The HealthCare.gov website already has a notorious history. The site's launch last fall was marred by crashes, and it took months before the service was easy to access for most users. Now it might have hit another hiccup: government hackers found a few critical vulnerabilities in the site that could allow criminals to break in and steal important information like Social Security numbers.
The "white hat" hackers are good guys working for the Department of Health and Human Services' inspector general. The Department has since released a report detailing its findings. The government is lucky they found the problem before the bad guy hackers did. Otherwise, we could be facing an even worse situation right now.
Earlier this year, the government's hacking team mimicked techniques other hackers would use to see if HealthCare.gov was vulnerable to attack.
"Scanners simulate an outside malicious attack on the system and may identify ... vulnerabilities that could put a system's security at risk," the report explained. "Scanners use the same techniques as hackers, so the scanners test the security from an outside perspective."
HealthCare.gov runs the healthcare exchange for 36 states, with the other 14 states operating their own. The inspector general also tested New Mexico's and Kentucky's sites, with mixed results. The Kentucky site had some weaknesses, but it did a good overall job protecting information. The New Mexico site, on the other hand, had 64 vulnerabilities.
What they found on HealthCare.gov raises some serious questions about the security of the site. It wasn't all bad, though. The report also states that HealthCare.gov's security features did a few things right.
HealthCare.gov's security checkup
The inspector general's hackers found that the government has taken some steps to make sure HealthCare.gov is safe, but it needs to do more. One particular weak spot is the site's encryption technology. Its current encryption doesn't even meet government standards.
In its formal response, the administration said it has taken other actions to resolve the encryption issue.
The hackers also found a security flaw labeled "critical" in the report that could let a hacker "take over the system and execute commands, or download and modify information." But this is where HealthCare.gov's defenses stepped up. When the hackers tried to move on to the next step of the hack, the site's security blocked them.
The report also listed two additional "critical" vulnerabilities related to databases that support HealthCare.gov, but it didn't give any further details about them.
Until the government fixes all of these errors, there's no guarantee your information is secure when using the site. In the event of a real HealthCare.gov hack, make sure you're protected.