You’ve heard of the law of unintended consequences. We’ve all experienced it. You change or “improve” something and suddenly you find yourself suffering through side-effects you didn’t anticipate. As we move into its initial implementation stages, we’re seeing that the poster child for unintended consequences may prove to be the Affordable Care Act, or Obamacare as it is commonly referred to.
Whether you believe Obamacare is the transformational fix American healthcare needed or, like me, see it as another means for political appeasement and control, there’s no doubting one ugly fact: the personal health information being stored and processed in the state-controlled Health Insurance Exchange (HIE) marketplaces is not being properly secured. Government officials are not even dancing around this revelation. They freely admit the security requirements have not been achieved.
Obamacare’s HIEs are supposed to be the vehicle through which more than 50 million people will be purchasing health insurance. So to say there will be a lot of sensitive electronic health information coming and going is a monumental understatement.
Part of the Obamacare infrastructure includes something called the Federal Data Services Hub. If you are like me, you had not heard that term discussed before. This system will connect numerous government agencies such as DHS, DOJ, VA, IRS, HHS, individual state governments -- even the Peace Corps -- to verify eligibility for tax credits and subsidies of health insurance plans doled out through Obamacare. Nice. I can’t think of a more fertile information environment to target by those with ill intent.
The real kicker: no one really knows how secure any of these information systems are going to be, including the people in charge of pulling this off. Based on experiences I’ve had testing the security of large web application environments, I can tell you what’s going to happen in these HIEs and the Federal Data Services Hubs:
Applications and supporting systems will be deployed.
Security will be discussed, but given the time sensitivity for the HIEs to be operational, security issues will not be properly addressed.
A select few states and federal agencies may run some basic vulnerability scans or IT audit checks, but nothing of significance will be uncovered. Don’t be misled: if you look in the right areas, using the proper tools, you can find tons of security flaws in most application environments -- especially newly-developed applications such as these.
The cycle of information security apathy will continue. Unfortunately, it’s now impacting one of the largest repositories of personal information ever amassed in the history of the United States.
External threats are not the only source of information risk. We have to consider the insider threat – especially given the vast array of moving parts associated with these marketplaces.
With all of these government agencies involved in the HIEs, the sheer number of data entry points, network exit points, and potential hands in the pie is staggering. Where’s the accountability?
It is interesting to note that a recent Commonwealth Fund study found that nearly three-fourths of adults between the ages of 19 and 29 are unaware of Obamacare’s health insurance marketplaces. It’s difficult for the average citizen to demand that their personal health information be protected if they don’t even know where, when, and how it’s being used.
What makes this entire affair even more frustrating is that while states are getting tens of millions of tax dollars to market their HIEs, had only a fraction of this money been used to properly plan out security strategies and test for security weaknesses, I wouldn’t be writing this column.