HealthCare.gov security risks laid bare
'We should have had a lot of defensive capabilities into this site well ahead of it being released.'
At a House hearing Tuesday, lawmakers heard testimony from security experts on whether HealthCare.gov is secure enough to handle the sensitive personal information of millions. The unanimous response? In its current form, probably not. But it can get there.
Some of the experts testifying, however, were blunter in their assessment of the site's dearth of security. When asked whether developers should essentially start the site over from scratch, Morgan Wright, chief executive officer at Crowd Sourced Investigations and former advisor at the Republican National Convention at Cisco Systems, didn't hesitate.
"If you're asking from a technology standpoint, it would be easier to start over again, lay a foundation of security and start over from the beginning because security has to be the foundation of this site. Period," he said at the hearing.
Wright pointed out that HealthCare.gov has more than 500 million lines of code. Behemoth Facebook, comparatively, has only 20 million. This complexity can lead to more "potential for disruption," he said.
Moreover, the fact that a consumer is required to enter a Social Security number before even seeing the health plans is something that needs to change, said Wright.
"It would be the equivalent of saying you can't go in and see a car on the car lot and kick the tire until you fill out a credit app and you're approved," he explained. "This is not the way consumers do business, and it creates the potential for fraud."
However, it was pointed out that HealthCare.gov does not actually store this personally identifiable data.
Fred Chang, computer science professor at Southern Methodist University and former National Security Agency research director, was next to weigh in, emphasizing that we can't underestimate our cyber adversaries.
Chang said within the first few weeks of launching HealthCare.gov, more than 700 mimic websites were set up. Hackers and cybercriminals will take advantage of the users who will undoubtedly mistype the website name or find it from a search engine. One of the biggest risks, he said, is from bogus websites.
These criminals, he said, "will find seams in the system, will attack you in ways you won't expect."
Avi Rubin, director of the health and medical security lab at Johns Hopkins' Institute of Security, offered a more moderate testimony.
"As a software engineer, it's not surprising to me that this happened," he said, referring to the reported hacking incidents -- however unsuccessful -- and site failures.
"Maintaining a secure website is not easy," he added. "All of that said, the computer industry has many success stories." Rubin pointed to airline reservation websites, which are both large and complex and have not experienced any major breaches. It can be done right.