The Centers for Medicare and Medicaid Services (CMS), the division of the health department that administers the Healthcare.gov insurance exchange, has denied that the website is vulnerable to hackers. The statement came in response to David Kennedy of TrustedSec who claims that consumer information including first names, last names, addresses, and user names is publicly viewable through Google.
Kennedy says he never accessed the profiles himself, but he confirmed their existence by using some advanced search parameters to drill down deep into the site. "There are problems with the site that need to be fixed and things that need to be addressed that aren't being fixed," says Kennedy, who first testified about the issue in front of a Congressional committee in November. He declined to disclose his exact methods until the issue is fixed.
The administration has not responded to Kennedy personally, but told The Verge by email that "the information in the report is based on assumptions, not direct knowledge of the website." Healthcare.gov has never been the victim of a successful security attack, CMS says, and the site is "monitored by sensors and other tools to deter and prevent any unauthorized access such as regular penetration testing and continuous monitoring of computer systems."
Healthcare.gov is also compliant with the Federal Information Security Management Act (FISMA) and based on standards promulgated by the National Institute of Standards and Technology (NIST), the administration says.
Healthcare.gov hasn't been hacked yet
CMS chief information security officer Teresa Fryer says independent experts completed an end-to-end assessment on December 18th and found no high-risk security issues. Based on that assessment, Fryer says she would recommend that the site's security certificate be renewed when it comes up in March.
"While no serious security professional will ever guarantee that any system is hack-proof, I am confident, based on the recent security controls assessment and additional security protections, that the FFM is secure," Fryer says in an email. "In many instances, we have gone above and beyond what is required, with layered protection, continuous monitoring, and additional penetration testing."
Other security experts agree with Kennedy, however, that the administration is not responding to concerns about the site's exposure to hackers. "After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov website, it's clear that the management team did not consider security as a priority," writes the hacker-turned-security consultant Kevin Mitnick.