Experts called before the House Science, Space, and Technology Committee raised information security concerns about HealthCare.gov, prompting the committee’s chair, Rep. Lamar Smith, R-Texas, to argue for taking the site offline.
Avi Rubin, a computer science professor at Johns Hopkins, said it is not surprising from the perspective of a software engineer that the website had a rocky launch, especially given the rush to meet a hard October 1 deadline.
He said the kind of information collected on the site and the way the site operates create the potential vulnerabilities, and he argued that ongoing vigilance and response are needed to properly maintain security.
Rubin also said that all of the vulnerabilities identified so far that he has heard of have been easily fixed. Going forward, he recommended: annual, outside, independent review; security reviews that focus on interfaces among components and across systems; stronger user authentication; security reviews checking for standard vulnerabilities such as SQL injection and cross-site scripting, and other standard checks; data encryption; and other steps.
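To make concrete what the "standard checks" Rubin mentions actually look for, here is an added example (not code from the article, the hearing, or HealthCare.gov) that sets up a constructed in-memory SQLite table of fake records, pairs a SQL-injectable lookup with its parameterized fix, and pairs an unescaped HTML template with an output-encoded one. Every table, column and record here is invented for illustration.

```python
import sqlite3
import html

# Constructed sample data for the demonstration; not real records.
SAMPLE_USERS = [("alice", "111-11-1111"), ("bob", "222-22-2222")]

# Classic probe payloads a reviewer would try against each input field.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so the caller's input
    is parsed as SQL. A username of  ' OR '1'='1  returns every row."""
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Binds the input as a parameter, so it is only ever treated as data."""
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(name):
    """Interpolates untrusted text straight into HTML (reflected XSS)."""
    return "<p>Welcome, " + name + "</p>"


def render_hardened(name):
    """Escapes <, >, &, quotes before the text reaches the page."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def sqli_check(lookup):
    """The review check: does an injection payload return more rows than
    a legitimate lookup of a single user? True means the lookup is injectable."""
    conn = make_db()
    baseline = len(lookup(conn, "alice"))
    probed = len(lookup(conn, SQLI_PAYLOAD))
    return probed > baseline


def xss_check(render):
    """The review check: does the raw script tag survive into the output?
    True means the renderer reflects markup unescaped."""
    return "<script>" in render(XSS_PAYLOAD)


if __name__ == "__main__":
    print("SQL injection, concatenated query :", sqli_check(lookup_vulnerable))
    print("SQL injection, parameterized query:", sqli_check(lookup_hardened))
    print("XSS, raw template                 :", xss_check(render_vulnerable))
    print("XSS, escaped template             :", xss_check(render_hardened))
```

The two `*_check` functions are the shape of an automated regression test a site like this should carry for every input field: a benign request as a baseline, the probe payload, and a comparison of the results. Rubin's point about reviewing interfaces between components applies here as well, since a value that is escaped for one component's HTML may still be concatenated into SQL by another.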
Morgan Wright, CEO, Crowd Sourced Investigations, sounded a more dire note following a review of the site: "The complexities and interdependencies of the current government site create significant opportunities for disruption of service, compromise of the security and privacy of personally identifiable information, frauds and scams and insider threats."
David Kennedy, the CEO of TrustedSec, an information security consultancy, said a public review of the site (his company did not try to hack the site as part of its analysis) shows it is clear that "even basic security was not built into the healthcare.gov," and that, "the exposures identified that the website has critical risks associated with it and security concerns should be remediated immediately."