Security holes found in HealthCare.gov

WASHINGTON — Significant security vulnerabilities are still being uncovered in the Obama administration’s health-insurance website, nearly three months after the launch of HealthCare.gov.

Officials discovered two such vulnerabilities, known as “high findings,” within the past month, including one this week, Teresa Fryer, chief information security officer for the Center for Medicare and Medicaid Services, told the House Oversight Committee this week in an interview. Fryer said that both issues were being addressed.

The debate over the security of HealthCare.gov has raised questions about whether similar vulnerabilities exist in systems across the federal government. Because the Internal Revenue Service, the Social Security Administration and other agencies communicate with HealthCare.gov, security gaps in those agencies could, if discovered, allow hackers to penetrate their systems and indirectly compromise the functioning of the new health-care law, outside security experts say.

“It’s a standard technique,” said James Lewis, a cybersecurity scholar at the Center for Strategic and International Studies. “If the target is hard but it’s linked to an easy target, breaking into the easy target will get you into the hard target.”

While software vulnerabilities in Healthcare.gov have been documented, the potential risk stemming from the site’s interconnection with other federal systems has not. Officials from the White House, the Health and Human Services Department and others did not answer questions posed by The Washington Post about whether serious vulnerabilities exist in other federal IT systems linked to HealthCare.gov.

The strength of HealthCare.gov’s security has been the subject of ongoing rancor between Republicans and Democrats.

In recent weeks, House Oversight Committee Chairman Darrell Issa, R-Calif., has highlighted the site’s early vulnerabilities while accusing the White House of launching a premature product. Democrats, meanwhile, maintain that the bugs have been fixed and that the site is safe to use.

Of the two vulnerabilities identified by Fryer in her interview with Congress, one of them turned out to be false, said Patti Unruh, a spokeswoman for HHS. The contractor flagged the problem while performing an assessment in a test version of HealthCare.gov. But the real version contained safeguards that prevented the vulnerability from posing a security risk.

The other high finding involved a faulty piece of code that was successfully repaired, and there are no other significant security issues on the site, Unruh said.

Separately, Mitre, an independent contractor hired to test the security of HealthCare.gov, identified 28 security vulnerabilities in one of several tests it conducted in mid-October, according to the company.

Those tests also showed that hackers could have obtained people’s personal information, according to a letter written to HHS this week by Issa, who quoted information given to him by the company.

Administration officials said the issues identified by Mitre either did not pose a security risk or have since been fixed.

“There have been no successful security attacks on HealthCare.gov,” said HHS spokeswoman Joanne Peters, “and no person or group has maliciously accessed personally identifiable information from the site.”

Last month, Mitre agreed to send redacted copies of its test results to Issa in response to a subpoena. On Dec. 9, Issa requested the documents in an unredacted format.

In four letters to Issa, executives from Mitre warned that the unredacted documents could pose a risk to national security.

“In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov,” Mitre chief executive Alfred Grasso wrote in a letter that accompanied the unredacted documents, “and potentially to the security of other CMS data networks that share attributes of this architecture.”

The Obama administration chimed in, with the White House counsel’s office urging Issa not to leak the documents for fear of endangering “other, similarly constructed federal IT system controls.”

HHS wrote in a letter to Issa: “Disclosure of these security documents could ⅛allow€ hackers to penetrate not only HealthCare.gov and the Federal Data Services Hub, but other Federal IT systems, some of which contain taxpayer information.”

A Republican aide for Issa would not rule out a release, but said that the lawmaker is working with outside analysts to determine the danger for himself.

House Democrats have demanded a classified meeting with Issa so that members of the IRS and the Department of Homeland Security could brief him on the danger of releasing the documents.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

A firefighter stands in silence before a panel bearing the names of L. John Regelbrugge and Kris Regelbrugge during the ten-year remembrance of the Oso landslide on Friday, March 22, 2024, at the Oso Landslide Memorial in Oso, Washington. (Ryan Berry / The Herald)
‘Flood of emotions’ as Oso Landslide Memorial opens on 10th anniversary

Friends, family and first responders held a moment of silence at 10:37 a.m. at the new 2-acre memorial off Highway 530.

