Cyber security experts told Congress today that the Obama administration should take Healthcare.gov offline until privacy vulnerabilities are addressed and detection capabilities are improved.
David Kennedy, a so-called "white hat hacker" who hacks online systems to test their security and help identify weaknesses, warned that there are critical flaws and exposures "currently on the website that hackers could use to extract sensitive information."
"The purpose of security isn't to say, 'Hey, we're 100 percent impenetrable all the time,' but can we detect the hackers in the very early stages of the life cycle of the attack, monitor that, and prevent the attacks from happening. And none of those are clearly being done on the Healthcare.gov website," Kennedy said before the Science, Space and Technology Committee.
"Just by looking at the website, we can see that there is just fundamental security principles that are not being followed," he said.
Kennedy demonstrated how hackers are attempting to exploit the website's vulnerabilities to access personal information and testified that he believes the website has either already been subject to cyber attacks or will be hacked soon.
"We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords," he explained. "Anything that they do on their computer we now have full access to."
Three of the four witnesses agreed that the Obama administration should take the site offline in order to address the security flaws.
"If you're asking from a technology standpoint, it would be easier to start over again, lay a foundation of security and start from the beginning because security has to be the foundation of this site," said Morgan Wright, CEO of Crowd Sourced Investigations, LLC.
The one dissenting witness, Dr. Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University, called for a security review of the system "to establish whether there's a deep infrastructural problem" with the website.
Rep. Lamar Smith, chairman of the committee, said the "massive amount" of personal information collected by the website "creates a tempting target for scam artists," which he said reinforces his belief that the law should be repealed.
"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the Healthcare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals," said Smith, R-Texas.
"Perhaps it is time to take Obamacare off of life-support," Smith added.
Democrats on the committee, however, contend that the vulnerabilities are not unique to Healthcare.gov.
"The only way to avoid being vulnerable to such attacks is to not be connected to the Internet at all," said Rep. Eddie Bernice Johnson, D-Texas, though she conceded that is "not a reasonable option" for most government agencies, businesses or individuals.
After the hearing, Smith issued a statement calling on President Obama to immediately take down Healthcare.gov in order to ensure the safety and security of the personal data of Americans who have used the Obamacare website.
"President Obama has a responsibility to ensure that the personal and financial data collected as part of Obamacare is secure. It is clear that is not the case today," Smith stated. "Given the testimony we have heard today, there is only one reasonable course of action. Mr. President, take down this website."