Healthcare.gov more vulnerable to hacking & privacy breaches after 'fix'

For the love of Jiminy Cricket, how much cybersecurity incompetence are American citizens expected to accept and excuse while also footing the $660 million bill? Online security experts say the “new and improved” Healthcare.gov site may actually be more insecure now than before it was fixed!

Incompetent cybersecurity on healthcare.gov

An operational progress report quoted Jeffrey Zients, a management consultant on repairs to the Obamacare site, as stating, “The bottom line -- HealthCare.gov on December 1st is night and day from where it was on October 1st.” Well if this is “day,” then it’s an Arctic Alaskan daytime with no sunlight as “experts” blindly attempt to bolt on security to a system that was developed without a care about the security or privacy of Americans.

David Kennedy, founder and principal security consultant of TrustedSec, warned that Healthcare.gov was not secure. In fact, Kennedy previously told CNBC that it’s hard to bolt on security after a site is developed and that “no security was ever built into the Obamacare site.”

So how many of the security risks were eliminated now that the administration “fixed” the site? None, according to what Kennedy told the Washington Free Beacon. “It doesn’t appear that any security fixes were done at all.” He added:

“There are a number of security concerns already with the website, and that’s without even actually hacking the site, that’s just a purely passive analysis of [it]. We found a number of critical exposures that were around sensitive information, the ability to hack into the site, things like that. We reported those issues and none of those appear to have been addressed at all.”

“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.”

Well that’s just peachy keen and that’s before considering the “hacker” threat. But, hey, it’s not like the feds are required to notify citizens if there is a breach; after all, it’s so much easier to leave that headache to each state. Just ask Vermont, since Vermont Health Connect had to admit to a security breach that allowed “improper access to another user’s Social Security number and other data.”

Kennedy also said that:

the team working on Healthcare.gov is more likely to hide its security flaws than address them. When it was revealed that the most popular searches on the website were hack attempts—confirmed by entering a semicolon in the search bar—the website simply removed the tool.

“The top results were hacker attempts,” Kennedy said. “Their fix for it wasn’t, ‘Hey let’s restrict people from inputting malicious code into the website,’—because that’s how hackers break into websites—it was, ‘we’re just going to completely disable that entire function completely, and not even show the search results back.’”

“We’ve deployed 12 large, dedicated servers,” states the operational progress report. Oh goodie gumdrops, it “can now handle about as many shoppers as the average custom T-shirt site,” pointed out Human Events. The site has “a remodeled 404 Error page that pretends to be a ‘waiting room,’ where you can ‘queue up’ and leave an email address to be notified” when it’s your turn to fill out all your private info.

Julie Bataille, Director of Communications, Centers for Medicare & Medicaid Services, summed up the newly “fixed” site’s progress report [pdf] as having an upgraded and reconfigured firewall that protects the system while allowing “more than five times the network throughput.” The “improved shopping” experience on Healthcare.gov supposedly can handle 50,000 people logged on to the website at once, and “more than 800,000 visitors a day;” but even with a lower number of “shoppers,” the Associated Press reported that many visitors faced “the same old sputters and even crashes.”

Cybersecurity incompetence

U.S. Rep. Mike Rogers said on NBC’s Meet the Press that “the security of this site and its ability to safeguard health and income information 'does not meet even the minimal standards of the private sector'.” Americans “should not tolerate the sheer level of incompetence securing this site. And remember how much personal information is not only there, but all of the (federal government data) sites that the (healthcare.gov) hub accesses would expose Americans’ personal information in a way that is breathtakingly bad.”

While Rogers believed the Obama administration was more concerned about timeline fixes than the security of Americans’ private information, a person need look no further than NSA surveillance to confirm the fact that citizens’ privacy is trivial to President Obama. He said he welcomes a national debate over the surveillance policies, adding "that's a debate we wouldn't have had five years ago." But as Jay Leno said, "It's a debate we wouldn't have had two weeks ago if they all hadn't gotten caught."

Regarding the new and improved Healthcare.gov, Kennedy warned, “I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress. I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term.”

Fixed healthcare.gov has more security risks

If you go ahead and use the website, then you may get close to the end when an error pops up that states, "Verification system temporarily unavailable." Or you may think you actually completed the task. But AHIP spokesman Robert Zirkelbach told FoxNews that "in some cases, plans are not getting the enrollment files at all" and that "getting that fixed" is "critical."
