Tuesday, December 3, 2013

If you like your identity, you can keep it

More red flags from security experts about Obama's signature health care website:

Quote:

“It doesn’t appear that any security fixes were done at all,” David Kennedy, CEO of the online security firm TrustedSec, told the Washington Free Beacon.



Kennedy said fundamental safeguards missing from Healthcare.gov that were identified by his company more than a month ago have yet to be put in place.



“There are a number of security concerns already with the website, and that’s without even actually hacking the site, that’s just a purely passive analysis of [it],” he said. “We found a number of critical exposures that were around sensitive information, the ability to hack into the site, things like that. We reported those issues and none of those appear to have been addressed at all.”



After warning Americans when testifying before Congress on Nov. 19 to stay away from Healthcare.gov, Kennedy now says the situation is even worse.



...



“I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress,” Kennedy said. “I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term.”



...



Kennedy said the team working on Healthcare.gov is more likely to hide its security flaws than address them. When it was revealed that the most popular searches on the website were hack attempts—confirmed by entering a semicolon in the search bar—the website simply removed the tool.



“The top results were hacker attempts,” Kennedy said. “Their fix for it wasn’t, ‘Hey let’s restrict people from inputting malicious code into the website,’—because that’s how hackers break into websites—it was, ‘we’re just going to completely disable that entire function completely, and not even show the search results back.’”



Hopefully Congress will act with oversight legislation that (at minimum):

- requires overnight-mail notification of every participant whose personal information has been compromised, is suspected of being compromised, or is at risk of compromise;

- requires 24-hour notification of the oversight committee of any data compromise, suspected compromise, or at-risk data;

- requires notification of every individual member of Congress, with the same disclosure for that member's constituents;

- requires 30-day certification by the HHS Secretary to Congress regarding data security, including disclosure of breaches, suspected breaches, at-risk data, and any notification from outside sources of security risks, together with the chain of custody for those notifications and the completion of notification requirements;

- criminalizes obfuscation, alteration, or withholding of required notifications;

- prevents the IRS from collecting health care tax penalties for any year in which a security breach exists.





via JREF Forum http://forums.randi.org/showthread.php?t=269686&goto=newpost
