Cybersecurity experts sent mixed messages about the vulnerability of healthcare.gov in a House Committee on Science, Space and Technology hearing Jan. 16.
In the committee's second hearing on the issue, the witnesses disagreed on whether the health care marketplace kept users’ personally identifying information safe.
In a previous hearing Nov. 19, a panel unanimously agreed healthcare.gov’s security was flawed and could leave it susceptible to cyber-attacks. However, the message was not as consistent at the Jan. 16 hearing.
“Nobody here at this table can tell you that there are vulnerabilities [in healthcare.gov] without actually knowing the back-end of the site,” Waylon Krush, CEO of Lunarline, said at the hearing.
Krush testified that healthcare.gov had followed federal security protocol and was as safe as any other federal website that collected personal information. He added that the site was secure and that regular scans for attacks were conducted on it.
Krush also said federal websites have a higher standard of security than private industry sites.
Two other experts disagreed with Krush’s assessment. David Kennedy, CEO of TrustedSec, who also testified at the last hearing, said the website was fundamentally flawed.
Kennedy’s company used a tactic called passive reconnaissance to identify possible weaknesses in the website.
“What we see are symptoms of a larger [security] issue,” his testimony said.
Krush countered that unless vulnerabilities were actually exploited, which cannot legally be done, the conversation is only speculation.
Healthcare.gov has not been the victim of a major attack since its launch Oct. 1.
Krush also admitted his company had a $1.5 million contract with the Department of Health and Human Services and the Centers for Medicare and Medicaid Services. Kennedy did not provide his financial records for the committee, but said in the hearing his company does not work in the public sector.
During the hearing, Democrats accused Republicans of politicizing the healthcare.gov issue.
“I’m concerned that the intention of these hearings is to scare Americans away from the healthcare.gov website,” said Rep. Eddie Bernice Johnson, D-Texas.
Republicans said they held the hearings out of concern for public safety.
The House passed a bill Jan. 10 that would require HHS to notify citizens if healthcare.gov experienced a breach.