Obamacare website too vulnerable, say security experts

20 November 2013
By Tereza Pultarova
Some experts have said the Obamacare website should be shut down because of security glitches

The Obamacare website puts users' sensitive data at risk, experts have said, recommending that it be shut down until the problems are addressed.

Speaking before the US Congress on Tuesday, some of the experts questioned said the site needed to be completely rebuilt to run more efficiently, which would make it easier to protect.

With its 500 million lines of code – 25 times the size of Facebook – the HealthCare.gov website is extremely vulnerable, the experts believe.

"When your code base is that large it's going to be indefensible," Morgan Wright, CEO of a firm known as Crowd Sourced Investigations, said in a Republican-led questioning.

David Kennedy, head of computer security consulting firm TrustedSec LLC and a former US Marine Corps cyber analyst, said in written testimony that some of the major security glitches of HealthCare.gov would take at least seven to 12 months to fix, and suggested the site should be shut down until the problems are solved.

Earlier this month, experts revealed that the site tells people when a user name is invalid at login, allowing hackers to identify user IDs.

Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security, said he needed more data before calling for a shutdown of the site.

"Bringing down the site is a very drastic response," he told Reuters after the hearing. However, he admitted, he would not use the site himself because of security concerns.

It was also revealed during the hearing that the part of the HealthCare.gov system securing financial operations is far from ready and won’t be until at least mid-January.

According to Henry Chao, HealthCare.gov’s project manager, the unfinished technology makes up 40 per cent of the whole system.

According to insider sources, work on the back-end technology was postponed by the managers in order to allow developers to fully concentrate on the user interface prior to the website’s launch.

Julie Bataille, the spokeswoman for the Centers for Medicare & Medicaid Services, the federal health agency operating the website, said the financial functions would not be needed until mid-January.

"The back-end financial management systems are something that we do not believe are essential until 2014 and we'll roll those out in those timeframes," she said.

However, the insurers will start sending the bills as soon as 1 January, claiming billions of dollars for subsidised coverage, which could possibly lead to a collapse of the fragile website.

Some experts have also suggested that a program needed to confirm the identities, subsidy levels and coverage choices of individual plan enrolees would have to be in place in December if coverage is to begin on time on 1 January.
