How to hack Healthcare.gov? Just ask cyber security professional and “white hat hacker” David Kennedy.
Low enrollment might be a blessing in disguise for the Obama administration after it was announced that the Affordable Care Act’s website, healthcare.gov, has flawed security and puts users at high risk for having their data stolen by hackers.
According to ABC News, Internet security professionals met with Congress Nov. 19 to present their security findings and warned that, in its current state, healthcare.gov should be taken offline until it’s free of security flaws.
“Just by looking at the website, we can see that there is just fundamental security principles that are not being followed,” Kennedy said.
Kennedy, a “white hat hacker,” said that he believes that healthcare.gov has already been subjected to hacking, or it will soon.
And once a hacker is in, you’re toast.
“We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords,” he explained. “Anything that they do on their computer we now have full access to.”
When security concerns were raised last month, Health and Human Services released a statement: “When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”
Explain that to Lisa Martinson, a St. Louis resident who registered on healthcare.gov and, according to St. Louis TV channel 4, had her personal information compromised.
Martinson called customer service after she couldn’t remember her password. There, she was told that three other unknown individuals also gained access to her information.
“I just want my information that’s on there right now to be gone – right now – and nobody can do that,” Martinson told Channel 4.
Rep. Lamar Smith, chairman of the Science, Space and Technology Committee, which is where the security professionals presented, said that the Obama administration has the responsibility to make sure citizens’ data inputted on healthcare.gov is secure, and if that’s not the case, the Affordable Care Act should be repealed.
“Perhaps it is time to take Obamacare off of life-support,” Smith added.
An image posted to Twitter showed a screenshot of healthcare.gov with an auto-complete box next to the page’s search function. In the image, after a user typed a semicolon, the website would suggest its most popular search terms, which just so happen to be SQL injection strings. SQL injection, which is something any wanna-be hacker could attempt, uses input such as a search query to slip database commands into the SQL statement the site runs, which can modify the attached databases.
Typically, a web developer programs a page so that SQL typed into a search box is handled as plain text and never run by the database.
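The difference between a search page that accepts SQL in its input and one that does not, shown as an added example that is not from the original article or from healthcare.gov's code. The table, function names and search terms are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed sample input: a search term that closes the quoted string early.
CONSTRUCTED_TERM = "x' OR '1' LIKE '1"

def make_db():
    """In-memory table of constructed sample pages; one row is not public."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (title TEXT, is_public INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?)", [
        ("Get coverage", 1),
        ("Coverage for small business", 1),
        ("Internal admin notes", 0),
    ])
    return db

def search_concatenated(db, term):
    """Weak form: the term is pasted into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    sql = ("SELECT title FROM pages WHERE is_public = 1 "
           "AND title LIKE '%" + term + "%' ORDER BY title")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    """Hardened form: the SQL text is fixed and the term is bound as a value."""
    sql = ("SELECT title FROM pages WHERE is_public = 1 "
           "AND title LIKE ? ORDER BY title")
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def raises_sql_error(search, db, term):
    """True if the search function makes the database reject the statement."""
    try:
        search(db, term)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for term in ("coverage", "children's", CONSTRUCTED_TERM):
        print(repr(term), "->", search_parameterized(db, term))
```

The concatenated form also fails on harmless input such as a search for children's, because the apostrophe ends the quoted string; the parameterized form handles it as ordinary text.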
According to the security professionals who appeared before Congress, healthcare.gov needs some time offline to build the necessary infrastructure to secure users’ data. The four men agreed that Nov. 30 was an unrealistic deadline.
“We can protect against hackers and we owe it to Americans to protect this infrastructure and data that’s on it. It’s our personal information, not the government’s,” said Kennedy on Fox News after his testimony.