Technology experts are disputing the Obama administration's assurances that the government is safeguarding the personal information Americans provide when signing up for the federal health insurance exchanges online.
Health and Human Services Secretary Kathleen Sebelius and other White House officials have said consumers can trust that their information is protected when applying for insurance on healthcare.gov.
Experts, though, say that serious security vulnerabilities are among the many problems continuing to plague the website, which did not undergo proper testing before its Oct. 1 launch.
“I'm not seeing any evidence of new security testing being done on the website,” David Kennedy, the CEO of online security company Trusted Sec, told the Washington Examiner. “There are basic indicators that people testing website security see as evidence of high security standards, and I'm not seeing even the most basic principles [of security] having been performed on the website.”
Nish Bhalla, CEO of information security firm Security Compass, said that security lapses cannot be avoided in the rollout of any complicated online product. Still, he argued, the number of real-life examples of security problems with healthcare.gov is worrisome.
“It's very difficult for a website to be 100 percent invulnerable to attack, but the security problems shouldn't be this drastic,” Bhalla said. “Think of a building inspection process ... as you cut corners inside the building it not only makes the entire structure less stable, it makes it more susceptible to security problems as well.”
While most of the focus has been on healthcare.gov's tech glitches and low enrollment numbers, evidence has surfaced of system flaws that are already exposing personal information of applicants.
South Carolina attorney Thomas Dougall and his wife signed up on the website in October, but over the weekend received a disturbing notice about a man in North Carolina who tried to register and was surprised to get the Dougalls' eligibility letters, including their names and home address.
An HHS spokeswoman confirmed the incident and said the administration took “immediate steps” to fix a batch of software code that caused the security breach.
Last week, a cybersecurity expert found a way to trick the system into providing access to users' applications and accounts. Ben Simo, a software tester in Arizona, told CNN that he could gain access to people's accounts with relative ease.
By guessing an existing username, he found that the website confirmed if such a profile existed. When claiming he forgot his password, the site agreed to reset it, and Simo could then view the site's unencrypted source code in any browser to find the password reset code.
If he plugged in the username and reset code, the website would display a person's three security questions. If he answered the security questions wrong, the website produced the account owner's email address.
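The reset flow described above leaks at each step: the site confirms whether a username exists, exposes the reset code in page source served to the browser, shows security questions to anyone holding a username and that code, and discloses the email address on a wrong answer. The following is an added illustration, not code from the article, from healthcare.gov or from any of the people quoted, of how a defensively designed reset flow closes each of those gaps. The in-memory account store, the user "alice", her questions and answers, and the function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _answer_hash(answer: str) -> str:
    # Normalize answers before hashing so "Rex" and "rex " match; tokens are
    # never normalized, only answers.
    return _sha256(answer.strip().lower())


# Constructed sample account store (not real data). Security-question answers
# are stored hashed, like passwords, so a database read does not expose them.
USERS = {
    "alice": {
        "email": "alice@example.test",
        "questions": ["First pet?", "Birth city?", "Favorite teacher?"],
        "answer_hashes": [_answer_hash("rex"), _answer_hash("springfield"),
                          _answer_hash("ms. jones")],
    }
}

RESET_TOKENS = {}  # username -> {"token_hash", "expires", "attempts"}
TOKEN_TTL_SECONDS = 15 * 60
MAX_ANSWER_ATTEMPTS = 3

# One message for every outcome of step 1, so the response does not reveal
# whether the username exists.
RESET_REQUESTED_MSG = ("If that account exists, a reset link has been sent "
                       "to the email address on file.")
# One message for every failure in steps 2 and 3; it never includes the email.
RESET_FAILED_MSG = "Reset could not be completed."


def request_reset(username, now=None):
    """Step 1. Always returns the same message. The token is generated
    server-side and handed to the mail sender; it is never written into the
    HTML or JavaScript served to the browser.

    The token is returned as the second element only so a caller can stand in
    for the email channel; a production handler would return the message alone."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # generated on every request, real or not,
    if username not in USERS:           # so both paths do similar work
        return RESET_REQUESTED_MSG, None
    RESET_TOKENS[username] = {
        "token_hash": _sha256(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return RESET_REQUESTED_MSG, token


def _valid_token(username, token, now):
    rec = RESET_TOKENS.get(username)
    if rec is None or now > rec["expires"]:
        return None
    if not hmac.compare_digest(rec["token_hash"], _sha256(token)):
        return None
    return rec


def get_security_questions(username, token, now=None):
    """Step 2. Questions are shown only after the out-of-band token checks out,
    so a guessed username on its own yields nothing."""
    now = time.time() if now is None else now
    if _valid_token(username, token, now) is None:
        return None
    return list(USERS[username]["questions"])


def answer_security_questions(username, token, answers, now=None):
    """Step 3. Wrong answers produce the same generic failure as a bad token,
    attempts are capped, and the token is single-use."""
    now = time.time() if now is None else now
    rec = _valid_token(username, token, now)
    if rec is None:
        return False, RESET_FAILED_MSG
    rec["attempts"] += 1
    expected = USERS[username]["answer_hashes"]
    # Constant-time compare of every answer without short-circuiting, so the
    # count of correct answers is not exposed through timing.
    ok = len(answers) == len(expected)
    for given, want in zip(answers, expected):
        ok &= hmac.compare_digest(_answer_hash(given), want)
    if not ok:
        if rec["attempts"] >= MAX_ANSWER_ATTEMPTS:
            del RESET_TOKENS[username]   # lock the token after repeated failures
        return False, RESET_FAILED_MSG
    del RESET_TOKENS[username]           # consume the token on success
    return True, "Verified; you may now choose a new password."
```

The design choices map one-to-one onto the failures in the article: a uniform step-1 message instead of confirming the username, a server-held hashed token delivered by email instead of one readable in page source, questions gated behind that token, and a single generic failure string so that wrong answers disclose nothing about the account.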
HHS spokeswoman Joanne Peters said consumers can trust the information they're providing is protected “by stringent security standards and that the technology underlying the application process has been tested and secure.”
“Security testing happens on an ongoing basis using industry best practices,” she said.
An HHS official said security testing is being conducted on an “ongoing basis as we add new functionality.”
Sebelius last week testified that Mitre Corp., a private security company, is performing that testing and is in the process of posting their final report.
“That did not raise flags about going ahead,” Sebelius said, “and the mitigation strategy was put in place to make sure that we had a temporary authority to operate in place while the mitigation was going on, and then a permanent authority to operate will be signed.”
Kennedy told the Washington Examiner that it's impossible to know what type of testing Mitre is doing because it's not readily apparent how thorough it is. A week after launching, he said, the website reset everyone's passwords, a worrisome sign of deeper security vulnerabilities.
“That doesn't typically happen,” he said. “But it's impossible to know just how extensive the security risk was or whether it was an actual breach because the government is not under any mandate to disclose that information.”
Sebelius will be on the hot seat again Wednesday when she appears before the Senate Finance Committee, and top Republicans, including Sen. Orrin Hatch, R-Utah, plan to zero in on the ongoing security risks for the Obamacare enrollment website.
House Intelligence Committee Chairman Mike Rogers, R-Mich., has called for the Obama administration to temporarily shut down the website because of cybersecurity concerns.
“They're trying to change a tire on a car going 75 miles an hour down the expressway,” Rogers said Sunday on CBS' “Face the Nation.” “That's not the way cybersecurity works.”
At last Wednesday's hearing with Sebelius, he said HHS had conducted “a completely unacceptable level of security” and the poor security measures “have exposed millions of Americans.”
Rogers cited an internal Centers for Medicare & Medicaid Services memo from Sept. 27 which said that “from a security perspective,” aspects of the system were not tested, exposing “a level of uncertainty that can be deemed as high risk.” The memo was written by IT officials James Kerr and Henry Chao, and was signed by CMS Administrator Marilyn Tavenner.
Before that memo leaked, Hatch, the ranking member on the finance committee, and ten other Republicans wrote to Sebelius asking her to provide answers to a series of detailed questions about what safeguards were undertaken prior to the website going live to protect the privacy of Americans signing up for coverage.
HHS has yet to respond to the letter, Hatch's office said Tuesday.