The Obamacare website is even less secure than it was in November, David Kennedy, head of computer security consulting firm TrustedSec LLC, told Fox News Sunday.
Kennedy testified before Congress Thursday that the site was "100 percent" insecure and personal information for consumers at healthcare.gov was at risk, Reuters reports:
Before the hearing, Kennedy told Reuters the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1. Hackers could steal personal information, modify data, attack the personal computers of website users and damage the infrastructure of the site, Kennedy said in an interview.
He expanded on his conclusions Sunday in an interview with Chris Wallace, calling it "much worse" than what he and other experts saw in November.
"What we learned was that they had rushed through what we call the software development life cycle where they actually build the application," Kennedy said. "So when you do that, security doesn't really get integrated into it. And what happened with the rocky launch in October is they slapped a bunch of servers in trying to fix the website just to keep it up and running so that people could actually go and use it. The problem is they still didn't imbed any security into it."
Given the depth of personal information that must be provided for questions regarding health insurance, everything from names to addresses to social security numbers is there for the taking.
The Obama administration has pushed back, with chief security officer Teresa Fryer saying the website had passed end-to-end assessments and should be fully certified, but Kennedy said he completely disagreed.
"It's not just myself that's saying this website is insecure, it's also seven other independent security researchers that also looked at the research I've done and came to the exact same conclusion," Kennedy said. "You know, if you read the testimony and you read what she actually said, she said it's done end-to-end security testing. They don't say what type of testing that is. It could have been an audit that just looks at paperwork. it could have been really rudimentary testing that looks for just basic things. But what's pretty evident right now is that the site itself is not secure. It's much worse off."