MEDIA ADVISORY: HOW SECURE IS PERSONAL DATA ON HEALTHCARE.GOV?

Johns Hopkins Web Security Expert Available for Interviews

Avi Rubin, a Johns Hopkins professor of computer science and director of the university's Health and Medical Security Lab, testified this week before the House of Representatives Science, Space, and Technology Committee at a hearing titled, "Is Your Data on Healthcare.gov Secure?"

In a prepared statement submitted to the panel, Rubin said, "HealthCare.gov does not collect nor store electronic medical records, but it does collect whatever personal information is needed for enrollment. This information, in the wrong hands, could potentially be used for identity theft attacks."

He expressed concern that adequate security measures might not have been incorporated into the site from the beginning. "One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards," he said. But he added, "In practice, systems require some post-production 'bolting on' of security features and retrofitting security solutions despite any efforts to build security in at the outset. Ongoing vigilance and response are needed to properly maintain a secure Web installation."

Rubin said he has been following news reports of the HealthCare.gov rollout. "As far as I can tell, so far all of the security problems that have been publicized were easy to fix and have been remedied," he said. "Assessing whether there are any deep, architectural security flaws will require an in-depth design review by security specialists."

Rubin offered six recommendations for ensuring the security of HealthCare.gov:

- Outside, independent experts should review the security of the system annually, including design review, code review and red team exercises.
- Security reviews should focus on the interfaces among the components and across systems.
- User authentication mechanisms should be reviewed, and two-factor authentication should be employed wherever practical.
- Security reviews should check for known standard vulnerabilities such as SQL injection attacks, sanitization of user inputs, Cross Site Scripting vulnerabilities, and other standard checks.
- Data at rest should be encrypted, and keys should be cleared from memory when they are not in use.
- Mandatory incident reporting should be implemented, even of suspected and unconfirmed incidents, and contingency plans should be designed for conceivable scenarios.

Rubin's prepared testimony is posted on a committee website.

(Rubin emphasized that his testimony reflected his own opinions and does not necessarily reflect the views of The Johns Hopkins University.)

Rubin is technical director of the Information Security Institute at Johns Hopkins. He also is a former Fulbright Scholar. Before coming to Johns Hopkins almost 11 years ago, he spent nine years working in a Bell systems research lab on projects such as Web security, data privacy and general IT security. He is author or co-author of five books on these topics.

To interview Professor Rubin, please contact Phil Sneiderman.