Kennedy is not alone in sounding the cybersecurity alarm about healthcare.gov. At the House Science and Technology Committee hearing held last week, Kennedy and a pack of elite white hat hackers (Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White) blasted the website’s insecurity. According to their signed statements:
Healthcare.gov retrieves information from numerous third-party databases belonging to the IRS, Social Security Administration, Department of Homeland Security, and other State agencies. It would be a hacker's wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases. A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise or access to consumer proprietary information.
Reviewing the security issues discovered in the healthcare.gov site, I can tell you: this is a breach waiting to happen. Or, given the numerous vulnerabilities, perhaps a breach already has happened. These are exactly the kind of security flaws bad guys exploit in large-scale breaches.
Conversely, Teresa Fryer, chief information security officer for the Centers for Medicaid and Medicare Services, testified before the House Oversight Committee that cybersecurity testing of Healthcare.gov had been successfully completed on Dec. 18. According to the Associated Press, Fryer claimed, “There have been no successful attacks on the site.” Fryer told CBS that security testing is conducted on a regular basis; and although a person can “never guarantee any system is hack-proof,” she noted that “the protections we have put in place have successfully prevented attacks.”
While claiming anything is unhackable is like daring attackers to prove it is entirely hackable, if the government is so confident that healthcare.gov has enough security to defeat hackers, then why not officially ask Kennedy, Mitnick, Skoudis and the other cybersecurity experts to hack it? If I were placing a bet on the outcome, my money would be on the white hat penetration testers. If black hat attackers decide to secretly breach it and make off with everyone’s online identity, then we’re all toast because the feds are not legally required to notify citizens if and when healthcare.gov is hacked.