Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes

Darlene Storm | Jan. 24, 2014
When it comes to the atrocious state of HealthCare.gov security, white hat hacker David Kennedy, CEO of TrustedSec, may feel like he’s beating his head against a stone wall. Kennedy said, "I don't understand how we're still discussing whether the website is insecure or not. It is; there's no question about that." He added, "It is insecure - 100 percent."

Kennedy is not alone is sounding the cybersecurity warning alarm about healthcare.gov. At the House Science and Technology Committee hearing held last week, Kennedy and a pack of elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website’s insecurity. According to their signed statements [pdf]:

Kevin Mitnick, the 'world's most famous hacker' testified:

Healthcare.gov retrieves information from numerous third-party databases belonging to the IRS, Social Security Administration, Department of Homeland Security, and other State agencies. It would be a hacker's wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases. A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise or access to consumer proprietary information.

SANS Faculty Fellow Ed Skoudis affirmed:

Reviewing the security issues discovered in the healthcare.gov site, I can tell you: this is a breach waiting to happen. Or, given the numerous vulnerabilities, perhaps a breach already has happened. These are exactly the kind of security flaws bad guys exploit in large-scale breaches. 

Conversely, Teresa Fryer, chief information security officer for the Centers for Medicaid and Medicare Services, testified before the House Oversight Committee that cybersecurity testing of Healthcare.gov had been successfully completed on Dec. 18. According to the Associated Press, Fryer claimed, “There have been no successful attacks on the site.” Fryer told CBS that security testing is conducted on a regular basis; and although a person can “never guarantee any system is hack-proof,” she noted that “the protections we have put in place have successfully prevented attacks.”

While claiming anything is unhackable is like daring attackers to prove it is entirely hackable, if the government is so confident that healthcare.gov has enough security to defeat hackers, then why not officially ask Kennedy, Mitnick, Skoudis and the other cybersecurity experts to hack it? If I were placing a bet on the outcome, my money would be on the white hat penetration testers. If black hat attackers decide to secretly breach it and make off with everyone’s online identity, then we’re all toast because the feds are not legally required to notify citizens if and when healthcare.gov is hacked.

Source: Computerworld

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.