Warning to Americans: Don’t use HealthCare.gov.
That was the advice from four tech experts Tuesday morning who testified before a congressional committee about security concerns related to the new federal health insurance marketplace.
The experts warned that the website central to Obamacare’s implementation still contains serious security flaws that make user information vulnerable to hackers. Three of the four experts agreed that the site should be shut down until security flaws are resolved.
“I would say the website is either hacked already or will be soon,” David Kennedy, head of the computer security consulting firm TrustedSec LLC, located outside of Cleveland, told the committee. He added, “There’s not a lot of security built into the site.”
At a hearing titled “Is My Data on HealthCare.gov Secure?,” each expert gave lawmakers from the House Committee on Science, Space and Technology a scathing review of the website, saying it is currently vulnerable to an attack, despite administration officials’ persistent assurance that the website is safe.
Though the website does not store medical records, it does include information from other websites and includes e-commerce information that could be targeted by hackers. “It’s not only Social Security numbers … it’s one of the largest collections of personal data, Social Security and everything else, that we’ve ever seen,” Kennedy said.
All four tech experts agreed that they would not have launched the website on Oct. 1, knowing what they know now about its security vulnerabilities. They also agreed that the website will not be safe and secure by Nov. 30 – the date by which the Obama administration has said the website will be fully functioning and “running smoothly for the vast majority of users.”
“There’s no doubt that compared to a private system that goes live, this system has more problems than you would expect to see,” said Avi Rubin, technical director of Johns Hopkins University’s Information Security Institute. “It’s actually the most far behind in terms of security.”
Just days before the website went live, a government memo was circulated in which two officials from the Department of Health and Human Services revealed that HealthCare.gov had not been properly tested before its launch, creating a “high risk.” Since then, officials have said that steps had been taken to ease security concerns.
But the tech experts said they aren’t buying that. They told the committee that addressing the security concerns could take months – maybe even years – and that doing so might require shutting down the website entirely, since the system is so complex.
Indeed, HealthCare.gov contains 500 million lines of code and sees about 500,000 unique visitors each day. That’s compared to Facebook – which has about 20 million lines of code and services 727 million unique daily visitors, according to testimony by Morgan Wright, chief executive officer of Crowd Sourced Investigations.
“Whenever you introduce this amount of complexity, it creates a significant amount of risk,” Kennedy said, noting that few large applications have been built on 500 million lines of code, as HealthCare.gov has been.
At the same time, the website’s project manager, Henry Chao, was telling a separate congressional committee, in the same House office building, that Americans should not worry about the security of their personal information on the website. “Security vulnerabilities have not necessarily been reported in terms of it being a security threat,” Chao said.
Follow Brianna Ehley on Twitter @BriannaEhley