Cybersecurity researchers slammed HealthCare.gov's security during a House hearing on Thursday, saying the site is still riddled with problems that could put consumers' sensitive health details at risk.
“The reason we’re concluding that this is so shockingly bad is that the issues across the site are so varied,” David Kennedy, founder of the information security firm TrustedSec, told NBC News. “You don’t even have to hack into the system to see big issues – which means there are [major problems] underneath.”
Kennedy was the first of a group of so-called "white-hat hackers" who testified before the House of Representatives Science Committee on Thursday. He previously testified on November 19, when he said he was able to identify 18 major issues with the site – without even hacking into it.
“Nothing’s really changed since our November 19 testimony,” Kennedy said during the hearing. “In fact, it’s worse.”
Only half of one of those 18 issues on HealthCare.gov has been fixed since that November meeting, Kennedy said, and he has since learned of more problems with the site. A separate House Oversight committee hearing held Thursday included testimony from government officials including Teresa Fryer, the chief information officer of the Centers for Medicare and Medicare Services (CMS), which manages HealthCare.gov.
According to Fryer, HealthCare.gov passed a “security control assessment” on December 18 with “no open high findings.” But she and the other officials faced a grilling from the panel about why more tests were not completed earlier, and why warnings about the site’s launch were not heeded.
‘Critical or high-risk findings’
At the Science Committee hearing, TrustedSec’s Kennedy said he isn’t disclosing the specifics of how those vulnerabilities work, as they are active issues that hackers could exploit. But Kennedy did cite issues including the disclosure of user profiles, as well as the ability to access eligibility reports without appropriate credentials.
“Some issues still include critical or high-risk findings to personal information,” Kennedy said in his written testimony. He also submitted statements from seven other security researchers who expressed serious concerns.
CMS released a separate statement Thursday in response to Kennedy’s report, insisting the agency takes security concerns seriously and has a “robust system in place” to address potential issues.
“To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site,” CMS said in the statement, adding that it continually conducts security testing on the site.
The Science Committee, which is chaired by Rep. Lamar Smith (R-Tex.), also heard testimony from Michael Gregg, the CEO of security consulting firm Superior Solutions.
Gregg discussed concerns about Healthcare.gov “going up fast,” comparing the process with those of private companies like Microsoft that roll out products. He also warned HealthCare.gov contains a data goldmine.
“Hacking today is big business,” Gregg told the committee.
When questioned by the panel, Gregg and Kennedy both said they would not put their personal information on HealthCare.gov.
The third of the three cybersecurity researchers on the panel disagreed. Waylon Krush, CEO of the security firm Lunarline, said he would put his information on the site.
Lunarline has worked with federal clients, and Krush used his written testimony to lay out the six-step process that federal information systems use to mitigate risk.
He also criticized Kennedy and Gregg for engaging in what he called speculation, pointing out that “no one at this table” was involved in the setup and management of HealthCare.gov.
“Just as security critics lack the hands on knowledge necessary to make dramatic claims … I cannot claim to understand all of Healthcare.gov's security intricacies,” Krush said in his written testimony.
Gregg argued that a third party should be assigned to do just that: plumb the depths of the site and figure out a way to fix the problems through “an independent assessment.”
‘A house on a bad foundation’
Another security researcher, who was not a part of the committee hearing, was not as optimistic.
“If you build a house on a bad foundation and it’s sinking into a swamp, it’s really hard to pick up the house and rebuild the foundation,” said Alex McGeorge, a senior security researcher at Immunity Inc. Companies hire Immunity to hack into their own systems and show vulnerabilities.
“Security isn’t a bolt-on,” McGeorge said. “It’s not easy to retrofit once you have a system up and running.”
This week the Obama Administration booted the original IT contractor, CGI Federal, that managed Healthcare.gov. CGI Federal’s contract will not be renewed in February, and Accenture will take over instead.
“From a security standpoint, one of the things that’s so interesting about this site is that it’s so dynamic -- and it’s changing quickly,” McGeorge said. “You’ve got so many hands in the pot.”
Unfortunately, “that is the exact opposite of how you create a secure site,” McGeorge said.
There’s also an upside to the ever-changing nature of Healthcare.gov and its stewards: When the site is constantly shifting, it’s tougher for hackers to exploit vulnerabilities they found previously.
“It’s harder to hit a moving target,” McGeorge said. “But a moving target also makes more mistakes.”
NBC News’ Katie Wall contributed to this report.
Julianne Pepitone is a senior technology writer for NBC News Digital. Previously she was a staff writer at CNNMoney, where she covered large tech companies including Apple and Google, as well as the intersection of tech and media. Follow Julianne on Twitter at @julpepitone or email her at julianne.pepitone@nbcuni.com.