Security holes found in HealthCare.gov

WASHINGTON — Significant security vulnerabilities are still being uncovered in the Obama administration’s health-insurance website, nearly three months after the launch of HealthCare.gov.

Officials discovered two such vulnerabilities, known as “high findings,” within the past month, including one this week, Teresa Fryer, chief information security officer for the Center for Medicare and Medicaid Services, told the House Oversight Committee this week in an interview. Fryer said that both issues were being addressed.

The debate over the security of HealthCare.gov has raised questions about whether similar vulnerabilities exist in systems across the federal government. Because the Internal Revenue Service, the Social Security Administration and other agencies communicate with HealthCare.gov, security gaps in those agencies could, if discovered, allow hackers to penetrate their systems and indirectly compromise the functioning of the new health-care law, outside security experts say.

“It’s a standard technique,” said James Lewis, a cybersecurity scholar at the Center for Strategic and International Studies. “If the target is hard but it’s linked to an easy target, breaking into the easy target will get you into the hard target.”

While software vulnerabilities in Healthcare.gov have been documented, the potential risk stemming from the site’s interconnection with other federal systems has not. Officials from the White House, the Health and Human Services Department and others did not answer questions posed by The Washington Post about whether serious vulnerabilities exist in other federal IT systems linked to HealthCare.gov.

The strength of HealthCare.gov’s security has been the subject of ongoing rancor between Republicans and Democrats.

In recent weeks, House Oversight Committee Chairman Darrell Issa, R-Calif., has highlighted the site’s early vulnerabilities while accusing the White House of launching a premature product. Democrats, meanwhile, maintain that the bugs have been fixed and that the site is safe to use.

Of the two vulnerabilities identified by Fryer in her interview with Congress, one of them turned out to be false, said Patti Unruh, a spokeswoman for HHS. The contractor flagged the problem while performing an assessment in a test version of HealthCare.gov. But the real version contained safeguards that prevented the vulnerability from posing a security risk.

The other high finding involved a faulty piece of code that was successfully repaired, and there are no other significant security issues on the site, Unruh said.

Separately, Mitre, an independent contractor hired to test the security of HealthCare.gov, identified 28 security vulnerabilities in one of several tests it conducted in mid-October, according to the company.

Those tests also showed that hackers could have obtained people’s personal information, according to a letter written to HHS this week by Issa, who quoted information given to him by the company.

Administration officials said the issues identified by Mitre either did not pose a security risk or have since been fixed.

“There have been no successful security attacks on HealthCare.gov,” said HHS spokeswoman Joanne Peters, “and no person or group has maliciously accessed personally identifiable information from the site.”

Last month, Mitre agreed to send redacted copies of its test results to Issa in response to a subpoena. On Dec. 9, Issa requested the documents in an unredacted format.

In four letters to Issa, executives from Mitre warned that the unredacted documents could pose a risk to national security.

“In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov,” Mitre chief executive Alfred Grasso wrote in a letter that accompanied the unredacted documents, “and potentially to the security of other CMS data networks that share attributes of this architecture.”

The Obama administration chimed in, with the White House counsel’s office urging Issa not to leak the documents for fear of endangering “other, similarly constructed federal IT system controls.”

HHS wrote in a letter to Issa: “Disclosure of these security documents could ⅛allow€ hackers to penetrate not only HealthCare.gov and the Federal Data Services Hub, but other Federal IT systems, some of which contain taxpayer information.”

A Republican aide for Issa would not rule out a release, but said that the lawmaker is working with outside analysts to determine the danger for himself.

House Democrats have demanded a classified meeting with Issa so that members of the IRS and the Department of Homeland Security could brief him on the danger of releasing the documents.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Traffic idles while waiting for the lights to change along 33rd Avenue West on Tuesday, April 2, 2024 in Lynnwood, Washington. (Olivia Vanni / The Herald)
Lynnwood seeks solutions to Costco traffic boondoggle

Let’s take a look at the troublesome intersection of 33rd Avenue W and 30th Place W, as Lynnwood weighs options for better traffic flow.

