Security concerns about HealthCare.gov are overblown, Democrats say | PCWorld
Security concerns raised by Republican critics of the U.S. Department of Health and Human
Services' botched rollout of HealthCare.gov have been overstated, according to a memo released
Friday by two Democratic members of Congress.
HHS officials, in a briefing to lawmakers this week, reported just 32 security incidents at
HealthCare.gov since its Oct. 1 launch, and "there have been no successful security attacks," said
the memo from Democratic Representatives Henry Waxman of California and Diana DeGette of
Colorado.
The briefing was "reassuring," the lawmakers wrote. "The security of Healthcare.gov has not been
breached, and hackers have had no access to personally identifiable information. HHS officials
indicated that they were conducting 24-7 system monitoring and ongoing assessments in order to
ensure and strengthen system security."
But it's concerning that HHS officials have found so few security incidents, said a spokeswoman for
Representative Mike Rogers, a Michigan Republican who has questioned the site's security.
Websites of comparable size to HealthCare.gov averaged more than 230 security incidents a day in
the past year, said spokeswoman Kelsey Knight.
The lack of reported security incidents "is more concerning to us," she said. "That report shows that
there's no system monitoring."
A cybersecurity expert has pointed out one security flaw at the site that could lead to phishing
exploits, said Knight, whose boss is chairman of the House Intelligence Committee.
Eleven of the 32 security events remained under investigation as of Wednesday, Waxman and
DeGette wrote in the memo.
Security investigators at HHS classified one of the remaining 21 events as an unsuccessful probe of
the site and two incidents as inappropriate use of the site in violation of acceptable use policies. One
of those two incidents was a denial-of-service attempt using malware called Destroy Obamacare, the
memo said. Obamacare is the common name for the 2010 Affordable Care Act, the health insurance
reform law that created HealthCare.gov.
Security investigators classified 15 of the incidents as unauthorized access, in which a website user
gained unauthorized access to information. Those cases "were isolated in nature" and generally
involved software bugs, the memo said. In one case that's been publicized, one user's personal
information was shared with another user, the memo said, but "none of these events involved a
significant breach of personal information."
In addition, security researchers ultimately decided that two other events were "nonincidents," the memo said.