http://www.nbcnews.com/technology/hackers-healthcare-gov-still-riddled-potential-security-issues-2D11940198?ocid=msnhp&pos=11/16/14
Hackers: HealthCare.gov still riddled with potential security issuesCybersecurity researchers slammed HealthCare.gov's security during a House hearing on Thursday morning, saying the site is still riddled with problems that could put consumers' sensitive health details at risk.
“The reason we’re concluding that this is so shockingly bad is that the issues across the site are so varied,” David Kennedy, founder of the information security firm TrustedSec, told NBC News.
“You don’t even have to hack into the system to see big issues – which means there are [major problems] underneath.”Kennedy was the first of a group of so-called "white-hat hackers" who testified before the House of Representatives Science Committee on Thursday. He previously appeared before the committee on November 19, when he said he was able to identify 18 major issues with the site – without even hacking into it.
“Nothing’s really changed since our November 19 testimony,” Kennedy said during the hearing. “In fact, it’s worse.”Only half of one of those 18 issues on HealthCare.gov has been fixed since that November meeting, Kennedy said, and he has since learned of more problems with the site. A separate House Oversight committee hearing began Thursday morning with testimony expected from the Department of Health and Human Service's chief information security officer.
TrustedSec isn’t disclosing the specifics of how those vulnerabilities work, as they are active issues that hackers could exploit. But Kennedy did cite issues including the disclosure of user profiles and the “ability to access anyone’s eligibility report on the website without the need for any authentication or authorization.”
“
Some issues still include critical or high-risk findings to personal information or risk of loss of confidentiality or integrity of the infrastructure itself,” Kennedy said in his written testimony. He also submitted statements from seven other security researchers who expressed serious concerns.
HealthCare.gov is run through the Centers for Medicare and Medicare Services (CMS), which released a statement Thursday insisting the agency takes security concerns seriously and has a “robust system in place” to address potential issues.
“To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site,” CMS said in the statement, adding that it continually conducts security testing on the site.
The committee, which is chaired by Rep. Lamar Smith (R-Tex.), also heard testimony from Michael Gregg, the CEO of security consulting firm Superior Solutions.
Gregg discussed concerns about Healthcare.gov “going up fast,” comparing the process with those of private companies like Microsoft, which roll out products in waves and spend a lot of time testing them. Healthcare.gov didn’t follow that type of process, he said, and the data it contains is a goldmine.
“Hacking today is big business,” Gregg told the committee. “It’s no longer the lone hacker in the basement.”
When questioned by the panel, Gregg and Kennedy both said they would not put their personal information on HealthCare.gov.
The third of the three cybersecurity researchers on the panel disagreed. Waylon Krush, CEO of the security firm Lunarline, stressed that he would put his information on the site.
Krush explained that Lunarline has worked with federal clients, and he used his written testimony to lay out the six-step process that federal information systems use to mitigate risk.
He also criticized Kennedy and Gregg for engaging in what he called speculation, pointing out that “no one at this table” was involved in the setup and management of HealthCare.gov. What’s more, he added, because hacking into the system would be a crime, no one has – at least not legally -- looked deep into the site to fully understand its setup.
“Just as security critics lack the hands on knowledge necessary to make dramatic claims about the site's weaknesses, I cannot claim to understand all of Healthcare.gov's security intricacies,” Krush said in his written testimony.
Gregg argued that a third party should be assigned to do just that: plumb the depths of the site and figure out a way to fix the problems through “an independent assessment.”
Another security researcher, who was not a part of the committee hearing, was not as optimistic.
“If you build a house on a bad foundation and it’s sinking into a swamp, it’s really hard to pick up the house and rebuild the foundation,” said Alex McGeorge, a senior security researcher at Immunity Inc. Companies hire Immunity to hack into their own systems and show vulnerabilities.
“Security isn’t a bolt-on,” McGeorge said. “It’s not easy to retrofit once you have a system up and running.”This week the Obama Administration booted the original IT contractor, CGI Federal, that managed Healthcare.gov. CGI Federal’s contract will not be renewed in February, and Accenture won the contract instead.
“From a security standpoint, one of the things that’s so interesting about this site is that it’s so dynamic -- and it’s changing quickly,” McGeorge said. “You’ve got so many hands in the pot.”
Unfortunately, “that is the exact opposite of how you create a secure site,” McGeorge said.
There’s also an upside to the ever-changing nature of Healthcare.gov and its stewards: When the site is constantly shifting, it’s tougher for hackers to exploit vulnerabilities they found previously.
“It’s harder to hit a moving target,” McGeorge said. “But a moving target also makes more mistakes.”
