Kennedy himself briefly became mired in controversy after reporting that, using basic Google search tools, he could tell that 70,000 records (possibly many more) were vulnerable.
It was then reported several times that he had hacked the site, a claim he had to scramble to correct. In blog posts and interviews he said he had not hacked or downloaded any sensitive information, but had simply used "passive reconnaissance, which allows us to query and look at how the website operates and performs...It's a rudimentary type attack that doesn't actually attack the website itself — it extracts information from it without actually having to go into the system."
Daniel Berger, president and CEO of Redspin, said Kennedy had used crafted search queries through Google, called "dorks," to find sensitive information indexed by search engines.
"Although this is a very easy issue to fix, it is indicative of the potential for more serious vulnerabilities that reside deeper within the app," he said. "So yes, the analogy about leaving the windows down in a locked car rings true."
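Berger's point that indexed data is both easy to find with crafted queries and easy to stop exposing suggests the check a site owner would actually want: for a given resource, can it reach a search index at all, and does the fix applied actually keep strangers away from the content? The following is an added example in Python, not code from the article, from Kennedy, or from Redspin. It parses a robots.txt (longest matching rule wins, Allow wins ties), looks for noindex directives in the X-Robots-Tag header and in meta robots tags, and classifies a set of responses. The host example.test, the robots.txt and the HTTP responses are constructed for illustration and are not Healthcare.gov data.

```python
"""Assess whether a web resource can end up in a search index, where a 'dork'
query will find it.  Added example: not code from the article, Kennedy or
Redspin.  The URLs, robots.txt and HTTP responses below are constructed for
illustration and are not Healthcare.gov data."""
import re
from urllib.parse import urlparse


def parse_robots(robots_txt):
    """Return the Allow/Disallow rules of the 'User-agent: *' group as (allow, pattern) pairs."""
    groups, agents, rules, in_rules = [], set(), [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:                              # a User-agent after rules opens a new group
                groups.append((agents, rules))
                agents, rules, in_rules = set(), [], False
            agents.add(value.lower())
        elif key in ("allow", "disallow"):
            rules.append((key == "allow", value))
            in_rules = True
    if agents:
        groups.append((agents, rules))
    return next((r for a, r in groups if "*" in a), [])


def _to_regex(pattern):
    """robots.txt patterns: '*' matches anything, a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return regex + ("$" if anchored else "")


def robots_blocks(rules, path):
    """True if the most specific matching rule is a Disallow (longest pattern wins, Allow wins ties)."""
    best = None                                       # (pattern length, allow)
    for allow, pattern in rules:
        if pattern and re.match(_to_regex(pattern), path):
            cand = (len(pattern), allow)
            if best is None or cand > best:           # tuple order: longer first, then True (Allow) > False
                best = cand
    return best is not None and not best[1]


META_TAG = re.compile(r"<meta\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")


def noindex_directive(headers, body):
    """True if the response carries 'noindex' in an X-Robots-Tag header or a <meta name=robots> tag."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and "noindex" in value.lower():
            return True
    for tag in META_TAG.findall(body or ""):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("name", "").lower() == "robots" and "noindex" in attrs.get("content", "").lower():
            return True
    return False


def assess(url, status, headers, body, robots_txt):
    """Classify one response.  Only an access control keeps the content out of reach;
    noindex keeps it out of the index; a robots.txt Disallow alone does neither reliably."""
    path = urlparse(url).path or "/"
    if status != 200:                                 # e.g. 401/403: crawler and stranger both get nothing
        return "access-controlled"
    if robots_blocks(parse_robots(robots_txt), path):
        # The crawler never fetches the page, so a noindex on it is never seen; the URL can
        # still be listed in results, and anyone who has it can read the content directly.
        return "robots-disallow-only"
    if noindex_directive(headers, body):
        return "noindex-but-readable"
    return "indexable"


# Constructed sample site (not real data).
ROBOTS_TXT = """User-agent: *
Disallow: /internal/          # hides the path from polite crawlers, not from people
Allow: /internal/public/
Disallow: /*.xml$
"""

RESPONSES = {  # url: (status, headers, body)
    "https://example.test/internal/export.csv": (200, {"Content-Type": "text/csv"}, "id,ssn\n1,000-00-0000\n"),
    "https://example.test/internal/public/faq.html": (200, {}, "<html><body>FAQ</body></html>"),
    "https://example.test/debug/config.xml": (200, {}, "<config><db>...</db></config>"),
    "https://example.test/staging/report.html": (200, {"X-Robots-Tag": "noindex, nofollow"}, "<html>...</html>"),
    "https://example.test/admin/users.html": (200, {}, '<html><head><meta content="noindex" name="robots"></head></html>'),
    "https://example.test/api/records": (401, {"WWW-Authenticate": "Bearer"}, ""),
}


def audit(responses=RESPONSES, robots_txt=ROBOTS_TXT):
    """Return {url: verdict} for every response."""
    return {u: assess(u, s, h, b, robots_txt) for u, (s, h, b) in responses.items()}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict:22s} {url}")
```

The verdicts are the point. A Disallow in robots.txt only asks crawlers not to fetch a path; the file is public, so it advertises the path, and the content stays readable by anyone who requests it. A noindex directive keeps a page out of the index, but only if the crawler is allowed to fetch the page and see the directive, which is why a Disallow and a noindex on the same URL work against each other. Only the 401 case removes the data from both the index and the casual visitor, which is the kind of fix Berger describes as easy.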
Whether security has improved since the launch of Healthcare.gov is difficult to verify. U.S. Rep. Elijah Cummings, the top Democrat on the House committee that conducted the hearings in January, declared at the time that the site had undergone end-to-end testing and that the government had a strong mitigation plan in place to respond to attacks.
But, again, HHS's Hartinger did not respond to a request to confirm that. And Redspin's Berger noted the obvious: "Without details about the testing or seeing the mitigation plan, it is impossible to tell if this is adequate. It is easy to say that a plan is in place but when vulnerabilities keep arising people tend to lose faith in the statements made by officials," he said.
Kennedy said he does see some reason for encouragement. While he is not aware of any significant improvements to the site since its launch, he said he recently spoke with the CISO at HHS, "and from the discussions, I had a positive view of the direction of where they were focusing efforts on now in security. Based on the testimony, I think it opened some eyes and got a large focus that it hadn't previously," he said.
That attention to security, Berger said, should be foundational to the site. "Security needs to be built in to their development process, so future revisions are fully tested before release," he said. "Fixing things as they are discovered after the fact and published in the media does not build trust with your users."