The healthcare.gov website may leave users vulnerable to hackers, compromising their personal data, according to experts who testified Nov. 19 before the House Committee on Science, Space and Technology.
“Trust is not a control and hope is not a strategy,” said Morgan Wright, CEO of Crowd Sourced Investigations and one of the four witnesses, of the potential security risk of the website.
The witnesses testified that fundamental security best practices were not being used by the website and that the basic foundation of security for the website was not up to par.
If you build a house on a foundation that is bad, the whole thing is flawed — you can add a metal door, but the whole house is insecure, said David Kennedy, CEO of TrustedSec.
Kennedy’s firm inspected the website infrastructure and found personal information was easily extracted. Threat data from the website indicated hackers were trying to attack the site.
“It is very susceptible to attack,” Kennedy said.
The website’s complexity made it more vulnerable to hackers as well, according to witnesses. Healthcare.gov currently has 500 million lines of code, compared to about 50 million lines of code for the Windows operating system. The more code that goes into a website, the more vulnerable it is, Kennedy said.
Avi Rubin, director of the Information Security Institute at Johns Hopkins University, noted he was aware of some large, complex websites that have no security breaches, including Amazon.com and airplane reservation systems.
Another security problem noted was that in the first few weeks of healthcare.gov’s launch, more than 700 fake websites mimicking healthcare.gov’s design emerged online. The aim of the websites was to trick users into revealing personal information while they thought they were signing up for health insurance, according to Fred Chang, a cybersecurity expert at Southern Methodist University.
“It is unwise to underestimate our adversaries in cyberspace,” Chang said.
Democrats on the committee noted some changes have been made to the website to make it more secure. Rep. Joe Kennedy, D-Mass., noted healthcare.gov no longer asks for personal information, other than age and the number of people who will be covered in the policy, before users can shop for plans.
He also noted that in Massachusetts, 100 percent of children and 98 percent of adults had health insurance due to a plan similar to the Affordable Care Act.
Healthcare.gov was launched Oct. 1 and has since been struggling to enroll citizens. The Department of Health and Human Services on Oct. 22 hired former Office of Management and Budget official Jeffrey Zients to fix the site by the end of November.