Researcher sounds alarm on state health exchange security

Cursory review of three sites shows them to be buggy and easily exploitable

Several state healthcare exchanges established as part of the Affordable Care Act (ACA) appear buggy and easy to attack, a security researcher warned this week.

Kyle Adams, chief software architect for Juniper Networks' Junos WebApp Secure intrusion detection technology, said a cursory examination of some state health insurance sites revealed coding issues that make the sites vulnerable to attackers.

Adams says he didn't have to conduct penetration tests or even log in to the sites to discover the problems. Instead, he identified potential security issues merely by reviewing the HTML and the HTTP traffic between his computer and the websites using a web debugging proxy tool.

"[The sites] produced errors suggesting that the developers did not properly handle specific conditions," Adams said. "They are built in such a way as to almost attract attackers."

Most of the security concerns to date surrounding the ACA health exchanges center on the federally run Healthcare.gov website, which has suffered from a series of performance issues ever since it went live Oct. 1. Less attention has been paid so far to the 15 state-run healthcare exchanges in states like Massachusetts, Connecticut, Maryland, Vermont, New York and Washington.

With a few exceptions, the state-run exchanges have fared better than Healthcare.gov, at least in allowing people to enroll in healthcare plans. Problems reported on these sites have mostly been related to backend issues.

However, a review of three state-run exchanges found security problems as well, Adams said. "I did some light investigation on some of the health care websites, including Kentucky, Vermont, Maryland and the federal HealthCare.gov sites and quickly identified areas that would be attractive to attackers."

Using the debugging proxy, Adams looked at how each site interacted with his browser in response to simple requests like loading a new page.

He quickly discovered that the sites were serving up a lot more information than needed to fulfill the requests. A few of the interactions going on in the background were coming back with errors and unnecessary information, Adams added.

The sites appeared to be needlessly interacting with the underlying servers and pulling up information, such as data related to the login process, even though no attempt was made to log in to any site. "There were a lot of requests issued in the background. It was really weird. Things like user records were coming back with no records," Adams said.

"In all cases, except Maryland, a fair amount of backend implementation information was disclosed to the client," Adams noted. "This is generally not advisable, because it allows attackers to target their attacks more efficiently. It also allows attackers to identify the architecture and find holes in the business logic and code interactions."

Each of the sites has a completely different architecture, implementation language and technology stack, he said. Kentucky's site was developed on ASP.NET and Vermont's in Java, while Healthcare.gov is developed in Java on top of the Apache Tomcat web server with a WSO2 web services layer.
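The passive review Adams describes above, looking at headers and error bodies in captured HTTP traffic to tell an ASP.NET site from a Java/Tomcat one and to spot unhandled errors, can be scripted. The following Python is an added example written for this page; it is not code from the article, from Juniper or from any exchange site. The URLs and responses are constructed samples, and the header-to-stack mapping and error-body patterns are assumptions of this example, not findings reported by Adams.

```python
import re
from dataclasses import dataclass

# Response headers that fingerprint the server-side stack. Header names are
# standard; the meaning attached to each is an assumption of this example.
FINGERPRINT_HEADERS = {
    "server": "web server / version",
    "x-powered-by": "application framework",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
}

# Body patterns that indicate an unhandled error leaking implementation detail.
STACK_TRACE_PATTERNS = [
    (re.compile(r"\bat [\w.$]+\([\w]+\.java:\d+\)"), "Java stack frame"),
    (re.compile(r"\bat [\w.]+\(.*?\)\s+in\s+[A-Za-z]:\\"), "ASP.NET stack frame with file path"),
    (re.compile(r"Apache Tomcat/\d+\.\d+"), "Tomcat version banner"),
    (re.compile(r"\b(?:javax|java|org\.apache)\.[\w.]*Exception\b"), "Java exception class"),
    (re.compile(r"System\.\w+Exception"), ".NET exception class"),
    (re.compile(r"\bSELECT\b.+\bFROM\b", re.I), "SQL text in response"),
]


@dataclass
class Finding:
    url: str
    kind: str
    detail: str


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers, body.decode("utf-8", "replace")


def review_response(url: str, raw: bytes):
    """Flag fingerprinting headers, 5xx statuses and verbose error bodies."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, meaning in FINGERPRINT_HEADERS.items():
        if name in headers:
            findings.append(Finding(url, "fingerprint header", f"{name}: {headers[name]} ({meaning})"))
    if status >= 500:
        findings.append(Finding(url, "server error", f"HTTP {status} on background request"))
    for pattern, label in STACK_TRACE_PATTERNS:
        m = pattern.search(body)
        if m:
            findings.append(Finding(url, "verbose error body", f"{label}: {m.group(0)[:80]}"))
    return findings


def infer_stack(findings):
    """Rough stack attribution from the findings (assumed heuristics)."""
    text = " ".join(f.detail for f in findings)
    if "ASP.NET" in text or "x-aspnet-version" in text:
        return "ASP.NET"
    if "Tomcat" in text or "Apache-Coyote" in text or "java." in text:
        return "Java/Tomcat"
    return "unknown"


# Constructed sample captures (hypothetical host, not any real exchange site).
SAMPLE_RESPONSES = {
    "https://exchange.example/api/user/records": (
        b"HTTP/1.1 500 Internal Server Error\r\n"
        b"Server: Apache-Coyote/1.1\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<h1>HTTP Status 500</h1><b>exception</b> java.lang.NullPointerException\n"
        b"\tat com.example.exchange.UserDao.find(UserDao.java:88)\n"
        b"<h3>Apache Tomcat/7.0.42</h3>"
    ),
    "https://exchange.example/Default.aspx": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Microsoft-IIS/7.5\r\n"
        b"X-Powered-By: ASP.NET\r\n"
        b"X-AspNet-Version: 4.0.30319\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html><body>Welcome</body></html>"
    ),
    "https://exchange.example/static/app.js": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/javascript\r\n\r\n"
        b"console.log('ok');"
    ),
}


def review_all(samples=SAMPLE_RESPONSES):
    """Run the review over every captured response, keyed by URL."""
    return {url: review_response(url, raw) for url, raw in samples.items()}


if __name__ == "__main__":
    for url, findings in review_all().items():
        print(f"{url}  stack={infer_stack(findings)}")
        for f in findings:
            print(f"  [{f.kind}] {f.detail}")
```

In practice the raw responses would come from the proxy's saved session rather than an inline dict; the point of the script is that nothing here requires logging in or sending a crafted request, only reading what the site already sends to every browser.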

The diverse architectures give attackers a "wide array of choices," Adams maintained. "Having different architectures for each site [increases] the overall healthcare attack surface for attackers that now have multiple opportunities and choices when deciding how to attack."

State-run sites, like Healthcare.gov, don't store health records or personally identifiable information. They merely serve to route information between consumers, health insurers and federal eligibility verification databases.

Even so, there is concern that attacks against the exchanges could expose users to identity theft and other fraud.

A spokeswoman for the Kentucky Cabinet for Health and Family Services said Thursday that the state conducted all required security audits of the Kynect site and that the site passed them before going live.

"Safeguarding the personal information of our citizens is of critical importance to the Commonwealth of Kentucky," the spokeswoman said in an email to Computerworld.

"Over the course of this project, the Commonwealth conducted a series of security tests and engaged an independent third party to perform a security assessment," she said. "The Commonwealth also met the federal requirements to receive the authority to connect to the federal hub, which included federal reviews and approval of the Exchange security plan, controls and security testing results."

Kentucky has one of the highest enrollment figures in the country via an online health exchange so far.

An official at Vermont's Health Connect exchange did not respond to a Computerworld request for comment.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.