You’ve heard of the law of unintended consequences. We’ve all experienced it. You change or “improve” something and suddenly you find yourself suffering through side-effects you didn’t anticipate. As we move into its initial implementation stages, we’re seeing that the poster child for unintended consequences may prove to be the Affordable Care Act, or Obamacare as it is commonly referred to.
Whether you believe Obamacare is the transformational fix American healthcare needed or, like me, see it as another means for political appeasement and control, there’s no doubting one ugly fact: the personal health information being stored and processed in the state-controlled Health Insurance Exchange (HIE) marketplaces is not being properly secured. Government officials are not even dancing around this revelation. They freely admit the security requirements have not been achieved.
Obamacare’s HIEs are supposed to be the vehicle in which more than 50 million people will be purchasing health insurance. So to say there will be a lot of sensitive electronic health information coming and going is a monumental understatement.
Part of the Obamacare infrastructure includes something called the Federal Data Services Hub. If you are like me, this is not a term you had heard discussed before. This system will connect numerous government agencies such as DHS, DOJ, VA, IRS, HHS, individual state governments -- even the Peace Corps -- to verify eligibility for the tax credits and subsidies for health insurance plans doled out through Obamacare. Nice. I can’t think of a more fertile information environment to target by those with ill intent.
The real kicker: no one really knows how secure any of these information systems are going to be, including the people in charge of pulling this off. Based on experiences I’ve had testing the security of large web application environments, I can tell you what’s going to happen in these HIEs and the Federal Data Services Hubs:
- Applications and supporting systems will be deployed
- Security will be discussed, but given the time sensitivity for the HIEs to be operational, security issues will not be properly addressed
- A select few states and federal agencies may run some basic vulnerability scans or IT audit checks, but nothing of significance will be uncovered. Don’t be misled: if you look in the right areas, using the proper tools, you can find tons of security flaws in most application environments -- especially newly-developed applications such as these.
- The cycle of information security apathy will continue. Unfortunately, it’s now impacting one of the largest repositories of personal information ever amassed in the history of the United States.
External threats are not the only source of information risk. We have to consider the insider threat -- especially given the vast array of moving parts associated with these marketplaces. As we’ve seen with Edward Snowden and the subsequent announcement by the NSA that they’re laying off 90 percent of their network administrators, just because an employee passes a background check and has good references doesn’t ensure trustworthiness.
With all of these government agencies involved in the HIEs, the sheer number of data entry points, network exit points, and potential hands in the pie is staggering. Where’s the accountability? Will we, as citizens, ever know when our personal information is abused? Given the complexity of the information systems, will the agencies involved even know? I hesitate to think most IT or information security practitioners are willing, much less qualified, to assume the risk or the responsibility.
It is interesting to note that a recent Commonwealth Fund study found that nearly three-fourths of adults between the ages of 19 and 29 are unaware of Obamacare’s health insurance marketplaces. It’s difficult for the average citizen to demand that their personal health information be protected if they don’t even know where, when, and how it’s being used.
I suspect that information security has been largely ignored during the strategic planning sessions for Obamacare’s initial rollout. And if it hasn’t, shame on the administration for rushing it to market before security protocols were in place. I find this a perfect case of ignorance is bliss in action.
What makes this entire affair even more frustrating is that while states are getting tens of millions of tax dollars to market their HIEs, had only a fraction of this money been used to properly plan out security strategies and test for security weaknesses, I wouldn’t be writing this column.
I’m not even sure where we go from here. If your business or government agency is involved in these health insurance marketplaces, don’t be afraid to ask the tough security questions and even test the environments on your own. It’s this type of grass-roots effort that could introduce some sanity into Obamacare. In the administration’s defense, I’m sure this is an unfortunate oversight that will be quickly remediated. But will it be quick enough to avert a disastrous information breach or worse?
About the author:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 24 years of experience in the industry, Kevin specializes in performing independent IT security vulnerability assessments of networks, computers, and applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.