Obamacare website security called 'outrageous': How safe is it? (+video)
Glitches in the Obamacare website are well known, but some cyber experts are also raising red flags about the site's security. They point to a variety of concerns.
Cybersecurity professionals are voicing questions about potential red flags in the new federal health care website system that could open the door to theft of personal information.Skip to next paragraph
Infographic Obamacare facts: How will the law affect you?
Subscribe Today to the Monitor
In the two weeks since the Affordable Healthcare Act site, www.healthcare.gov, went live, most complaints have centered on long wait times with sites initially overloaded by interested visitors. In response, government officials are scrambling to get more capacity for the main site and its satellites.
But potentially far more serious questions are emerging about cybersecurity. Experts have said that hackers could “spoof” the website with a look-alike website to collect personal information, or criminals could use an automated program to try repeatedly to enter the site even if it didn’t get a login correct.
Experts have stopped short of calling these concerns “vulnerabilities” – a term that means a proven weak spot to hackers. But they say these red flags need attention.
“I’ll ask you your Social Security, your date of birth, [so] an hour later I can empty your bank account,” John McAfee, who founded the cybersecurity company of the same name but is no longer associated with it, complained on Fox News. The Obamacare websites, he said, have “no safeguards,” and the main site's architecture is "outrageous."
Federal officials say they have made website security a “top priority,” said Marilyn Tavenner, administrator for the Centers for Medicare & Medicaid Service, which operates the system, during a congressional hearing in July. “We will use appropriate policies, procedures, standards, and implementation specifications to ensure the privacy and security of consumer data in accordance with applicable law.”
For example, the site is supposed to adhere to cybersecurity standards for the federal government set by the National Institute of Standards and Technologies.
But just because all the standards are met does not mean all the holes are plugged. Some cybersecurity experts have echoed Mr. McAfee's comments. Here are some of the red flags they raise.
Request forgery. One potential flaw with the Obamacare website would grant automated “all-Access Request For Other Sites” – which basically allows another site to make a certain kinds of request to healthcare.gov that could lead to “cross-site request forgery” and potentially fooling the government site into releasing restricted information, writes Nidhi Shah, who works on research and development for HP's Web Security Research Group, on a company blog. That red flag appeared on some of the site's pages, but she admits it could not be confirmed at the time on the site’s most secure areas because of high traffic volume.