How hackers could hijack HealthCare.gov

President Obama may have tapped Jeff Zients, one of his economic advisers, and communications giant Verizon to start fixing the troubled HealthCare.gov, but a bigger problem may be on the horizon: hackers.

A Mother Jones article investigates how the site could be hacked, exposing users' Social Security numbers and other sensitive information. Based on interviews with several online security experts, the article finds the site has a coding problem that would let hackers "clickjack" it: hide malicious invisible links on a legitimate site.

"Using this scheme, hackers could trick users into giving up personal data as they enter it into the website, potentially placing Americans at risk of identity theft or allowing fraudsters to file bogus healthcare claims," the author writes. "And it's not just the federal exchange that has security problems: some 15 states [aren't using standard encryption], leaving user information at risk."

When users sign up for coverage under the Affordable Care Act online, they must enter personal information including name, Social Security number, email address, income, phone number, employer and information on their family members directly into the site.

Kyle Wilhoit, threat researcher at Trend Micro, a Japanese security software company, told Mother Jones that HealthCare.gov is at "moderate risk" for clickjacking, but said it's a relatively easy fix. He noted, though, that hackers could easily create fake identities, fake credit cards and fake accounts.
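The "relatively easy fix" Wilhoit refers to is a server-side one: a site tells browsers it must not be embedded in another page's frame, which is what a clickjacking overlay relies on. The check below is an added example, not code from HealthCare.gov, CMS or Mother Jones. It inspects a response's headers for the two real browser-honoured controls (`X-Frame-Options` and the `frame-ancestors` directive of `Content-Security-Policy`) and reports whether foreign framing is still possible; the sample responses are constructed for illustration, and `hardened_headers()` is the assumed minimal header set a site operator would add.

```python
"""Assess whether an HTTP response protects against clickjacking.

Added example (not HealthCare.gov's or Mother Jones's code). Header names
and values are the ones browsers honour; the sample responses below are
constructed, not captured from any real site.
"""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_ancestors_allows_framing(sources: List[str]) -> bool:
    """True if a frame-ancestors source list could let a foreign page frame this one."""
    if not sources:
        return True  # directive present but empty: treat as no restriction
    lowered = [s.lower().strip("'") for s in sources]
    if lowered == ["none"]:
        return False
    # "*" or a bare scheme such as "https:" permits any origin on that scheme
    if "*" in lowered or any(s in ("http:", "https:") for s in lowered):
        return True
    # 'self' or an explicit origin list: framing limited to those origins
    return False


def clickjacking_assessment(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify a response's framing protection.

    Returns {'protected': bool, 'reason': str}. Header names are matched
    case-insensitively, as HTTP requires. When CSP frame-ancestors is
    present, browsers ignore X-Frame-Options, so it is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        if "frame-ancestors" in policy:
            if frame_ancestors_allows_framing(policy["frame-ancestors"]):
                return {"protected": False,
                        "reason": "CSP frame-ancestors permits foreign framing"}
            return {"protected": True,
                    "reason": "CSP frame-ancestors restricts framing"}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": f"X-Frame-Options: {xfo}"}
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never widely supported and current browsers ignore it
        return {"protected": False,
                "reason": "X-Frame-Options ALLOW-FROM is not honoured by current browsers"}
    return {"protected": False, "reason": "no framing restriction header"}


def hardened_headers() -> Dict[str, str]:
    """Assumed minimal header set a site operator adds to forbid all framing."""
    return {
        "X-Frame-Options": "DENY",                       # legacy browsers
        "Content-Security-Policy": "frame-ancestors 'none'",  # modern browsers
    }


# Constructed sample responses for a form page that collects personal data.
UNPROTECTED = {"Content-Type": "text/html", "Set-Cookie": "session=abc; Secure"}
PROTECTED = {"Content-Type": "text/html",
             "X-Frame-Options": "DENY",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, clickjacking_assessment(hdrs))
```

The check only looks at response headers, so it is suitable for a routine scan of every page that renders a form; a page that falls into the "no framing restriction header" case is the one to fix first, and adding the two headers from `hardened_headers()` on the server closes it without touching the page's own code.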

When asked about clickjacking, the Department of Health and Human Services directed Mother Jones to a September statement from the Centers for Medicare and Medicaid Services about the controversial data hub, the most important piece of technology in the Affordable Care Act. The statement reads: "If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents."

This certainly isn't the first time HHS has addressed fears about the site and the data hub. In August, it was reported that security testing for the data hub was behind schedule. In July, Rep. Pat Meehan (R-Pa.) called for a one-year delay in the launch of the hub, arguing the potential for abuse and theft was "unprecedented."

Despite the real threat of clickjacking, user information is not permanently stored on the site. That's what the secure data hub is for.

"It is important to understand the hub is not a database. It does not retain or store information," CMS Administrator Marilyn Tavenner said in July, when CMS announced the hub had been completed.

To learn more:
- read the Mother Jones article
- look at the September statement from CMS