Even though it's not yet selling health plans, the Hawaii Health Connector is collecting personal information from people who fill out forms online. But how secure is the site at the center of it all?
KHON2 asked computer experts to look over the site with us, and what we found was surprising -- a website platform the industry considers entry-level, along with what they call some “amateur” mistakes that could have opened the site to real hacker risks.
The main site, and a second forms site, are built on what's called WordPress, a widespread platform.
"When we want cheap, simple websites done right away, it's a perfectly good system,” said computer expert Peter Kay. “But it's a little bit different when you're using it to manage a potentially multibillion-dollar, very confidential health care information system."
He and other programmers KHON2 spoke with found what they called some amateur mistakes. Default logins, which most programmers say they remove from an out-of-the-box WordPress install before or soon after launch, were still active -- including the login “ADMIN.” A staff member's personal user name also showed up. With the user names already known, an attacker is left guessing only the passwords.
“They’d launch a brute force attack or a dictionary attack,” Kay said. “You have a computer go through and keep hitting and keep guessing and guessing and guessing passwords. It wouldn't have been months, it would have been more like hours."
Right then and there, KHON2 called the Connector tech line to tell them what we found, so they could fix it before this story aired.
The Connector officials explained to us that they host two sites, one informational, and the other for their application forms.
“All personal information entered via our application forms is captured with encryption, submitted with encryption, and stored on secure and encrypted servers with no outbound internet capabilities,” said Rick Budar, chief marketing officer. “Simply stated, consumer information can enter our secure environment but cannot get out. Safeguarding consumer information is a top priority of the Connector.”
Security experts say the availability of those default and easy-to-guess logins, however, means encrypting the forms is no protection on its own: an attacker who controls the site that serves a form can change it before any data is entered or encrypted.
"If you have administrative access to a WordPress website, you could essentially install any kind of code you wanted,” Kay said. “You could install it between the form, you could install it so when the data gets submitted you could take a copy and send it to whoever you want to send it to, even though the form itself is getting submitted somewhere else."
Just this spring, hackers launched a widespread brute-force attack on WordPress websites that had left the default “admin” login enabled.
“There are millions of programmers worldwide who know about the security holes of WordPress,” Kay said, “so you can have a whole global community probing the site for security weaknesses.”
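The guessing described above (a known default user name plus a dictionary of passwords, whether from one machine or a global botnet) leaves a distinctive trace in the web server's access log. As an added example, not code from KHON2, the Connector, or the WordPress project, here is a small Python detector for it: it parses Apache/nginx combined-format lines, counts failed POSTs to /wp-login.php per client in a sliding window, and flags a 302 that follows a run of failures as a likely successful guess (WordPress re-renders the login form with HTTP 200 on a bad password and redirects with 302 once a login is accepted). The log lines, IP addresses, window length and threshold are constructed assumptions for the demo, not captured traffic.

```python
"""Detect password guessing against wp-login.php in web server access logs.

Added example (not from KHON2, the Hawaii Health Connector or WordPress).
Assumptions: combined log format, WINDOW/THRESHOLD values, and the sample
lines below are all constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"
WINDOW = 60      # seconds (assumption)
THRESHOLD = 10   # failed POSTs per window before we alert (assumption)


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query string
        "status": int(m["status"]),
    }


def find_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of failed logins per client.

    Returns {ip: {"peak": n, "likely_success": bool}} for clients that exceed
    the threshold. A 302 from wp-login.php after >= threshold recent failures
    is reported as a likely successful guess.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed POSTs still in window
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[rec["ip"]]
        while q and (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()   # expire failures older than the window
        if rec["status"] == 200:   # bad password: WordPress re-renders the form
            q.append(rec["ts"])
            if len(q) > threshold:
                entry = report.setdefault(rec["ip"], {"peak": 0, "likely_success": False})
                entry["peak"] = max(entry["peak"], len(q))
        elif rec["status"] == 302 and len(q) >= threshold:   # redirect = login accepted
            entry = report.setdefault(rec["ip"], {"peak": len(q), "likely_success": False})
            entry["likely_success"] = True
    return report


def _line(ip, second, method, path, status):
    """Build one constructed combined-format log line (not real traffic)."""
    ts = f"05/Oct/2013:01:00:{second:02d} -1000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4321 "-" "Mozilla/5.0"'


# Constructed sample: one legitimate user who mistypes once, then logs in,
# and one client that guesses twelve passwords in 25 seconds and then gets in.
SAMPLE_LINES = (
    [_line("198.51.100.4", 5, "GET", LOGIN_PATH, 200),
     _line("198.51.100.4", 12, "POST", LOGIN_PATH, 200),
     _line("198.51.100.4", 20, "POST", LOGIN_PATH, 302)]
    + [_line("203.0.113.7", 30 + 2 * i, "POST", LOGIN_PATH, 200) for i in range(12)]
    + [_line("203.0.113.7", 55, "POST", LOGIN_PATH, 302)]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LINES).items():
        flag = " (likely successful guess!)" if info["likely_success"] else ""
        print(f"{ip}: {info['peak']} failed logins within {WINDOW}s{flag}")
```

On a real host the same function can be fed `open("/var/log/apache2/access.log")` directly; the threshold should be tuned to the site, and a 302 only counts as a success here if it comes from the same client that was failing, which is the pattern a single brute-forcer leaves. A distributed attack spreads attempts across many addresses and needs the count keyed on the target user name instead, which the access log does not carry.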
Meanwhile industry experts wonder, is this it?
"Was this WordPress a temporary thing that you slapped together and you're using it right now, or are you planning to use it for the long term,” Kay said. “Why didn't they use the same code base the Obama administration used for the national healthcare web site, that's on a much more sophisticated platform, much more sophisticated secure technology."
KHON2 found that the site's source code lists the Honolulu Star-Advertiser Online as the “author” of the Hawaii Health Connector site.
"Our digital web design team was responsible for building the bulk of the site," the Honolulu Star-Advertiser's Dennis Francis told KHON2, “but we obviously have zero connection to the marketplace site where those who are interested in signing up are taken to via a link. That work is being done by a national vendor and that is the part not up and running.”
Francis added that the web job for the Connector had “no connection to how we cover them” from the newsroom. The Star-Advertiser said it does not host the sites or the forms.
“The hawaiihealthconnector.com is an informational website. Our application web forms are on a separate and completely secured environment, which is federally approved with the strictest security standards,” Budar said. “All consumer information is submitted via these forms and is fully encrypted and secure.”
By the time we aired, the Connector had removed the default Admin, User Default, and personal-name logins we warned them about.
Separately, Kolea, the state-run website to which applicants seeking financial assistance are linked, did not appear to have the same security issues, according to initial scans.