How does one do a report on an important commerce-related web site without mentioning serious known security problems which are so bad that respected IT experts warn that it shouldn't be used? Ask Kate Pickert at Time's Swampland blog and Kelli Kennedy at the Associated Press, because that's exactly what they did.
Pickert and Kennedy reviewed the new and not much improved HealthCare.gov on December 2 and 3, respectively. No variation of the word "security" is in either writeup. Both reports ignore the fact that IT experts are absolutely appalled at the site's lack of security.
Here are the first six paragraphs from an astonishing November 25 CNBC report (bolds are mine throughout this post) by Matthew J. Belvedere:
No security ever built into Obamacare site: Hacker
It could take a year to secure the risk of "high exposures" of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday.
"When you develop a website, you develop it with security in mind. And it doesn't appear to have happened this time," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.
"It's really hard to go back and fix the security around it because security wasn't built into it," said Kennedy, chief executive of TrustedSec. "We're talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself."
According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by Federal security authorities.
"The privacy and security of consumers' personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers' personal information," said the spokesperson.
Another online security expert—who spoke at last week's House hearing and then on CNBC—said the federal Obamacare website needs to be shut down and rebuilt from scratch. Morgan Wright, CEO of Crowd Sourced Investigations, said: "There's not a plan to fix this that meets the sniff test of being reasonable."
Then there's this from Elizabeth Harrington today at the Washington Free Beacon, wherein Kennedy claims that things are worse now than they were on the first day of the site's rollout:
Expert: Healthcare.gov Security Risks Even Worse After ‘Fix’
The Obamacare insurance marketplace is even more vulnerable to security breaches since the administration “fixed” Healthcare.gov, according to a cyber security expert.
... After warning Americans when testifying before Congress on Nov. 19 to stay away from Healthcare.gov, Kennedy now says the situation is even worse.
“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.”
“I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress,” Kennedy said. “I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term.”
So as IT experts are telling people not to use the site, reporters at Time and the AP "review" the situation and fail to even recognize those experts' existence.
They are outdone in their negligence only by the government itself.
Cross-posted at BizzyBlog.com.