Security Experts' Unanimous Testimony: Obamacare Website Still Isn't Secure
Back in August, Forbes' Avik Roy warned about the Obamacare website's substantial security problems, and now he's been proven right. Reuters reports that three security experts told the House Oversight committee today that personal user data is vulnerable.
"There are actual, live vulnerabilities on the site now," David Kennedy, head of computer security consulting firm TrustedSec LLC, said in remarks before testifying on the topic "Is My Data on HealthCare.gov Secure?"
Reuters added, "in a rapid 'yes' or 'no' question and answer session, Republican Representative Chris Collins of New York asked the experts about the security of the site:"
"Do any of you think today that the site is secure?"
"The answer was a unanimous 'no.'"
"Would you recommend today that this site be shut down until it is?"
"Kennedy, Morgan Wright, CEO of Crowd Sourced Investigations, and Fred Chang, cyber security chair at Southern Methodist University said 'yes.'"
"Avi Rubin, director of the Information Security Institute at Johns Hopkins University, said he would need more information."
Back in August, Roy wrote, "in order for Obamacare to work, the government will need to know a lot about your financial, medical, and employment situation. Has the Obama administration set up adequate safeguards to protect Americans' privacy under the law? According to the Office of the Inspector General of the Department of Health and Human Services, the answer is no. Based on OIG's analysis, Obamacare's exchanges may end up illegally exposing Americans' private records to hackers and criminals."
"To put that another way: In March, CMS estimated that it would take 51 days, from July 15 to September 4, to review the final Security Control Assessment report, and make the final Security Authorization Decision, which you can think of as the 'green light' that allows the exchanges to go forward, knowing that adequate security controls are in place. Now, CMS is planning to do that 51-day review in just 10 days."
As expected, that security review was unsuccessful.