Julie Petersen poses for a photo with images of her sister Christina Jefferds and Jefferds’ grand daughter Sanoah Violet Huestis next to a memorial for Sanoah at her home on March 20, 2024 in Arlington, Washington. Peterson wears her sister’s favorite color and one of her bangles. (Annie Barker / The Herald)
‘It just all came down’: An oral history of the Oso mudslide

Ten years later, The Daily Herald spoke with dozens of people — first responders, family, survivors — touched by the deadliest slide in U.S. history.

Victims of the Oso mudslide on March 22, 2014. (Courtesy photos)
Remembering the 43 lives lost in the Oso mudslide

The slide wiped out a neighborhood along Highway 530 in 2014. “Even though you feel like you’re alone in your grief, you’re really not.”

Director Lucia Schmit, right, and Deputy Director Dara Salmon inside the Snohomish County Department of Emergency Management on Friday, March 8, 2024, in Everett, Washington. (Ryan Berry / The Herald)
How Oso slide changed local emergency response ‘on virtually every level’

“In a decade, we have just really, really advanced,” through hard-earned lessons applied to the pandemic, floods and opioids.

Ron and Gail Thompson at their home on Monday, March 4, 2024 in Oso, Washington. (Olivia Vanni / The Herald)
In shadow of scarred Oso hillside, mudslide’s wounds still feel fresh

Locals reflected on living with grief and finding meaning in the wake of a catastrophe “nothing like you can ever imagine” in 2014.

The rezoned property, seen here from the Hillside Vista luxury development, is surrounded on two sides by modern neighborhoods Monday, March 25, 2024, in Lake Stevens, Washington. (Ryan Berry / The Herald)
Despite petition, Lake Stevens OKs rezone for new 96-home development

The change faced resistance from some residents, who worried about the effects of more density in the neighborhood.

Rep. Suzan DelBene, left, introduces Xichitl Torres Small, center, Undersecretary for Rural Development with the U.S. Department of Agriculture during a talk at Thomas Family Farms on Monday, April 3, 2023, in Snohomish, Washington. (Olivia Vanni / The Herald)
Under new federal program, Washingtonians can file taxes for free

At a press conference Wednesday, U.S. Rep. Suzan DelBene called the Direct File program safe, easy and secure.

Former Snohomish County sheriff’s deputy Jeremie Zeller appears in court for sentencing on multiple counts of misdemeanor theft Wednesday, March 27, 2024, at Snohomish County Superior Court in Everett, Washington. (Ryan Berry / The Herald)
Ex-sheriff’s deputy sentenced to 1 week of jail time for hardware theft

Jeremie Zeller, 47, stole merchandise from Home Depot in south Everett, where he worked overtime as a security guard.

Everett
11 months later, Lake Stevens man charged in fatal Casino Road shooting

Malik Fulson is accused of shooting Joseph Haderlie to death in the parking lot at the Crystal Springs Apartments last April.

T.J. Peters testifies during the murder trial of Alan Dean at the Snohomish County Courthouse on Tuesday, March 26, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
Bothell cold case trial now in jury’s hands

In court this week, the ex-boyfriend of Melissa Lee denied any role in her death. The defendant, Alan Dean, didn’t testify.

A speed camera facing west along 220th Street Southwest on Tuesday, Nov. 21, 2023 in Edmonds, Washington. (Olivia Vanni / The Herald)
New Washington law will allow traffic cams on more city, county roads

The move, led by a Snohomish County Democrat, comes as roadway deaths in the state have hit historic highs.

Mrs. Hildenbrand runs through a spelling exercise with her first grade class on the classroom’s Boxlight interactive display board funded by a pervious tech levy on Tuesday, March 19, 2024 in Marysville, Washington. (Olivia Vanni / The Herald)
Lakewood School District’s new levy pitch: This time, it won’t raise taxes

After two levies failed, the district went back to the drawing board, with one levy that would increase taxes and another that would not.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.