Testimony on Capitol Hill further exposed security flaws within the Obamacare health insurance exchange on Thursday, concluding that the website is more vulnerable now than ever.
The House Committee on Science, Space, and Technology held a follow-up to its hearing in November, in which "white-hat hacker" David Kennedy testified to the health insurance marketplace’s security vulnerabilities and warned Americans to stay away from Healthcare.gov.
"Nothing has really changed since the Nov. 19 testimony," Kennedy, the CEO of the online security firm TrustedSec, told the House committee on Thursday. "In fact, it’s even worse."
Kennedy testified that "critical" and "high-risk" threats to personal information remain, including access to lists of users information (name, email, login ID) in bulk, profile disclosures, and "cookie theft."
"Additional security researchers have come into play providing additional research, additional findings that we can definitely tell that the website is not getting any better," he said. "In fact, since the Nov. 19, 2013, testimony there’s only been one half of a vulnerability that we discovered that has been addressed, or even close to being mitigated. What I say about one half is that basically they did a little bit of work on it, and it’s still vulnerable today."
According to documents obtained by the House Committee on Government Oversight and Reform, the administration knew of the security risks within Healthcare.gov before Oct. 1 but decided to launch the website anyway. Nineteen vulnerabilities remained unaddressed when the site went live.
"When the Obama administration launched Healthcare.gov, Americans were led to believe that the website was safe and secure," Chairman Lamar Smith (R., Texas) said. "As we have learned, this was not the case."
"Given the potential risks and dangers associated with Healthcare.gov today the president should not let the American people be the next target of cyber criminals," he said.
"Hacking today is a big business," said Michael Gregg, CEO of Superior Solutions, Inc. "It’s no longer the lone hacker in his basement. Today it’s organized crime. It’s very large groups, potentially out of places like Russia and Eastern Europe."
"We can fix these problems, but for these problems to be fixed means that we need an external assessment of the site by independent third parties," he said.
The Department of Health and Human Services (HHS) has said there have been no successful hack attempts on Healthcare.gov. However, according to Kennedy, the government has no idea whether that is the case.
Smith asked Kennedy to clarify why "the government doesn’t even know whether it’s been hacked or not."
"If you look at the Healthcare.gov infrastructure, it was built independently of HHS, even the security operations centerpiece," Kennedy said. "The security operations center as of Nov. 17 had not been built or implemented, which means that they didn’t have the security monitoring or detection capabilities to detect the attacks that are being mentioned here today."
"So to reemphasize, they don’t know," he said.
"That’s why they can say there haven’t been any," Smith said. "They’re not in a position to know one way or the other."
"That’s correct," Kennedy said.
Gregg testified that in addition to personal information such as Social Security numbers, birthdays, and incomes, Healthcare.gov places Americans’ medical information at risk.
When asked by Rep. Randy Neugebauer (R., Texas) if a security breach on the exchange could result in medical files being accessed, Gregg said, "yes."
"The real damage would come afterwards," he said. "How that information could be used, it could be used potentially to gain financial data, it could be used for identity theft. It could be misused many different ways."
Closing the hearing, Rep. Chris Collins (R., N.Y.) asked Kennedy if the site is secure today.
"Absolutely not," he said.