WASHINGTON — The government’s own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability — but also came away with respect for some of the health insurance site’s security features.
Those are among the conclusions of a report released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud.
The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15.
So-called “white hat” or ethical hackers from the inspector general’s office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system’s defenses.
HealthCare.gov had some advance warning of the hacking attempt — a date range, but not specific times. HHS spokesman Kevin Griffis said the agency did not take additional precautions during that period.
The report came on the heels of the massive breach at Home Depot stores, which affected 56 million credit and debit cards. The inspector general’s office released a public version that summarizes detailed findings delivered to the Obama administration.
It concludes that more work needs to be done to bolster security. Last week, the congressional Government Accountability Office released similar conclusions after its own review.
The inspector general found that the administration “has taken actions to lower the security risks associated with HealthCare.gov systems” and consumers’ personal information.
But the auditors said they “remain concerned” about the use of encryption technology that is not certified to meet certain government standards. Encryption refers to the encoding of data traveling back and forth between consumers and HealthCare.gov to make it more secure.
In its formal response, the administration said it has taken other actions to resolve the encryption issue.
The inspector general’s office tried to break into HealthCare.gov in April and May. Experts used a technique called “vulnerability scanning” and also conducted simulated attacks.
“Scanners simulate an outside malicious attack on the system and may identify … vulnerabilities that could put a system’s security at risk,” the report explained. “Scanners use the same techniques as hackers, so the scanners test the security from an outside perspective.”
HHS itself also runs similar scans regularly, part of its own security program.
The hackers from the inspector general’s office found one “critical” vulnerability, described as a flaw that would let an attacker take over the system and execute commands, or download and modify information.
But the office said that when its “white-hat” experts attempted to mimic what a malicious hacker might try next, they were blocked by the system’s defenses.
Separately, the review also found two critical vulnerabilities in databases that support the website.
Specific descriptions of the flaws were not released, but apparently none has been exploited by hackers.
HealthCare.gov serves 36 states, while the remaining states run their own enrollment websites.
The federal site had numerous technical problems when it was launched last fall and for weeks it was unworkable for most consumers.
At the time, technical experts within HHS were concerned that full security testing could not be completed because the system was undergoing so many last-minute changes. Nonetheless, Medicare administrator Marilyn Tavenner issued a six-month security authorization for the site, keyed to an action plan for reducing risks.
HealthCare.gov was hacked this summer, but the administration said no consumer information was stolen. Instead, hackers installed malicious software that could have been used to launch an attack on other websites.
“We have not had any malicious attacks on the site that have resulted in personal identification being stolen,” Tavenner told Congress last week.
The inspector general’s office also probed security for two state-run health care websites, the Kentucky exchange and New Mexico’s small-business portal.
It found that Kentucky, seen as a national model, sufficiently protected consumers’ personal information. But there were some weaknesses in who had access to the system.
“White-hat” hacking of New Mexico’s site revealed 64 vulnerabilities.
The office said it will keep monitoring security on HealthCare.gov and state sites.