Lose Your Plan, Lose Your Doctor, Lose Your Personal Data

Obamacare Site “Alarmingly” Insecure, Expert Says

Top cyber security consultant David Kennedy has provided testimony to Congress that outlines “critical flaws” and “alarming security threats” on the Healthcare.gov website.

Last Sunday, Kennedy told Fox’s Chris Wallace that he was easily able to penetrate the healthcare exchange. He said he determined that he could gain access to 70,000 personal records of Obamacare enrollees.

He’s a security expert, so surely he used some tricks of the trade to crack the website, right?

Nope. Kennedy said it only took him about 4 minutes and a standard browser to access the information, and that he didn’t even have to hack the website:

“And 70,000 was just one of the numbers that I was able to go up to and I stopped after that,” he said. “You know, I’m sure it’s hundreds of thousands, if not more, and it was done within about a 4 minute time frame. So, it’s just wide open.”

“You can literally just open up your browser, go to this, and extract all this information without actually having to hack the website itself,” he said.

Kennedy explained what he and other experts discovered about the lack of security on the exchange:

“What we learned was that they had rushed through what we call the software development life cycle where they actually build the application.”

“So when you do that, security doesn’t really get integrated into it. And what happened with the rocky launch in October is they slapped a bunch of servers in trying to fix the website just to keep it up and running so that people could actually go and use it. The problem is they still didn’t imbed any security into it.”

“It’s not just myself that’s saying this website is insecure, it’s also seven other independent security researchers that also looked at the research I’ve done and came to the exact same conclusion.”

Last Thursday, Kennedy told the House Science, Space and Technology Committee that nothing has changed since the November hearing on the site’s security issues:

HealthCare.gov is not secure today. I don’t understand how we’re still discussing whether the website is insecure or not. It is insecure – 100 percent.

Before the hearing, Kennedy told Reuters what is wrong with the site:

The government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on October 1. Hackers could steal personal information, modify data, attack the personal computers of website users and damage the infrastructure of the site.

Teresa Fryer, the CMS chief information security officer, claimed that the Obamacare website underwent end-to-end security testing on December 18 and that all industry standards were met:

“The (federal marketplace) is secure. In many instances, we have gone above and beyond what is required, with layered protection, continuous monitoring and additional penetration testing,” Fryer said.

Darrell Issa, chairman of the House Oversight and Government Reform Committee, made an excellent point: