Site is still vulnerable today, watchdog says.
In addition to being essentially unusable when it launched last year, the Obamacare website was not secure then and remains vulnerable today, according to a government watchdog.
HealthCare.gov did not always require strong passwords, and developers lacked good security and privacy plans and did not perform adequate tests, the Government Accountability Office said in its latest report on the website and federal health insurance marketplace.
Additionally, access to the Internet should have been more restricted, software patches haven’t been consistently implemented and an administrative network wasn’t properly configured, the report said.
“While CMS has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them,” GAO said. “Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by HealthCare.gov and related systems.”
Security is a critical issue for HealthCare.gov, the report noted, because millions of consumers have submitted and will continue to submit personally identifiable information to the site, including employment and salary information.
Republican lawmakers suspected the site was insecure after its troubled launch last year, but the issue seemed to die down after the website was fixed and appeared to be working within two months. That was until earlier this month, when it was reported that a hacker had installed malware on a server used to conduct tests on code for HealthCare.gov.
No consumer information was compromised in the breach, but Republicans responded quickly with calls for additional hearings on the security of the site. While the reported breach was not dangerous, it’s unclear if it can be linked to general weaknesses that could be exploited to steal personal information.
Republicans, who were against Obamacare from the start, may be playing politics with cybersecurity, Democrats have alleged. “If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior Department of Homeland Security official told The Wall Street Journal, when it broke the breach story.
The House Oversight and Government Reform Committee planned a hearing Thursday on HealthCare.gov’s security and transparency, and the House Science, Space and Technology Committee expected Wednesday to compel former federal Chief Technology Officer Todd Park to testify on the site’s security.
The GAO report released yesterday was the public version of a limited official report circulated earlier this month.