Until today, most of the “non-computer geeks” among the American public believed the major security problem with Healthcare.gov is the potential for identity theft — that hackers could get into the site and steal personal information such as social security numbers and the like.
But according to David Kennedy, a security expert who testified before Congress today, Healthcare.gov could be used to attack the computers of the end users:
Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation.
They wrote notes to the House Committee saying they were concerned about the site’s security, which Kennedy provided to Reuters and will be released on Thursday to the committee led by Republicans who oppose the Affordable Care Act.
“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.
Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.
“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals.
On the bright side, that is good news for the folks at MSNBC, who now have an excuse when one of their hosts makes a disgusting on-air comment. They could say the teleprompter must have been hacked via Healthcare.gov.
Kennedy said he learned of that particular attack method from another security researcher who had identified and tested it.
Yet Kennedy said he identified many other problems on his own, conducting what is known as “passive analysis” of the site, by using an ordinary Web browser and other software tools to look at HealthCare.gov’s content and architecture from the outside.
He said he did not take the additional step of hacking into the site to look for other problems because he did not have permission from the government.
A dissenting opinion was given by Waylon Krush, chief executive of a firm known as Lunarline, which has done security work for the Department of Health and Human Services.
Krush said he questions Kennedy’s conclusions, which were drawn without launching attacks on the website.
“Anybody who brings testimony that says there is a vulnerability on HealthCare.gov is only speculating unless they have actually executed the code, at which point they are hacking a government website and that would be illegal,” said Krush, who will also testify before the committee on Thursday.
Krush said he has not reviewed Kennedy’s findings or done any work on the HealthCare.gov site itself.
It is also important to keep in mind that to this date there has been no hacking of the Obamacare website, though that doesn’t necessarily mean it cannot be hacked.