Michael Gregg, chief executive officer of the Houston information technology security assessment firm Superior Solutions Inc., recently appeared before the U.S. House Committee on Science, Space and Technology. He testified about possible vulnerabilities to healthcare.gov, the website for the federal health insurance marketplace.
With more than 20 years of experience in cybersecurity, Gregg's clients have included Fortune 500 companies, banks and government agencies. He talked with Houston Chronicle reporter Lora Hines about his experience, testimony and concerns about healthcare.gov. The following are edited excerpts:
Q: What concerns you about healthcare.gov?
A: Any time you build something very quickly, you have problems as far as building security in. We have kind of a tendency to go with security or usability. They are many times diametrically opposed, meaning you have very strong security, but then the usability drops off. Or you have very good usability, but then the security is not as strong. My concern really was with something set up that quickly and had that many problems as far as usability. Then they went through and made changes to get the site running and add more servers and more systems. I'd be very hard-pressed to believe that the adequate security controls were put in place.
Q: How could healthcare.gov consumers potentially be harmed?
A: It would be the type of information that they pass through there -- your name, demographic information, how many kids you have, how much money you make, Social Security number. That would give me enough to go out and get a car loan. That would give me enough to go out and potentially get credit under your name. (An identity thief) could go out and get health care under your name. A (health care identity) breach in many ways is much harder to clean up than just a credit card problem, because it involves health care information (privacy laws).
Q: How often could hackers hit healthcare.gov to find vulnerabilities?
A: One of the arguments during the (committee) hearing was no breach has occurred yet. Most sites are getting hit hundreds of times a day to see what types of vulnerabilities or types of problems are there. To say there are only 16 or 30 or 40 (hits), that's a very low number, which means either they're not monitoring, they're not monitoring correctly or what they're monitoring for has not been correctly (programmed).
Q: What other healthcare.gov concerns did you discuss?
A: How the information is passed on the back end to the insurance companies. This data is basically your name, other information, and it's passed from the site and back. It's what the insurer actually gets to determine your policy, other types of information, once you enroll. There's a percentage of that information that's gone back that's tainted or corrupt. The insurance company and also (the Department of) Health and Human Services are having to manually tweak or look at these records. If you have good input data, you should have good process data. You should have good output data. If data is corrupt at any one point, something is wrong or something is broken. Any time something is wrong or broken, that's the same thing the attacker is going after.
Q: What can healthcare.gov consumers do to protect themselves?
A: There's not a lot you can do. If you use the service, you're at risk.
Q: What effect do you think your testimony will have?
A: I hope a positive impact. People are more aware. A big piece of (protecting information) is awareness and education.
©2014 the Houston Chronicle