Information Technology company TrustedSec revealed Monday in a Congressional hearing that they had discovered profiles from the site indexed on Google, as well as numerous security flaws. The company did no direct 'hacking' to test the government's healthcare website:
Instead, TrustedSec utilized information readily available on the Internet as well as analysis of information presented back from the website to perform the assessment. What this analysis shows us is that as an attacker, there are known exposures in the healthcare.gov website today that could lead to significant compromise of the website and information.
Additionally, the website is integrated into multiple agencies including some of the largest collections of United States citizen data – this includes the Internal Revenue Service (IRS) and other federal agencies.
In other words, the site holds lots of supposedly private information, but the security is so lax that it may be compromised with little effort using commonly available resources. Additionally, the information is shared among government agencies, further increasing the potential damage to citizens in the case of a security breach.
Based on our evaluation of the website, we have serious concerns over the security of the website and the ability to protect information. This document will explain our approach, what was identified, and the future roadmap to ensuring that the website and its integration into multiple agencies can be successful and secure.
TrustedSec went on to explain,
…we are confident that the security around the application was not appropriately tested prior to release, that the safeguards to protect sensitive information are not in place, and that there are and will continue to be for a significant amount of time serious security concerns with the website unless direct action is taken to address these concerns.