A memorial with small gifts surrounded a utility pole with a photograph of Ariel Garcia at the corner of Alpine Drive and Vesper Drive ion Wednesday, April 10, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
Death of Everett boy, 4, spurs questions over lack of Amber Alert

Local police and court authorities were reluctant to address some key questions, when asked by a Daily Herald reporter this week.

The new Amazon fulfillment center under construction along 172nd Street NE in Arlington, just south of Arlington Municipal Airport. (Chuck Taylor / The Herald) 20210708
Frito-Lay leases massive building at Marysville business park

The company will move next door to Tesla and occupy a 300,0000-square-foot building at the Marysville business park.

Snohomish City Hall on Friday, April 12, 2024 in Snohomish, Washington. (Olivia Vanni / The Herald)
Snohomish may sell off old City Hall, water treatment plant, more

That’s because, as soon as 2027, Snohomish City Hall and the police and public works departments could move to a brand-new campus.

Lewis the cat weaves his way through a row of participants during Kitten Yoga at the Everett Animal Shelter on Saturday, April 13, 2024, in Everett, Washington. (Ryan Berry / The Herald)
Downward cat? At kitten yoga in Everett, it’s all paw-sitive vibes

It wasn’t a stretch for furry felines to distract participants. Some cats left with new families — including a reporter.

FILE - In this Friday, March 31, 2017, file photo, Boeing employees walk the new Boeing 787-10 Dreamliner down towards the delivery ramp area at the company's facility in South Carolina after conducting its first test flight at Charleston International Airport in North Charleston, S.C. Federal safety officials aren't ready to give back authority for approving new planes to Boeing when it comes to the large 787 jet, which Boeing calls the Dreamliner, Tuesday, Feb. 15, 2022. The plane has been plagued by production flaws for more than a year.(AP Photo/Mic Smith, File)
Boeing pushes back on Everett whistleblower’s allegations

Two Boeing engineering executives on Monday described in detail how panels are fitted together, particularly on the 787 Dreamliner.

Ferry workers wait for cars to start loading onto the M/V Kitsap on Friday, Dec. 1, 2023 in Mukilteo, Washington. (Olivia Vanni / The Herald)
Struggling state ferry system finds its way into WA governor’s race

Bob Ferguson backs new diesel ferries if it means getting boats sooner. Dave Reichert said he took the idea from Republicans.

Traffic camera footage shows a crash on northbound I-5 near Arlington that closed all lanes of the highway Monday afternoon. (Washington State Department of Transportation)
Woman dies almost 2 weeks after wrong-way I-5 crash near Arlington

On April 1, Jason Lee was driving south on northbound I-5 near the Stillaguamish River bridge when he crashed into a car. Sharon Heeringa later died.

Owner Fatou Dibba prepares food at the African Heritage Restaurant on Saturday, April 6, 2024 in Everett, Washington. (Annie Barker / The Herald)
Oxtail stew and fufu: Heritage African Restaurant in Everett dishes it up

“Most of the people who walk in through the door don’t know our food,” said Fatou Dibba, co-owner of the new restaurant at Hewitt and Broadway.

A pig and her piglets munch on some leftover food from the Darrington School District’s cafeteria at the Guerzan homestead on Friday, March 15, 2024, in Darrington, Washington. Eileen Guerzan, a special education teacher with the district, frequently brings home food scraps from the cafeteria to feed to her pigs, chickens and goats. (Ryan Berry / The Herald)
‘A slopportunity’: Darrington school calls in pigs to reduce food waste

Washingtonians waste over 1 million tons of food every year. Darrington found a win-win way to divert scraps from landfills.

Foamy brown water, emanating a smell similar to sewage, runs along the property line of Lisa Jansson’s home after spilling off from the DTG Enterprises property on Tuesday, March 5, 2024, in Snohomish, Washington. Jansson said the water in the small stream had been flowing clean and clear only a few weeks earlier. (Ryan Berry / The Herald)
Neighbors of Maltby recycling facility assert polluted runoff, noise

For years, the DTG facility has operated without proper permits. Residents feel a heavy burden as “watchdogs” holding the company accountable.

Rosario Resort and Spa on Orcas Island (Photo provided by Empower Investing)
Orcas Island’s storied Rosario Resort finds a local owner

Founded by an Orcas Island resident, Empower Investing plans” dramatic renovations” to restore the historic resort.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.