WASHINGTON (CBS NEWS/AP) – According to a report being released Tuesday, a critical vulnerability was found when the government’s own watchdogs tried to hack into HealthCare.gov earlier this year.
The report, conducted by the Health and Human Services Department inspector general who focuses on health care fraud, is a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for Americans.
CBS News reported that a weakness was found by the “white hat” or ethical hackers from the inspector general’s office. However, when they tried to exploit it like a malicious hacker would, they were blocked by the system’s defenses.
The public version of the report was condensed, and a heavily edited summary of detailed findings was delivered to the Obama administration.
To bolster security on the site, more work needs to be done, the report concluded. The congressional Government Accountability Office released similar conclusions after its own review last week.
This is the second independent security assessment in as many weeks to find problems.
CBS News reported that the inspector general found that the administration “has taken actions to lower the security risks associated with HealthCare.gov systems and consumer (personal information).”
However, auditors explained that they “remain concerned” about the use of encryption technology that is not certified to meet certain government standards.
In a formal response to the findings, the administration stated that it has taken other actions to resolve the encryption issue. Using a standard technique called “vulnerability scanning,” the inspector general’s office tried to break into HealthCare.gov in April and May.
“Scanners simulate an outside malicious attack on the system and may identify … vulnerabilities that could put a system’s security at risk,” the report explained. “Scanners use the same techniques as hackers, so the scanners test the security from an outside perspective.”
One “critical” vulnerability was found by hackers from the inspector general’s office during their security scans of the website. It was described as a flaw that could enable an attacker to take over the system and execute commands, or download and modify information. When the office’s technical experts tried what a malicious hacker might try next, the system’s defenses blocked the move.
Two other critical vulnerabilities in databases that support the website were also found. Specific descriptions of the flaws were not released, but apparently none has been exploited by hackers, CBS News reported.
“Not all vulnerabilities lead to security breaches,” the report said.
Last fall, the federal site had countless technical problems when it was launched, and for weeks it didn’t work for most consumers. The office said it will keep monitoring security on HealthCare.gov and state-operated sites.
Open enrollment season begins Nov. 15.