Nearly six months after the Obamacare rollout, the agency in charge of its website, Healthcare.gov, says it is reasonably secure.
According to the federal Department of Health and Human Services (HHS), Americans should have no fear of entering sensitive personal information on it, said spokeswoman Alicia Hartinger. The site is "protected by stringent security standards (and) monitored by sensors and other tools to deter and prevent any unauthorized access," she said in an emailed statement.
No, it isn't, according to a number of security experts. David Kennedy, CEO of TrustedSec, spoke for many of his colleagues when he said the site is so lacking in basic security that it amounts to the online version of a car with its doors and windows open.
So whom should you believe?
Part of the problem with sorting out a credible answer is that HHS won't respond to specific questions about security measures on the site. Hartinger said that "the privacy and security of consumers' personal information are a top priority for us," and that to date, "there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site."
She added that the components of the site that are operational "have been determined to be compliant with the Federal Information Security Management Act (FISMA), based on standards promulgated by the National Institutes of Standards and Technology (NIST) and promulgated through the Office of Management and Budget (OMB)."
But, she declined to address questions regarding the unanimous opinion of security experts that compliance with FISMA is not equivalent to security. In the words of Danny Lieberman, CTO at Software Associates, "FISMA is the equivalent of counting the number of rivets on an F-15 and declaring it safe to fly because it has 100% of its rivets.
"If HHS is serious about security, they are invited to publish their threat model and analysis of the web site and hold it up to public scrutiny," he said, noting that this has not happened. "A site that cost $700 million and relies on politics and security by obscurity will never be secure," he said.
Hartinger also had no response to critics who have said the monitoring of the site is poor — that it has reported detecting only dozens of attacks, while it is almost certain that there have been thousands.
And within the security community, there is virtually unanimous agreement that the site remains catastrophically vulnerable. Martin Fisher, director of information security at Wellstar Health System, was perhaps the most gentle when he called it "more-or-less as secure as the vast majority of websites out there."