Healthcare.gov is a security nightmare

November 22, 2013

Policy Feature Issue –
The Security of HealthCare.gov: Read Outs from the House Committees on Science and Energy and Commerce Oversight Hearings 

The Committee on Oversight and Government Reform: Oversight Field Hearings December Schedule 

Readout from Energy and Commerce Oversight and Investigations Subcommittee Hearing on “Security of HealthCare.gov”

Feature Witness:  Mr. Henry Chao, Deputy Chief Information Officer and Deputy Director of the Office of Information Services, Centers for Medicare and Medicaid Services (CMS)

  • Major portions of Obamacare’s exchange – an estimated 30 to 40 percent – have not even been built yet. In response to questions from Rep. Cory Gardner (R-CO), the HealthCare.gov point person admitted that 30 to 40 percent of the Federally Facilitated Marketplace – the federally run exchange – has not yet been built. Examples of unfinished elements include components that send payments to insurers, “the back office systems, the accounting systems, the payment systems.”
  • A full Security Control Assessment is coming in December – some 12 weeks after public launch. In order to complete the Security Control Assessment, which is a key review of the website’s security, the site must be complete. Whether the security testing is actually completed will depend on the ability to complete the site by December. However, the administration has been moving the goal posts about exactly what will be ready and working by its self-imposed November 30 deadline.

Readout of House Science, Space, and Technology Committee Hearing on “Is My Data on Healthcare.gov Secure?”

Witnesses: Mr. Morgan Wright, Chief Executive Officer, Crowd Sourced Investigations, LLC; Dr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security, Southern Methodist University; Dr. Avi Rubin, Director, Health and Medical Security Laboratory, and Technical Director, Information Security Institute, Johns Hopkins University (JHU); and Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC

Chairman Lamar Smith: “Given the testimony we have heard today, there is only one reasonable course of action. Mr. President, take down this website.”

  • Testimony from online security experts demonstrated significant flaws and vulnerabilities in the healthcare.gov website that put the personal data of Americans at risk.
  • In their haste to launch the Healthcare.gov website, it appears the Obama administration cut corners that leave the site open to hackers and other online criminals.  As a result, the personal information that has already been entered into Healthcare.gov is vulnerable to identity thieves.
  • All but one witness at today’s hearing said that they would immediately pull down the site in order to address the security flaws. Mr. Wright said that he’s not political and not viewing this as a politician. But as a technical expert, it would be easier to start over with the website than to spend years trying to identify each vulnerability, loophole, and flaw in the system that could be exploited by hackers and online criminals.
  • All 4 witnesses agreed that they would not have recommended the launch of Healthcare.gov, given the factual known status of the website, on October 1st.
  • All witnesses agreed that the site is not secure today.
  • All 4 witnesses agreed that the website will not be safe by November 30th.
  • All 4 witnesses agreed that they would not advise Americans to use the website in light of the current security risks.
  • We already know of at least 16 attempts to hack into the system.  But we can assume that many more security breaches have not been reported.  In order to gain information on potential healthcare coverage through healthcare.gov, users must input personal contact information, birth dates and social security numbers as well as financial information.
  • David Kennedy, a “white hat hacker” who testified today, gave a demonstration of the website’s vulnerabilities showing in real-time that hackers are attempting to access personal information on the website. Not only is the website vulnerable, but it’s under attack.
  • When asked whether he believed the website had already been compromised by hackers, Mr. Kennedy testified that he believed the website has either already been hacked or soon will be.

Oversight Committee Announces Affordable Care Act Field Hearing Series 

The Oversight and Government Reform Committee announced a series of field hearings this week on ObamaCare’s impact on Americans. The hearings will examine a variety of issues about Affordable Care Act (ACA) implementation including the cost of increased premiums for healthcare coverage and the lack of choice for Americans.

From Politico:

“Beginning with an event in Gastonia, N.C., on Friday, the House oversight committee is seeking to highlight regular Americans’ problems with the law. Issa and his panel will later head to Georgia, Arizona and Dallas. Each location seeks to highlight different problems with Obamacare: for example, sticker shock and people getting dropped from their insurance plans. Issa’s hearings will stretch into mid-December.”

Field Hearing Details: 

North Carolina

Georgia

  • Monday, November 22, 2013
  • “ObamaCare Implementation: High Costs, Few Choices for Rural America”
  • 10:00 a.m. EDT at Hall County Government Center
  • Commission Meeting Room – 2nd floor
  • 2875 Browns Bridge Road, Gainesville, GA 30504

Arizona

  • Friday, December 6, 2013
  • “ObamaCare Implementation, The Broken Promise: If You Like Your Current Plan You Can Keep It”
  • TBD, Arizona

Texas

  • Monday, December 16, 2013
  • “ObamaCare Implementation:  Who Are The Navigators?”
  • Dallas, Texas
