Security Expert on Healthcare.gov: ‘Not Secured Today – Nothing Has Really Changed’

January 16, 2014 - 3:39 PM

(CNSNews.com) – A security expert who tests flaws on private websites testified before the House Science Committee on Thursday that healthcare.gov, the federal exchange website for Obamacare, is “not secured today, and nothing has really changed” since he last testified before Congress about the security threat.

“The consistent feedback that we got was that healthcare.gov is not secured today, and nothing’s really changed since the Nov. 19 testimony. In fact, from our Nov. 19 testimony, it’s even worse,” David Kennedy, CEO and founder of TrustedSec, said in his opening statement.

Kennedy worked more than 14 years in the security industry, including for the National Security Agency, and he spent “a number of years in Iraq and Afghanistan.”

He and seven well-known independent security researchers, including some who have worked for, trained for or worked closely with the government, provided feedback on the security flaws of the website in a letter to the committee.

“Additional security researchers have come into play, providing additional research – additional findings that we can definitely tell that the website is not getting any better,” said Kennedy.

“In fact, since the Nov. 19, 2013 testimony, there’s only been one half of a vulnerability that we discovered that has been addressed or even close to being mitigated. And what I say about one-half is that basically, they did a little bit of work on it, and it’s still vulnerable today,” Kennedy said.

Kennedy has been nicknamed the “white hat hacker,” although he contends that he “in no way, shape or form” performed any type of hacking on the website.

“That’s a misnomer,” Kennedy said. “The type of techniques that we used is looking at the site from a health perspective, doing what we call passive reconnaissance – not attacking the site in any way, shape or form, not sending data to the site, but really looking at the health of it.”

Kennedy warned that hackers of healthcare.gov could access personal information: Social Security numbers, first name, last name, e-mail addresses, and home of record.

He said hackers would be able to access other government websites that are directly integrated into healthcare.gov and create an online profile.

“As an attacker, if I had access to the healthcare.gov infrastructure, it has direct integration into the IRS, DHS, as well as third party providers as well for credit checks. If I have access to those government agencies, I now can complete an entire online profile of an individual, everything that they do, and all their entire online presence,” Kennedy said.

“And this isn’t just healthcare.gov alone. I’m not trying to single out healthcare.gov alone. I’m really focusing on a much larger issue, which is security in the federal government alone is at a really bad state. We need to really work together to fix it and work on more sweeping changes,” he added.