The Herald of Everett, Washington
Customer service  |  Subscribe   |   Log in or sign up   |   Advertising information   |   Contact us
HeraldNet on Facebook HeraldNet on Twitter HeraldNet RSS feeds HeraldNet Pinterest HeraldNet Google Plus The Daily Herald on Linked In HeraldNet Youtube
HeraldNet Newsletters  Newsletters: Sign up  Green editions icon Green editions

Security holes found in

SHARE: facebook Twitter icon Linkedin icon Google+ icon Email icon |  PRINTER-FRIENDLY  |  COMMENTS
The Washington Post
WASHINGTON -- Significant security vulnerabilities are still being uncovered in the Obama administration's health-insurance website, nearly three months after the launch of
Officials discovered two such vulnerabilities, known as "high findings," within the past month, including one this week, Teresa Fryer, chief information security officer for the Center for Medicare and Medicaid Services, told the House Oversight Committee this week in an interview. Fryer said that both issues were being addressed.
The debate over the security of has raised questions about whether similar vulnerabilities exist in systems across the federal government. Because the Internal Revenue Service, the Social Security Administration and other agencies communicate with, security gaps in those agencies could, if discovered, allow hackers to penetrate their systems and indirectly compromise the functioning of the new health-care law, outside security experts say.
"It's a standard technique," said James Lewis, a cybersecurity scholar at the Center for Strategic and International Studies. "If the target is hard but it's linked to an easy target, breaking into the easy target will get you into the hard target."
While software vulnerabilities in have been documented, the potential risk stemming from the site's interconnection with other federal systems has not. Officials from the White House, the Health and Human Services Department and others did not answer questions posed by The Washington Post about whether serious vulnerabilities exist in other federal IT systems linked to
The strength of's security has been the subject of ongoing rancor between Republicans and Democrats.
In recent weeks, House Oversight Committee Chairman Darrell Issa, R-Calif., has highlighted the site's early vulnerabilities while accusing the White House of launching a premature product. Democrats, meanwhile, maintain that the bugs have been fixed and that the site is safe to use.
Of the two vulnerabilities identified by Fryer in her interview with Congress, one of them turned out to be false, said Patti Unruh, a spokeswoman for HHS. The contractor flagged the problem while performing an assessment in a test version of But the real version contained safeguards that prevented the vulnerability from posing a security risk.
The other high finding involved a faulty piece of code that was successfully repaired, and there are no other significant security issues on the site, Unruh said.
Separately, Mitre, an independent contractor hired to test the security of, identified 28 security vulnerabilities in one of several tests it conducted in mid-October, according to the company.
Those tests also showed that hackers could have obtained people's personal information, according to a letter written to HHS this week by Issa, who quoted information given to him by the company.
Administration officials said the issues identified by Mitre either did not pose a security risk or have since been fixed.
"There have been no successful security attacks on," said HHS spokeswoman Joanne Peters, "and no person or group has maliciously accessed personally identifiable information from the site."
Last month, Mitre agreed to send redacted copies of its test results to Issa in response to a subpoena. On Dec. 9, Issa requested the documents in an unredacted format.
In four letters to Issa, executives from Mitre warned that the unredacted documents could pose a risk to national security.
"In the wrong hands, this information could cause irreparable harm to the basic security architecture of," Mitre chief executive Alfred Grasso wrote in a letter that accompanied the unredacted documents, "and potentially to the security of other CMS data networks that share attributes of this architecture."
The Obama administration chimed in, with the White House counsel's office urging Issa not to leak the documents for fear of endangering "other, similarly constructed federal IT system controls."
HHS wrote in a letter to Issa: "Disclosure of these security documents could ⅛allow€ hackers to penetrate not only and the Federal Data Services Hub, but other Federal IT systems, some of which contain taxpayer information."
A Republican aide for Issa would not rule out a release, but said that the lawmaker is working with outside analysts to determine the danger for himself.
House Democrats have demanded a classified meeting with Issa so that members of the IRS and the Department of Homeland Security could brief him on the danger of releasing the documents.
Story tags » FederalHealthMedicare

More Nation & World Headlines


HeraldNet Headlines

Top stories and breaking news updates


Share your comments: Log in using your HeraldNet account or your Facebook, Twitter or Disqus profile. Comments that violate the rules are subject to removal. Please see our terms of use. Please note that you must verify your email address for your comments to appear.

You are logged in using your HeraldNet ID. Click here to update your profile. | Log out.

Our new comment system is not supported in IE 7. Please upgrade your browser here.