Last October, John McAfee, founder of McAfee, Inc., said that the Obamacare website would be a “hacker’s wet dream.” Well, not only did he turn out to be right, but the news comes just before Christmas. Forbes’ Avik Roy noted the lack of security last August, but it’s starting to look as if no security was ever built into the site.
How vulnerable is healthcare.gov? Well, it’s going to take at least a year to make sure your sensitive information is protected. Oh yes, government efficiency at its finest ladies and gentleman.
As reported by CNBC on November 25:
It could take a year to secure the risk of “high exposures” of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday.
“When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” said David Kennedy, a so-called “white hat” hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.
“It’s really hard to go back and fix the security around it because security wasn’t built into it,” said Kennedy, chief executive of TrustedSec. “We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.”
According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by Federal security authorities.
“The privacy and security of consumers’ personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” said the spokesperson.
[...]
But on CNBC, Kennedy disputed those claims, saying vulnerabilities remain on “everything from hacking someone’s computer so when you visit the website it actually tries to hack your computer back, all the way to being able to extract email addresses, users names—first name, last name—[and] locations.”
[...]
“When you look at the site itself, it could be really good. It could do really well. They’re just not building the security into the site itself,” said Kennedy. “Putting your information on there is definitely a risk.”