1/20/14

Healthcare.gov 'still riddled with security holes'

Only half of one of the security holes previously identified on the government's health care site has been patched, while new ones have since been uncovered, says the head of a security consulting firm. Kennedy, who is testifying before Congress today on the security issues related to HealthCare.gov, outlined his concerns in a blog post today. Kennedy previously testified in November. Since then, it's still been "business as usual" on the site, he said in the blog.
Among the security holes identified last year, only half of one of them has been fixed, according to Kennedy. And more than 20 additional ones have been discovered by other security researchers examining the site. By his own admission, Kennedy didn't form his opinion by trying to hack into the site but rather based on his years of experience resolving similar problems for other organizations.
To review his findings, Kennedy said he called on other security professionals, including Ed Skoudis, Kevin Mitnick, Chris Nickerson, Eric Smith, Chris Gates, John Strand, and Kevin Johnson. Their responses?
"I asked that they simply give their professional opinion on what they thought of the exposures and if they think best practices were followed on the healthcare.gov website," Kennedy said. "The results were unanimous and unified -- it's bad." [BJS]