Hacker Turned Security Consultant Criticizes HealthCare.gov Web Site

A former hacker who now provides security consulting services has joined the growing number who are criticizing the security flaws in the HealthCare.gov web site.

Kevin Mitnick was once the most wanted computer hacker in the world.  The FBI arrested Mitnick in 1995 and charged him with wire fraud and computer fraud, crimes for which Mitnick served five years in prison.

When Mitnick was released from prison in 2000, limitations were initially placed on when and how he could use computer equipment and the Internet, and even on when he could make telephone calls.  Mitnick was also not allowed to profit from media related to his criminal activity until 2007.

Now Mitnick runs Mitnick Security Consulting, LLC, and his testimony was added last week to a growing stack of criticism levied at the software development firm and administration that rolled out the HealthCare.gov web site.

“It’s shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise,” noted Mitnick in a letter provided to the House Science, Space, and Technology Committee.

Security Issues Added to Growing List of Concerns with HealthCare.gov Web Site

HealthCare.gov is the web site rolled out as required by the Patient Protection and Affordable Care Act, or ObamaCare, to provide a healthcare exchange through which individuals can sign up for insurance coverage.  Although development of the HealthCare.gov web site cost taxpayers hundreds of millions of dollars, the site has been fraught with issues since day one.  Those issues have included an inability to serve even a modest number of users trying to sign up for insurance coverage at the same time, miscalculations about how much insurance coverage will cost, and an inability to accurately pass information to downstream systems.

Add to that list of concerns the security of personal information that individuals enter into the web site.

“After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov Website, it’s clear that the management team did not consider security as a priority,” continued Mitnick.

Kennedy is the CEO of TrustedSec LLC, a security firm that reviewed the security architecture of the web site before it went live on November 1.  Kennedy noted that he has seen little if any improvement in the security precautions taken on the web site since he testified on the matter before Congress on November 19.

“Nothing has really changed,” noted Kennedy.  “They did a little bit of work on it and it’s still vulnerable today.”

The types of security issues that Mitnick and Kennedy have identified are holes in the basic protection mechanisms that should be in place for any computer system attached to the Internet.  Much as a physical prison has locks, walls, and armed guards to limit the actions of the prisoners, a computer system has controls to prevent unauthorized individuals from gaining access to information they have no business accessing.  Without the appropriate security measures, attackers could delete or change information or even make copies of the data.

Armed with Social Security Numbers, insurance information, medical history, and other data, hackers can sell that information to groups who profit from committing insurance fraud or other identity theft related crimes.

Although to date the administration has claimed there have been no confirmed security breaches on the HealthCare.gov web site, it is unclear whether appropriate monitoring is in place to detect such a breach if one has occurred.

Waylon Krush, CEO and founder of Lunarline, another security consulting firm, testified before the same committee that the allegations by Kennedy and Mitnick were mere speculation.

“Nobody here at this table can tell you there is a vulnerability,” said Krush.  Krush based his position on the fact that although Kennedy and Mitnick have identified signs of what they consider security vulnerabilities in the HealthCare.gov web site, they have not actually tested whether anyone could use those vulnerabilities to gain unauthorized access.

by Mark Johnston

Mark has been a contributor to legal web sites related to bankruptcy, tax, and criminal law since 2011. He has an Accounting degree from Texas A&M University.