Security expert David Kennedy has warned that the Obamacare website Healthcare.gov was not designed with security in mind, and that it could take as long as a year to address the “critical and high exposures on the website.”
Kennedy, CEO of the security consultancy TrustedSec, testified before Congress last week about the security lapses he found after conducting a fairly routine, low-intensity penetration test of the government-run website, saying that the developers took little to no care in producing a secure portal.
“When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” said Kennedy. “It’s really hard to go back and fix the security around it because security wasn’t built into it.”
The Department of Health and Human Services, which oversaw the site’s development, maintains that it meets all applicable federal regulations as far as security precautions are concerned.
“The privacy and security of consumers’ personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” a spokesperson stated.
The federal government is not alone in having trouble securing the health insurance exchange sites: Vermont has disclosed a data breach linked to its healthcare website, and a consumer in Oregon said she was sent another applicant’s information in the mail, including birth dates, income, and Social Security numbers.
HHS says that numerous bugs and vulnerabilities have been fixed in recent weeks, and is confident the site can withstand further scrutiny where data protection is concerned, but Kennedy disagrees with their assessment.
“When you look at the site itself, it could be really good. It could do really well. They’re just not building the security into the site itself. Putting your information on there is definitely a risk,” said Kennedy.