News Feature | September 26, 2014

Healthcare.gov Website Vulnerable To Attack

By Katie Wike, contributing writer

Security flaws in the government website leave consumer information vulnerable, according to a report from the Government Accountability Office.

A report from the Government Accountability Office (GAO) notes the Healthcare.gov website is vulnerable to attack due to a list of weaknesses. According to Modern Healthcare, the website collects Social Security numbers, birthdates, names, and other sensitive information and is used by multiple federal agencies, though there is no shared knowledge of security measures.

CMS, the agency which runs the website, "had not always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network," the report said.

“While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.”

According to iHealth Beat, weaknesses outlined by the GAO include:

  • CMS failed to complete network security systems
  • no backup website for recovery due to systems failure
  • inconsistent application of security patches
  • the allowance of certain systems to access the website's infrastructure, which heightened the risk for unauthorized access to data
  • weak enforcement of password-strength requirements

The report stated, "Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by HealthCare.gov and related systems, and the disruption of service provided by the systems."

In response, HHS spokesman Aaron Albright explained that the changing nature of threats makes website security an evolving process and that officials have already acted on many of the recommendations.