November 20, 2013
MEDIA CONTACT: Phil Sneiderman
Office: 443-997-9907; Cell: 410-299-7462
Avi Rubin, a Johns Hopkins professor of computer science and director of the university’s Health and Medical Security Lab, testified Nov. 19 before the U.S. House Committee on Science, Space, and Technology at a hearing titled, “Is Your Data on Healthcare.gov Secure?”
In a prepared statement submitted to the panel, Rubin said, “HealthCare.gov does not collect nor store Electronic Medical Records, but it does collect whatever personal information is needed for enrollment. This information, in the wrong hands, could potentially be used for identity theft attacks.”
He expressed concern that adequate security measures were not incorporated into the site from the beginning. “One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards,” he said. But he added, “In practice, systems require some post-production ‘bolting on’ of security features and retrofitting security solutions despite any efforts to build security in at the outset. Ongoing vigilance and response are needed to properly maintain a secure Web installation.”
Rubin said he has been following news reports of the HealthCare.gov rollout. “As far as I can tell, so far all of the security problems that have been publicized were easy to fix and have been remedied,” he said. “Assessing whether there are any deep, architectural security flaws will require an in-depth design review by security specialists.”
Rubin offered six recommendations for securing HealthCare.gov:
- Outside, independent experts should review the security of the system annually, including design review, code review and red team exercises.
- Security reviews should focus on the interfaces among the components and across systems.
- User authentication mechanisms should be reviewed, and two-factor authentication should be employed wherever practical.
- Security reviews should check for known standard vulnerabilities such as SQL injection attacks, sanitization of user inputs, Cross Site Scripting vulnerabilities, and other standard checks.
- Data at rest should be encrypted, and keys should be cleared from memory when they are not in use.
- Incident reporting should be mandatory, even for suspected and unconfirmed incidents, and contingency plans should be designed for conceivable scenarios.
Rubin’s prepared testimony has been posted on a congressional committee website here.
(Rubin emphasized that his testimony reflected his own opinions and did not necessarily reflect the views of The Johns Hopkins University.)
Rubin is technical director of the university’s Information Security Institute. He also is a former Fulbright Scholar. Before coming to Johns Hopkins almost 11 years ago, he spent nine years working in the Bell systems research lab on projects such as Web security, data privacy and general IT security. He is author or co-author of five books on these topics.
Avi Rubin’s website is here.
To interview Prof. Rubin, please contact Phil Sneiderman.
Johns Hopkins University news releases can be found online at http://releases.jhu.edu/. Information on automatic email delivery of science and medical news releases is available at the same address.