HealthCare.gov security -- 'a breach waiting to happen'

The government's problem-riddled Obamacare Web site may face further problems from hackers taking advantage of its many security holes. At least that's the consensus of a group of security professionals who have analyzed the site.

David Kennedy, who is CEO of computer security consulting firm TrustedSec and who is testifying before Congress today on the security issues related to HealthCare.gov, outlined his concerns in a blog post today. Kennedy previously testified in November. Since then, it's still been "business as usual" on the site, he said in the blog.

Among the security holes identified last year, only half of one of them has been fixed, according to Kennedy. And more than 20 additional ones have been discovered by other security researchers examining the site. By his own admission, Kennedy didn't form his opinion by trying to hack into the site but rather based on his years of experience resolving similar problems for other organizations.

To review his findings, Kennedy said he called on other security professionals, including Ed Skoudis, Kevin Mitnick, Chris Nickerson, Eric Smith, Chris Gates, John Strand, and Kevin Johnson. Their responses?

"I asked that they simply give their professional opinion on what they thought of the exposures and if they think best practices were followed on the healthcare.gov website," Kennedy said. "The results were unanimous and unified -- it's bad."

In a signed document presented to Congress, some of Kennedy's fellow security pros weighed in with their specific opinions:

"Reviewing the security issues discovered in the healthcare.gov site, I can tell you: this is a breach waiting to happen," Counter Hack founder Ed Skoudis said in the document. "Or, given the numerous vulnerabilities, perhaps a breach already has happened. These are exactly the kind of security flaws bad guys exploit in large-scale breaches. Urgent action is required to fix these flaws, applying well-known, time-tested, industry-standard security defenses."

Kevin Johnson, CEO of Secure Ideas, found fault with the lack of security testing and training among those responsible for the site.

"In my professional opinion, these findings exhibit not only a basic lack of security testing, but also reflect signs that standard IT change management and validation practices are not being followed," Johnson said." These security findings are typical findings we see when an application has been written by developers who have not been introduced to basic security training, nor understand the importance of security within an application."

Johnson also told CNET that two main categories of issues persist on the site. First, there are flaws that can expose sensitive information about the site's users. Second, there are flaws that would allow someone to remotely attack users directly through the trusted connection on the site. Both categories pose risks to the public, Johnson added, including data and identify theft as well as compromised computers.

What should the government do at this point?

"In my experience the next step must be a comprehensive security assessment of the entire HealthCare.gov system," Johnson told CNET. "Based on that assessment we would be able to understand where the resources need to be put."

Waylon Krush, CEO of Lunarline, which has done security work for the Department of Health and Human Services, told Reuters that he questions Kennedy's findings since they were drawn without actually trying to hack into the site. Krush, who acknowledged that he hasn't actually reviewed Kennedy's findings or worked on the health care site, also is testifying before Congress.

Responding to CNET's request for comment on the security concerns, the Centers for Medicare & Medicaid Services (CMS), which manages the health care site, issued the following statement:

CMS takes seriously any legitimate concerns about the security of the website. We have a robust system in place to quickly investigate and address any potential vulnerabilities. We respond appropriately to anyone who contacts us with information about potential vulnerabilities or incidents. Because this individual had no direct access to the operations of the HealthCare.gov Web site, the information in the report is based on assumptions, not direct knowledge of the Web site.

To date, there have been no successful security attacks on HealthCare.gov and no person or group has maliciously accessed personally identifiable information from the site. Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers' personal information. The security of the system is also monitored by sensors and other tools to deter and prevent any unauthorized access such as regular penetration testing and continuous monitoring of computer systems. As part of the ongoing testing process, and in line with federal and industry standards, any open risk findings are being appropriately addressed with risk mitigation strategies and compensating controls. There are currently no open high risk findings for the FFM [Federally Facilitated Marketplace].

The components of the HealthCare.gov website that are operational have been determined to be compliant with the Federal Information Security Management Act (FISMA), based on standards promulgated by the National Institutes of Standards and Technology (NIST) and promulgated through the Office of Management and Budget (OMB).