Security professionals are again issuing a warning shot about the vulnerability of Healthcare.gov. Prior to testifying to Congress for the second time about the healthcare website’s security, David Kennedy — CEO of TrustedSec — wrote a blog post. In it, he provides his opinion, written testimony, and the opinions other professionals hold concerning the site’s security.
“In November of last year, I testified on the glaring security issues around Healthcare.gov, not as a hacker but someone who studies security exposures and works for some of the largest companies in the world to better their security,” Kennedy writes on the blog. “Today, nothing has changed and it’s business as usual on the healthcare.gov site.”
Kennedy acknowledges that he has never hacked Healthcare.gov. However, just as a car mechanic can spot the blatant, visible issues on a vehicle, Kennedy says his career allows him to do the same thing in regards to security exposures.
The written testimony includes several recommendations for improving the infrastructure of Healthcare.gov, particularly its monitoring and detection capabilities. There is also a dismissal of a memo sent by Representatives Henry Waxman (D-Calif.) and Diana DeGette (D-Colo.) to the Committee on Energy and Commerce.
The memo stated that there had been no serious security breaches. “No person or group has hacked into Healthcare.gov, and no person or group has maliciously accessed any personally identifiable information from users,” the Waxman memo stated. Kennedy questions how this could be asserted when, just a month before the memo was sent, the security testing center had not yet been built.
“Monitoring and detection is not just the creation of automatic rules for firewalls or other technologies, it’s understanding how attacks look and being able to respond to them with a formal incident response capability,” Kennedy’s testimony to the House Science, Space, and Technology Committee states.
In addition to his own opinion, Kennedy invited other industry experts to review the evidence and weigh in with their own opinions. Kevin Johnson, the CEO of Secure Ideas, said that he reviewed the findings, which “exhibit not only a basic lack of security testing, but also reflect signs that standard IT change management and validation practices are not being followed.” Johnson went on to add that what he saw is characteristic of “findings we see when an application has been written by developers who have not been introduced to basic security training, nor understand the importance of security within an application.”
Representative Eddie Johnson (D-Tex.) does not think the testimonies of the security experts paint an accurate portrait. “As smart and experienced as these witnesses are, not one of them has actual knowledge of the security structure of Healthcare.gov,” the Congress member told Reuters. “They can only speculate.”