December 6, 2013 - In late November, four well-regarded cyber-security experts testified before Congress on the data security problems associated with the Healthcare.gov website. Three of the four recommended that the site be taken down and remain off-line until the problems can be fixed. And all four of them stated that the public should not be using the site. One of those people was TrustedSec CEO David Kennedy. Since his testimony, the government has made more than 400 updates to the website. According to Kennedy, those updates have actually made the security problems associated with the site worse. That's bad news when you consider the information Americans are providing the site includes absolutely everything required for someone to commit both financial and medical identity theft.
In separate interviews with MSNBC (video below) and the Washington Free Beacon, Kennedy paints an abysmal picture. After analyzing the website last month, Kennedy's firm provided a list of security concerns - some of them critical in nature - to the Department of Health and Human Services (HHS). After the 400 or so fixes made to the site by HHS, the site was reanalyzed. Kennedy said, "...none of those [security concerns] appear to have been addressed at all."
In his WFB interview Kennedy said, "They said they implemented over 400 bug fixes. When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code."
"I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress," Kennedy said. "I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term." He went on to say that it doesn't appear that any of the fixes to the site concerned data security.
He also pointed out that it isn't just the federal exchange that has an issue. All 14 of the state exchanges are also vulnerable. And while the state exchanges do have to report any data breaches, the federal exchange does not. Given all of the bad publicity associated with the failed roll-out effort by the government, Kennedy told the Beacon that he thought HHS would probably try to hide any data breaches from the public.
As evidence of this, Kennedy pointed out that an analysis of the most popular search terms being used on the federal website revealed that most of the searches being conducted were actually hacking attempts. Kennedy said, "Their fix for it wasn’t, 'Hey let’s restrict people from inputting malicious code into the website,'—because that’s how hackers break into websites—it was, 'we’re just going to completely disable that entire function completely, and not even show the search results back.'" In other words, HHS has already demonstrated that it is willing to hide information from the public rather than be honest about the issue.
You can see his MSNBC interview below. The bottom line here is that even though the website is now able to handle substantially more traffic, consumers using the site are completely vulnerable to fraud and ID theft. ACCESS is advising consumers to stay away from it. According to Kennedy, it could take more than a year to fix it.
by Jim Malmberg