Healthcare.gov Blasted for Security Flaws

An outside analysis of the site by security experts identified several significant issues which leave it vulnerable to a breach.

Security experts weighed in recently on Healthcare.gov and basically blasted the site's dismal lack of security. In a report presented to Congress on Thursday, Ed Skoudis, founder of Counter Hack, said that the site is a "breach waiting to happen," if it hasn't already. "These are exactly the kind of security flaws bad guys exploit in large-scale breaches," said Skoudis in the report.

"The findings disclose a wide range of issues that could cause serious harm to both healthcare.gov as well as any individual using the application," wrote Kevin Johnson of Secure Ideas. "These flaws are not even complex problems that would require advanced security knowledge to detect. Instead, they are issues that are detected with simple, standard techniques, of which any developer or QA professional should be aware."

Lares Consulting staff said the site contained numerous flaws that fail to meet the "bare minimum requirements" of the Open Web Application Security Project (OWASP) Top Ten, including: Injection, Broken Authentication and Session Management, Security Misconfigurations, Sensitive Data Exposure, Missing Function Level Access Control, Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

David Kennedy of TrustedSec said that the security review was politically unbiased and based solely on security issues. In addition to Kennedy, Skoudis, Johnson and Lares, statements were included from security consultants Kevin Mitnick and John Strand, who had similar concerns as to the basic security of the site.

Wayne E. Hanson served as a writer and editor with e.Republic from 1989 to 2013, having worked for several business units including Government Technology magazine, the Center for Digital Government, Governing, and Digital Communities. Hanson was a juror from 1999 to 2004 with the Stockholm Challenge and Global Junior Challenge competitions in information technology and education.