BOSTON/WASHINGTON (Reuters) - A cybersecurity professional warned that the U.S. government failed to implement fixes to protect the HealthCare.gov website from hackers at a congressional hearing that Democratic lawmakers claimed was politically motivated.
“HealthCare.gov is not secure today,” David Kennedy, head of computer security consulting firm TrustedSec LLC, said at a Thursday hearing of the House Science, Space and Technology Committee.
He said “nothing has really changed” since a hearing of the same committee in November, when he and three other expert witnesses said they believed the site was not secure and three of them said it should be shut down immediately.
“I don’t understand how we’re still discussing whether the website is insecure or not,” Kennedy told the committee. “It is insecure - 100 percent. It’s not a question of whether or not its insecure, it’s what we need to do to fix it.”
Before the hearing, Kennedy told Reuters the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1.
Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, Kennedy said in an interview with Reuters ahead of Thursday’s testimony.
U.S. Representative Eddie Johnson, the top Democrat on the committee, said the Republican-led panel’s focus on HealthCare.gov was politically motivated: “The majority has allowed the committee to become a tool of political messaging.”
HealthCare.gov lets consumers shop for insurance plans under President Barack Obama’s Affordable Care Act, which mandates health insurance for all Americans.
The site, which is meant to serve millions of consumers in 36 states, was crippled by technology errors since its launch. The Obama administration’s efforts to repair the site helped it to work more smoothly in December, though some problems remain. Democrats have accused Republicans of keeping a focus on the website’s problems in an effort to undermine the 2010 law.
Johnson said there have been numerous fixes to the site since the committee’s last hearing in November and millions of Americans have signed up.
“As smart and experienced as these witnesses are, not one of them has actual knowledge of the security structure of HealthCare.gov,” Johnson said. “They can only speculate.”
Kennedy said the experts were not only concerned about HealthCare.gov, but that security of sites throughout the federal government “is in a really bad state.”
“To me this is not a political issue. For me personally this is a security issue,” Kennedy told the committee.
Waylon Krush, chief executive officer of a firm known as Lunarline that has done security work for the Department of Health and Human Services, pointed out that many federal websites contained Americans’ personal information but said there were far more lucrative targets for hackers.
“HealthCare.gov is not the one getting attacked,” he testified. “They’re going to go where the money is. They’re going to go after the Targets, they’re going to go after the Neiman Marcus, they’re going to go after these places that contain lots of data related to intellectual property.”
Kennedy countered that there was plenty of money to be made from personal information contained on U.S. government websites.
Kennedy last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed documentation of his findings.
They wrote statements to the House committee, which were made public on Thursday, saying they are concerned about the security of the site.
“The site is fundamentally flawed in ways that make it dangerous to people who use it,” Kevin Johnson, one of the experts who reviewed Kennedy’s findings, told Reuters.
Johnson said one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.
“You can take control of their computers,” said Johnson, chief executive officer of a firm known as Secure Ideas.
Kennedy said he identified many other problems on his own, conducting what is known as “passive analysis” of the site, by using an ordinary Web browser and other software tools to look at HealthCare.gov’s content and architecture from the outside.
One security flaw that Kennedy first uncovered and reported to the government in October exposes information including a user’s full name and email address.
He said he wrote a short computer program in five minutes that automatically collects that data, which was able to import some 70,000 records in about four minutes.
He said the information was accessible via the Internet and he did not have to hack the site to get it. He declined to elaborate.
Kennedy said he did not take the additional step of hacking into the site to look for other problems because he did not have permission from the government or access to its networks.
The Centers for Medicare & Medicaid Services said in its statement that Kennedy’s methodology undermined his findings.
“Because this individual had no direct access to the operations of the HealthCare.gov website, the information in the report is based on assumptions, not fact.”
Reporting by Jim Finkle; Editing by Richard Valdmanis, Richard Chang and Chris Reese