For the second time in less than a week, Center for Medicare and Medicaid Services Deputy Chief IT Director Henry Chao heads to Capitol Hill. Chao will face tough questions about whether he and his staff took enough steps to ensure that HealthCare.gov -- the website where Americans can purchase insurance -- is secure.
While CMS works to improve the site so consumers can enroll, IT security analysts say it may be better if consumers stay away. Last month, Ben Simo, a professional software tester, tried to enroll his granddaughter in an insurance plan on the site. As the glitches mounted, Simo, the former president of the Association of Software Testing, started poking around. He found it was relatively simple to obtain a person’s name and email address -- a field day for a hacker.
“Armed with that information, someone could potentially engage in phishing to trick someone into giving them access to their account,” says Simo. He alerted federal authorities of the security risk.
Over the last month, IT health officials have begun patching security problems within HealthCare.gov. But that’s no guarantee to consumers.
“If my mom asked, I think that the honest answer would be, I just don’t think we can know whether the site is safe,” says Matthew Prince, the CEO of CloudFlare, a company that works with federal agencies to help protect sensitive digital information. Prince says it’s possible to enhance HealthCare.gov protections, but says CMS must be transparent about its upgrades.
“We need to understand what is happening behind the scenes and how data is being secured,” he says.
“The privacy and security of consumers’ personal information are a top priority for us,” according to a CMS spokesperson. “When consumers fill out their online marketplace applications, they can trust that the information that they are providing is protected by stringent security standards.”