Healthcare.gov Security Concerns Won't Go Away

By smace@healthleadersmedia.com | January 21, 2014

At least one critic is calling for the federal health information exchange website to be shut down until a complete security audit can be conducted. Since that's unlikely to happen, let's hope the government is judiciously reinforcing its data breach prevention policies.

For months, Republicans in Congress have been feeding fears of a massive data breach at healthcare.gov. Given the site's many, many shortcomings, healthcare.gov would appear to be a prime target for some sort of data compromise. Its sheer size alone is reason enough for attackers to keep trying to break in.

And yet, to date, no breaches of any significance have occurred.

In part, that's because at its heart, healthcare.gov isn't one gigantic database. Like Target, which recently sustained a data breach affecting up to 70 million customers, the federal health information exchange is networked to multiple databases, each one housing valuable data.

Therein lies the trouble. By penetrating multiple systems, the Target hackers were able to grab more than just credit card numbers. They also took encrypted PIN data, mailing addresses, email addresses, and other personal information. As one data expert writes, the Target hackers

"…didn't gain access just once. In fact, they kept coming back to harvest data almost daily over the course of several weeks. As we now know, they didn't just stop with the sales data. They roamed across Target's network of servers looking for interesting information..."

At its heart, healthcare.gov is a data "hub": it queries seven massive federal databases on demand rather than storing their contents, so most of that data remains at rest in the source systems between queries. Those queries cover whether someone has applied for health insurance on one of the state or federal exchanges, the type of plan they have selected, the status of that application, related information about the applicant's income level (as supplied by the IRS), and the tax credits for which the applicant is eligible.

Each of those databases has been individually protected by its own set of data security measures for years. To the best of my knowledge, healthcare.gov does not copy all of this information into one massive table. In that sense, healthcare.gov, in all its buggy glory, still resembles another distributed computing system that keeps surviving all manner of cyber-attack: the Internet itself.

Still, voices calling for healthcare.gov to be shut down until a complete risk assessment and security audit can be conducted persist. And they're coming from some startling sources, such as Mac McMillan, the chair of the HIMSS privacy and security task force.

"If that were the standard, they would have to shut down most of the Internet," was the terse comment I elicited from Bruce Schneier, one of the world's foremost data security experts.

McMillan is also chief executive officer of Cynergistek, a security audit and risk assessment firm in Austin, TX. He contends that the American public would be safer if healthcare.gov were taken down for however long is necessary to ensure that not just the hub but also the spokes (the state-associated exchanges plus the databases of the seven participating federal agencies) undergo a thorough security assessment.

"There's just a tremendous amount of information about you as an individual in databases that quite frankly, in terms of access, is unprecedented, with this health insurance exchange," McMillan told me in November.

McMillan argues that insider abuse is a huge risk, and he's concerned that operatives in any of these agencies could use the rapidly accumulating information to commit identity theft. But the political cost of taking the site down is one of the big reasons HHS refuses to unplug it for an extended period of time.

Where McMillan and I fundamentally disagree is in his contention that the well-documented cases of consumers being unable to log on to healthcare.gov are grounds for an immediate takedown of the site.

"If you don't take it down, and we do have a major event, or a major issue, I think that the harm of that will be ten times worse than if you were to actually take it down and take care of the site and put it back up and have it work properly," McMillan says.

Since healthcare.gov's much-publicized problems began, critics have pointed consistently to Silicon Valley-powered sites such as Amazon and Google as evidence that large sites can scale securely. And yet Target's very real recent woes show that healthcare.gov has no monopoly on bad Web site execution.

I pointed out to McMillan that the many articles we've read about bringing high-tech security experts to the rescue rarely, if ever, mention the real possibility that health insurance companies could themselves be great resources to assist healthcare.gov and address its security and performance issues.

"They stand to benefit from this, right?" McMillan replied. "You would think they would want this to work."

Perhaps, and I have no evidence to support this, governments keep the insurers from lending their help for fear that once insurers get their hands on the code running healthcare.gov, they might try to tilt that code to bestow ever-so-subtle preference to that insurer.

"Whichever way this thing goes, they're going to be left standing," McMillan said. However it turns out, McMillan and I agree that poor management, not technology, is the villain here.

"We should stop managing by crisis," he said. "That's how we got into this mess in the first place."

Perhaps, in that sense, the decision to keep healthcare.gov going, and to try to fix its flaws in mid-flight, is the right decision. And yet, if we get through this startup period without a major breach, it could be dumb luck, rather than savvy management, as our saving grace.

Bruce Schneier may be right. You might as well shut down the Internet. But the stakes have never been this high for a mission-critical Internet Web site.

Meanwhile, let's hope the government is judiciously reinforcing its security policies, ranging from employee policies to data-loss prevention infrastructure. Before all is said and done, every bit of those precautions will be necessary.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
