Healthcare.gov Still Insecure, Critics Tell House Panel

In a sequel to a previous inquiry about the risks associated with the federal government's health insurance exchange website, the US House Science, Space, and Technology Committee held a hearing Tuesday entitled Healthcare.gov: Consequences of Stolen Identity.

While the testimony presented was a little less unanimous against the integrity of the website this time, Democratic members protested the premise of the hearing as biased and giving too much weight to speculation about potential vulnerabilities rather than evidence of real problems.

Testifying before a US House committee, David Kennedy, CEO of TrustedSEC, LLC, said that "nothing has changed" to alter the opinion he offered at the same committee's November hearing that the HealthCare.gov website is insecure and should have been shut down until basic flaws were corrected.

"I don't understand how we're still discussing whether the website is insecure or not. It is. It's not a question of whether it's insecure -- it's how to fix it," Kennedy said. He also provided the committee with a collection of letters from security experts -- Ed Skoudis, Kevin Mitnick, Kevin Johnson, Lares Consulting (Chris Gates, Eric Smith, Chris Nickerson), and John Strand -- echoing his condemnation.

For example, Kevin Mitnick, the former criminal hacker and founder and CEO of Mitnick Security Consulting, wrote:

[Is it safe to shop? Read Target Breach: 8 Facts On Memory-Scraping Malware.]

Kennedy also cited the connections of HealthCare.gov to other federal systems as a reason to worry -- although at some level that's not only a criticism of HealthCare.gov. "Security in the federal government as a whole is in a really bad state," he said.

Chairperson Lamar Smith (R-Texas) teed up the issue by claiming that "clear indicators that even basic security was not built into the HealthCare.gov website" and by citing a recent Experian report that healthcare-related data breaches are likely to surge in 2014 and should be a major area of concern.

The ranking minority member, Eddie Bernice Johnson of Texas, protested that "none of the majority witnesses' concerns have turned into actual security breaches." She also questioned the quality of their analysis, saying, "Not one of them has actual knowledge of security structure at HealthCare.gov. The best they can do is speculate." She charged that the hearing was part of a cynical campaign to make Obama administration's healthcare reform initiative fail by making people afraid to use the website.

Johnson got some support from one of the testifying cybersecurity experts, Waylon Krush, co-founder and CEO of Lunarline, Inc. In the absence of an active vulnerability assessment, including penetration testing -- which would be illegal to conduct without the permission of the US government -- security researchers can hypothesize that the site could be vulnerable to attacks. But, he pointed out, "we can only speculate on whether those attacks will work." Further, the suggestion that a hacker who gained access to HealthCare.gov would be able to hopscotch into the connected systems such as those of the IRS, he said, "shows a lack of knowledge" of the extensive security measures all those sites have in place.

Citing his firm's contracts with the US Department of Health and Human Services and the Centers for Medicare and Medicaid division that oversees the operation of the website, Krush said. "Of anyone here, I probably have the most backend knowledge [of how these systems actually work]." (Later in the hearing, Chairperson Smith suggested those contracts might bias Krush to speak favorably about those agencies.) Krush also disputed the idea that HealthCare.gov represents a particularly big target for hackers, who tend to "go where the money is," businesses like Target and Neiman Marcus.

The federal government has also established some of the world's strongest standards for information security, he asserted.

Maybe so, but the health insurance exchange is a very large system. It was built so quickly, said Michael Gregg, CEO of Superior Solutions, that "it's very hard to believe" all those federal information security requirements were met. While it's good that the site's operators are running weekly assessments, he pointed out, that doesn't mean they're catching all possible problems.

The committee also heard from Lawrence Ponemon, chairperson and founder of Ponemon Institute, which conducts information security research. Ponemon testified mostly about the financial and emotional harm caused by identity theft, particularly medical identity theft, and the lack of confidence engendered by the way the HealthCare.gov site stumbled at launch. "Regaining the public's trust will be essential to the success of this initiative," he said.

One of the major assertions of the critics was that HealthCare.gov should be subject to an independent third-party assessment. This idea also became an item of partisan dispute, with Democratic members raising the point that the site was in fact being scrutinized by The MITRE Corp., Blue Canopy, and Frontier Security.

When Rep. Suzanne Bonamici (D-Oregon) asked if those firms were qualified to audit the security of the website, all four witnesses said yes (although Ponemon said he was specifically familiar with only MITRE's qualifications). Bonamici said the fact that the government is already following that recommendation undercut the whole premise of the proceeding. "[The] title of the hearing suggests the consequence of signing up at HealthCare.gov is going to be identity theft," she said.

Rep. Chris Collins (R-New York) said the minority protests were a matter of trying "to defend the indefensible," meaning the Obama administration's rush to get the site online by October 1 to keep a political promise. "That was the overriding concern, certainly not security," he said.

In the end, when the witnesses were asked for a yes or no answer on whether the site was secure, Kennedy and Gregg said no. "It's hard to say," Ponemon said, "but as a citizen of this country, I'm concerned. I'm not happy with what I'm hearing today."

"Speculating on whether it's secure or not, I'm not willing to say," Krush said, sticking to his assertion that the question couldn't be answered by anyone who hadn't actively tested the site's defenses. When pressed, he pointed back to the regime of weekly security scans that's been implemented. "That's pretty secure," he said.

David F. Carr is the editor of InformationWeek Healthcare and a contributor on social business, as well as the author of Social Collaboration For Dummies. Follow him on Twitter @davidfcarr or Google+.

Though the online exchange of medical records is central to the government's Meaningful Use program, the effort to make such transactions routine has just begun. Also in the Barriers to Health Information Exchange issue of InformationWeek Healthcare: Why cloud startups favor Direct Protocol as a simpler alternative to centralized HIEs. (Free registration required.)