August 19 2014
HealthCare.gov’s “security through obscurity”
Vicki E. Alger
Earlier this summer a Government Accountability Office investigation revealed that undercover agents were able to use fake IDs to qualify for ObamaCare subsidies, undermining assurances from the Obama administration that rigorous verification processes are in place to prevent fraud.
The Associated Press wanted to investigate just how secure those processes are when it comes to the federal healthcare exchange website. Yet the White House denied the AP’s Freedom of Information Act request. This denial doesn’t square with what the president said back in 2009, according to Fox News:
In denying access to the documents, including what's known as a site security plan, Medicare told the AP that disclosing them could violate health-privacy laws because it might give hackers enough information to break into the service.
"We concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information," CMS [Centers for Medicare and Medicaid Services] spokesman Aaron Albright said in a statement.
The AP is asking the government to reconsider. Obama instructed federal agencies in 2009 to not keep information confidential "merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears." Yet the government, in its denial of the AP request, speculates that disclosing the records could possibly, but not assuredly or even probably, give hackers the keys they need to intrude.
Even when the government concludes that records can't be fully released, Attorney General Eric Holder has directed agencies to consider whether parts of the files can be revealed with sensitive passages censored. CMS told the AP it will not release any parts of any of the records.
Respect for citizens’ personal privacy isn’t exactly a hallmark of this administration, and technology industry experts scoff at the notion that describing security measures would compromise HealthCare.gov users’ information:
Keeping details about lockdown practices confidential is generally derided by information technology experts as "security through obscurity." Disclosing some types of information could help hackers formulate break-in strategies, but other facts, such as numbers of break-ins or descriptions of how systems store personal data, are commonly shared in the private sector. "Security practices aren't private information," said David Kennedy, an industry consultant who testified before Congress last year about HealthCare.gov's security.
It’s more likely, based on actions since the president’s 2009 transparency promise, that the White House is refusing to come clean precisely because of public officials’ “errors and failures,” as Fox News continues:
Last year, the AP found that CMS Administrator Marilyn Tavenner took the unusual step of signing the operational security certificate for HealthCare.gov herself, even as her agency's security professionals balked. That memo said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month "mitigation" program, including ongoing monitoring and testing. The site has since passed a full security test.
Government cyber-security experts were also worried that state computers linking to a federal system that verifies the personal information of insurance applicants were vulnerable to attack. About a week before the launch of HealthCare.gov, a federal review found significant differences in states' readiness. The administration says the concerns about state systems have been addressed.
The way to assure the American people of that claim is for the White House to come clean about the basic security actions the administration is taking to protect HealthCare.gov users and taxpayers.