HealthCare.gov security risks laid bare
'We should have had a lot of defensive capabilities into this site well ahead of it being released.'
Rubin maintained that along with other security tweaks, if there were annual security reviews, "a website such as Healthcare.gov can be deployed in a practical manner."
David Kennedy, chief executive officer of information security firm TrustedSEC, disagreed. As part of his job, Kennedy, a self-described white hat hacker, will hack into systems to determine their security risks. And although he and his team did not hack the HealthCare.gov website, from what he could tell on the front end, it's just not secure enough.
"Objectively, we should have had a lot of defensive capabilities into this site well ahead of it being released," he told the House committee.
The purpose of security, he explained, is not to say, "'Hey we're 100 percent impenetrable all the time,' but can we detect the hackers in the very early stages of an the lifecycle of the attack, monitor them and prevent them from happening," he continued, "And none of those are clearly being done on the HealthCare.gov website and all of its subwebsites."
Just by looking at the website, Kennedy and his team identified some 17 different exposures and subsequently reported these vulnerabilities. "A lot of those have been addressed," he said. "Some of them have not been."
Kennedy addressed the claims that HealthCare.gov and its sub-sites have been subjects of attempted hacker attacks 16 times. That's just not possible, he said.
"The attacks that happen on the Internet are so frequently used and so frequently done, that that means there's not much detection capabilities on HealthCare.gov," he explained.
Kennedy offered an example. Just by typing a semicolon into the search field, one can see that semicolons are one of the top-viewed "terms" on the site. Those, he said, are called sequel injections attacks, "meaning that hackers are continuously trying to vulnerabilities on this, and the top results on the website are actual attacks on the website itself," he explained.
Although the security of HealthCare.gov was the topic of the hearing, many lawmakers repeatedly used the hearing as a platform to disparage the Affordable Care Act overall.
One sentiment all sides agreed on, however, was there are flaws and shortcomings that need to be fixed.