(NBC) - Cybersecurity researchers slammed HealthCare.gov's security during a House hearing on Thursday morning, saying the site is still riddled with problems that could put consumers' sensitive health details at risk.
“The reason we’re concluding that this is so shockingly bad is that the issues across the site are so varied,” David Kennedy, founder of the information security firm TrustedSec, told NBCNews.com. “You don’t even have to hack into the system to see big issues – which means there are [major problems] underneath.”
Kennedy was the first of a group of so-called "white-hat hackers" who testified before the House Science Committee on Thursday. He previously appeared before the committee on November 19, when he said he was able to identify 18 major issues with the site – without even hacking into it.
“Nothing’s really changed since our November 19 testimony,” Kennedy said during the hearing. “In fact, it’s worse.”
Only half of one of those 18 issues on HealthCare.gov has been fixed since that November meeting, Kennedy said, and he has since learned of more problems with the site. A separate House Oversight committee hearing began Thursday morning with testimony expected from the Department of Health and Human Service's chief information security officer.
TrustedSec isn’t disclosing the specifics of how those vulnerabilities work, as they are active issues that hackers could exploit. But Kennedy did cite issues including the disclosure of user profiles and the “ability to access anyone’s eligibility report on the website without the need for any authentication or authorization.”
“Some issues still include critical or high-risk findings to personal information or risk of loss of confidentiality or integrity of the infrastructure itself,” Kennedy said in his written testimony. He also submitted statements from seven other security researchers who expressed serious concerns.
The committee, which is chaired by Lamar Smith (R-Tex.), also heard testimony from Michael Gregg, the CEO of security consulting firm Superior Solutions.
Gregg discussed concerns about Healthcare.gov “going up fast,” comparing the process with those of private companies like Microsoft, which roll out products in waves and spend a lot of time testing them. Healthcare.gov didn’t follow that type of process, he said, and the data it contains is a goldmine.
“Hacking today is big business,” Gregg told the committee. “It’s no longer the lone hacker in the basement.”
It’s possible to fix the problems, Gregg said, but he stressed the need for “an independent assessment of the site.”
Another security researcher, who was not a part of the committee hearing, was not as optimistic.
“If you build a house on a bad foundation and it’s sinking into a swamp, it’s really hard to pick up the house and rebuild the foundation,” said Alex McGeorge, a senior security researcher at Immunity Inc. Companies hire Immunity to hack into their own systems and show vulnerabilities.
“Security isn’t a bolt-on,” McGeorge said. “It’s not easy to retrofit once you have a system up and running.”
McGeorge agreed with Gregg’s assessment of Healthcare.gov as “hugely enticing to hackers,” however.
“They’re hawking [Healthcare.gov] as an insurance hub, the place where you can find everything – and that’s exactly why it’s so attractive to hackers,” McGeorge said. “You get into the site, and the fun doesn’t stop there.”
This week the Obama Administration booted the original IT contractor, CGI Federal , that managed Healthcare.gov. CGI Federal’s contract will not be renewed in February, and Accenture won the contract instead.
“From a security standpoint, one of the things that’s so interesting about this site is that it’s so dynamic -- and it’s changing quickly,” McGeorge said. “You’ve got so many hands in the pot.”
Unfortunately, “that is the exact opposite of how you create a secure site,” McGeorge said. When new developers come in to save the day, working quickly to fix issues,
There’s also an upside to the ever-changing nature of Healthcare.gov and its stewards: When the site is constantly shifting, it’s tougher for hackers to exploit vulnerabilities they found previously.
“It’s harder to hit a moving target,” McGeorge said. “But a moving target also makes more mistakes.
Written by Julianne Pepitone, NBC News