy, who worked for the National Security Agency and the U.S. Marine Corps before entering the private sector. "It is insecure — 100 percent."

Kennedy also told Reuters that the government has failed to address more than 20 vulnerabilities that he and other experts had reported shortly after the launch of ObamaCare on October 1. According to Kennedy, hackers could steal personal information, modify data, attack personal computers of website users and damage the infrastructure of the website.

Kennedy is not alone in his assessment of the website’s security.

“The Healthcare.gov website is a major target for hackers who are looking to steal personal identities,” Michael Gregg, CEO of Texas-based security-assessment firm Superior Solutions, told members of Congress. “A successful attack against HealthCare.gov ... could very well be the largest [such attack] ever.”

In response to these assessments, the Centers for Medicare and Medicaid Services told Reuters, “There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site.”

And CMS chief information security officer Teresa Fryer said the website underwent security testing on December 18 and met all industry standards.

“The (federal marketplace) is secure. In many instances, we have gone above and beyond what is required, with layered protection, continuous monitoring and additional penetration testing,” Fryer said before the House Oversight panel.

But perhaps industry standards need to be raised, if Kennedy was able to access 70,000 user files on the website.

Overall, three separate oversight hearings specifically addressing security problems with the ObamaCare website have taken place in the House of Representatives. Two of those hearings focused on Healthcare.gov’s vulnerability to hackers.

For some lawmakers, the security issues that plague Healthcare.gov do not come as a surprise, considering the vast problems the site has experienced.

"It seems to defy common sense that a website plagued with functional problems was, in fact, perfectly secure by design," said Darrell Issa, chairman of the House Oversight and Government Reform Committee.

Furthermore, security issues related to the website were known even prior to the launch of ObamaCare on October 1.

“The website ultimately went live on Oct. 1 without ever having undergone complete end-to-end security testing,” ABC News reported.

Fryer told the House Oversight Committee in December that she notified three officials at the Department of Health and Human Services about the serious risks inherent in the website before it was launched, but her warnings were ultimately ignored.

Documents from the House Energy and Commerce Committee show that “monitoring and detection capabilities hadn’t even been created or started prior to the launch of the healthcare.gov web site, and had not started by November 19th, 2013,” Kennedy testified.

The chairman of the House Oversight Committee has compared the site's problems to the recent massive breaches at major stores like Target and Neiman Marcus, which have admitted losing control of tens of millions of financial records.

But rather than seriously address the security problems, Democrats have accused Republicans of “cherry-picking partial information to promote a narrative that is inaccurate,” as stated by Representative Elijah Cummings (D-Md.).

Republicans in the House are making efforts to address some of the problems related to the healthcare website's security. Earlier this month, the House passed a measure that would require the government to notify consumers within two days of their personal information being compromised on the site.

The House also passed a measure that would require the Obama administration to issue weekly enrollment statistics. While the White House dismissed the bill as an attempt to disrupt the implementation of health reform, 33 Democrats in the House voted for it.

...