Hacking America

Cyber experts: Health care exchanges may be vulnerable to attack

Computer glitches plagued the debut this week of the online health care exchanges put in place by the Affordable Care Act, and while there's no evidence the website malfunctions and delays are anything more than a flood of traffic, cyber experts say citizens should be aware of the potential security pitfalls with the new exchanges.

The Affordable Care Act does not mandate security protocols for the exchanges, leaving the 15 states not participating in the federal government's health care exchange to write their own rules.

"I think in general states shouldn't have to require a mandate, they should just be doing it. When you consider the risks to their residents if these sites get compromised then I would think that this would be a no-brainer," said Alex McGeorge, Senior Security Researcher with Immunity.

McGeorge points out that limited funds may be an issue preventing some states from implementing robust security measures.

Experts agree, however, that the federal health care exchange web site www.healthcare.gov, which serves 35 states, is more secure than the state exchanges.

How secure are health care exchanges?

The Centers for Medicare and Medicaid Services (CMS) says it built the federal exchange with a secure data services "hub," designed to minimize risk by not retaining or storing Personally Identifiable Information.

The health care exchanges built individually by 15 states, on the other hand, appear to be less secure based on the web platforms they are running, according to security experts CNBC spoke with.

"Some of these web frameworks that the states have elected to use have had a history of security problems that could allow for an attacker to take over the web server that is running this service," McGeorge said.

Despite that, none of the states CNBC contacted, nor the federal exchange, report any cyber-attacks, and all say they have security measures in place.

A spokesman for California's exchange says the website has a program that checks for malicious behavior. Meanwhile, a spokeswoman for the Connecticut exchange says its website prioritizes traffic from those in state and blocks all international traffic.

New York reportedly had some 30 million hits in a state with fewer than three million uninsured, but the state department of health told CNBC in a statement, "There is no indication of any intentional efforts to overwhelm the site."

Follow Scott on Twitter @ScottCohnCNBC. Follow Jennifer on Twitter @jennyanne211