Cyber security experts are prepared to slam government officials over the embattled Obamacare website during today's Department of Health and Human Services (HHS) hearing on its "own security concerns about healthcare.gov," citing vulnerabilities they think make the site easy to hack. 

David Kennedy, the head of security consulting firm TrustedSec, told Reuters that he and others identified 20 weak points on healthcare.gov that the government has not yet resolved, even though the warning was issued months ago. According to Kennedy, the problems with the site make it susceptible to a number of security breaches. Users could see their personal information stolen by thieves, their data modified or their personal computers attacked. Hackers could also mess with the site's already fragile infrastructure.

In November, Kennedy testified with three other experts on the site's security during a Science Committee Hearing. Three out of the four witnesses said the site was so vulnerable to attack that it should be shut down. 

Kennedy has conducted "passive analysis" of healthcare.gov — which means he didn't hack into the site himself to conclude that it would be easy to steal user information. Reuters reports:

One security flaw that Kennedy first uncovered and reported to the government in October exposes information including a user's full name and email address. He said he wrote a short computer program in five minutes that automatically collects that data, which was able to import some 70,000 records in about four minutes. He said the information was accessible via the Internet and he did not have to hack the site to get it. He declined to elaborate.

Still, some say that experts who have not hacked into the site are all just speculating on security concerns. 

The cyber security weaknesses are likely to be the second embarrassment for healthcare.gov this week. The government launched a Spanish-language version of the site, CuidadoDeSalud.gov, in December of last year — months after healthcare.gov — and the Associated Press reported on Sunday that users are not pleased with the "Spanglish" site:

A Web page with Spanish instructions linked users to an English form. And the translations were so clunky and full of grammatical mistakes that critics say they must have been computer-generated — the name of the site itself can literally be read "for the caution of health." "When you get into the details of the plans, it's not all written in Spanish. It's written in Spanglish, so we end up having to translate it for them," said Adrian Madriz, a health care navigator who helps with enrollment in Miami.

According to the AP, the awkward site has likely discouraged Spanish speakers from signing up for health care. A New Mexico Spanish professor said that the site reads as a computer-generated translation of the English:

"There are problems with the verbs and word order that make sentences hard to understand," said Plaza, who helped develop an audio version to help residents in New Mexico sign up. "Sometimes," she added, "it's just the terms they use." The website translates "premium" into "prima," but that Spanish word is more commonly used to mean a female cousin, Plaza said. A more accurate translation, she said, would be "cuotas," "cuota mensual" or "costo anual."

One woman reported calling the Spanish-language healthcare hotline after signing up online proved too complicated. She was told to call back because the site was down, but never got hold of a service representative. "I've spent at least one week on the phone, and I couldn't get it done," she told the AP through a translator. Various states have reported few registrations through the Spanish-language site. In California, where roughly 4.3 million residents speak only Spanish, only up to 5,500 people signed up for Obamacare in October and November.

Between security and language problems, the healthcare.gov re-rollout is disappointing, and makes us wonder when — if ever — the government will get the Affordable Care Act snags worked out.

Update: The HHS's Centers for Medicare and Medicaid Services (CMS) reached out to The Wire with a statement in response to the analysis of healthcare.gov by Kennedy of TrustedSec. They write:

Because this individual had no direct access to the operations of the healthcare.gov website, the information in the report is based on assumptions, not direct knowledge of the website. To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site. Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information. The security of the system is also monitored by sensors and other tools to deter and prevent any unauthorized access such as regular penetration testing and continuous monitoring of computer systems. As part of the ongoing testing process, and in line with federal and industry standards, any open risk findings are being appropriately addressed with risk mitigation strategies and compensating controls. There are currently no open high risk findings for the FFM.

CMS also offered a statement on the Spanish-language site, noting: 

Terminology is standardized using a CMS-produced translation “glossary” of terms. These terms are based on accepted industry standards, feedback and recommendations from advocacy organizations and other Federal partners, consumer feedback (both unsolicited and through targeted research), and consistency with other Federal products.

As an example, “prima” has long been the Spanish term used for all Spanish materials and web content for Medicare beneficiaries.

They add: 

We do not use automated translations.

See their full statement below:

CMS Statement on TrustedSec:

CMS takes seriously any legitimate concerns about the security of the website. We have a robust system in place to quickly investigate and address any potential vulnerabilities. We respond appropriately to anyone who contacts us with information about potential vulnerabilities or incidents. Because this individual had no direct access to the operations of the healthcare.gov website, the information in the report is based on assumptions, not direct knowledge of the website.

To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site. Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information. The security of the system is also monitored by sensors and other tools to deter and prevent any unauthorized access such as regular penetration testing and continuous monitoring of computer systems. As part of the ongoing testing process, and in line with federal and industry standards, any open risk findings are being appropriately addressed with risk mitigation strategies and compensating controls. There are currently no open high risk findings for the FFM.

The components of the HealthCare.gov website that are operational have been determined to be compliant with the Federal Information Security Management Act (FISMA), based on standards promulgated by the National Institute of Standards and Technology (NIST) and promulgated through the Office of Management and Budget (OMB).

Background from CMS officials:

The report includes the following disclosure statement: “Information contained in this report was obtained through passive analysis of readily available information. Under no circumstance did TrustedSec conduct any type of “hacking” efforts or attempt to exploit any weaknesses in the healthcare.gov web site.”

Background from CMS officials on Spanish language website:

· Terminology is standardized using a CMS-produced translation “glossary” of terms. These terms are based on accepted industry standards, feedback and recommendations from advocacy organizations and other Federal partners, consumer feedback (both unsolicited and through targeted research), and consistency with other Federal products.

· As an example, “prima” has long been the Spanish term used for all Spanish materials and web content for Medicare beneficiaries. Based on studies and the Spanish Dictionary of the Real Academia Española (www.rae.es), it is used to explain premium (an amount of money given first or an amount of money given to stimulate operations in addition to a standard price or rate; it is also known as an amount that the insured pays the insurer). The word has proven to be better understood by the majority of Hispanics. It is also used by other federal agencies (SSA, IRS) and we aim for consistency. Univision also uses “prima” in its Marketplace glossary (attached).

· On CDS.gov, where we must link to information that isn’t available yet in Spanish, such as the anonymous shopping tool, we always include an “en inglés” identifier to alert users that the language is changing.

· In some areas that display content generated by a database that uses content health plans enter about their plans, there is an unavoidable mix of Spanish and English content. Health insurers are not required to supply their plan information in Spanish and the Plan Comparison tool on CuidadodeSalud.gov can display only the plan information that is available in the database.

· In every language, there are different opinions about terminology and word choice. We are committed to ongoing improvements in our content when they increase understandability. Sometimes, as with any website or other product, there are typos or errors – when we become aware of them and confirm them, we work to get them corrected.

· The translation of CuidadodeSalud.gov is a collaboration between several in-house translators and employees of contracted translation companies. We do not use automated translations.