David Kennedy, head of computer security consulting firm
TrustedSec LLC, told Reuters that the government has yet to plug
more than 20 vulnerabilities that he and other security experts
reported to the government shortly after HealthCare.gov went live on
Hackers could steal personal information, modify data or attack the
personal computers of the website's users, he said. They could also
damage the infrastructure of the site, according to Kennedy, who is
scheduled to describe his security concerns in testimony on Thursday
before the House Science, Space and Technology Committee.
"These issues are alarming," Kennedy said in an interview on
The Centers for Medicare & Medicaid Services, the federal agency
that oversees the site's operations, provided Reuters with a
statement saying it takes the concerns seriously.
"To date there have been no successful security attacks on
HealthCare.gov and no person or group has maliciously accessed
personally identifiable information from the site," the statement
"Security testing is conducted on an ongoing basis using industry
best practices to appropriately safeguard consumers' personal
HealthCare.gov lets consumers shop for insurance plans under
President Barack Obama's Affordable Care Act, which mandates health
insurance for all Americans.
The site, which is meant to serve millions of consumers in 36
states, was crippled by technology errors in the first two months
after its launch on October 1. The Obama administration's efforts to
repair the site helped it to work more smoothly beginning in
December, but problems with data transmission remain.
Kennedy said he last week presented technical details describing the
vulnerabilities in the site to seven independent cyber security
experts, who reviewed videos of potential attack methods as well as
logs and other documentation.
They wrote notes to the House Committee saying they were concerned
about the site's security, which Kennedy provided to Reuters and
will be released on Thursday to the committee led by Republicans who
oppose the Affordable Care Act.
Members of the security community have been publicly pointing out
problems with the site and say they have been privately providing
the government with technical details of those issues since early
At a November Science Committee hearing, Kennedy and three other
expert witnesses said they believed the site was not secure and
three of them said it should be shut down immediately.
Kennedy and his peers who reviewed his work ahead of Thursday's
hearing said the site still has serious security vulnerabilities
that can be viewed from the outside.
"The site is fundamentally flawed in ways that make it dangerous to
people who use it," said Kevin Johnson, one of the experts who
reviewed Kennedy's findings.
Johnson said that one of the most troubling issues was that a hacker
could upload malicious code to the site, then attack other
"You can take control of their computers," said Johnson, chief
executive of a firm known as Secure Ideas and a teacher at the
non-profit SANS Institute, the world's biggest organization that
trains and certifies cyber security professionals.
He declined to provide further details about that vulnerability,
saying he was concerned the information could be used by malicious
hackers to launch attacks.
Kennedy said he learned of that particular attack method from
another security researcher who had identified and tested it.
[to top of second column]
Yet Kennedy said he identified many other problems on his own,
conducting what is known as "passive analysis" of the site, by using
an ordinary Web browser and other software tools to look at
HealthCare.gov's content and architecture from the outside.
said he did not take the additional step of hacking into the site to
look for other problems because he did not have permission from the
Waylon Krush, chief executive of a firm known as Lunarline that has
done security work for the Department of Health and Human Services,
said he questions Kennedy's conclusions that were drawn without
launching attacks on the website.
"Anybody who brings testimony that says there is a vulnerability on
HealthCare.gov is only speculating unless they have actually
executed the code, at which point they are hacking a government
website and that would be illegal," said Krush, who will also
testify before the committee on Thursday.
Krush said he has not reviewed Kennedy's findings or done any work
on the HealthCare.gov site itself.
"If I said everything was perfect, I would just be speculating
because I did not work on the site," he said.
One security flaw that Kennedy first uncovered and reported to the
government in October exposes information including a user's full
name and email address. He said he wrote a short computer program in
five minutes that automatically collects that data, which was able
to import some 70,000 records in about four minutes.
He said the information was accessible via the Internet and he did
not have to hack the site to get it. He declined to elaborate.
John Strand, a principal with Black Hills Information Security and a
SANS Institute trainer who also reviewed Kennedy's findings, said he
was concerned about what might have been uncovered if Kennedy had
conducted a more in-depth probe and actually attempted to hack into
He said he supports a recent move by the House of Representatives to
force the government to disclose breaches whenever they occur. The
government is generally not required to notify the public when its
systems are compromised.
"We don't know how bad it is because they don't have to tell us,"
Lamar Smith, the Texas Republican chairman of the committee, said in
a statement that the government should quickly move to plug the
security flaws that have already been reported by security experts.
"If Americans' information is not secure, then the theft of their
identities is inevitable and dangerous," he said. "The President
should take swift action to ensure that the American people are not
the next target of cyber criminals."
The government said on Saturday that Accenture Plc would replace CGI
Federal, a subsidiary of CGI Group, as the lead contractor for the
Obamacare enrollment website.
(Reporting by Jim Finkle; editing by Richard Valdmanis and Richard
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.