Security, Privacy and the Affordable Care Act: A Prescription for What Ails U.S.?
By MacDonnell Ulsch, CEO & Chief Analyst
On the subject of the Affordable Care Act (ACA) or Obamacare and protecting healthcare information, take no comfort in the words from the U.S. Department of Health and Human Services on the difficulties of implementation: “Developing effective oversight strategies to prevent, detect, and correct any problems that occur is critical. The large number of new and complex program responsibilities under the ACA makes achieving these twin goals challenging.” Challenging, indeed.
As I write this CyberBreach Situation Report, the Privacy Rights Clearinghouse reports that 616,417,491 electronic records in the U.S. have been breached since January 2005. That’s roughly two breached records for every man, woman, and child in this country. Then consider that these breaches are only the reported ones. Many data breaches are never reported to regulators and entered into the public record. I have personally worked on breach investigations that have not been reported to state and federal regulators because disclosure was not, for a variety of reasons, required. In some cases, disclosure was required in foreign countries with stricter laws, but not in the U.S. Here’s the uncomfortable truth: we don’t really know how many paper and electronic records have been breached. This should disturb everyone. And now, we are preparing to aggregate, electronically, perhaps the largest interactive data repository in the history of the nation—and we’re not prepared to protect these records.
Here are a few unsettling trends that pose a threat to all personal information records, including healthcare records:
1. The Office of the Inspector General of the U.S. Department of Health & Human Services has said that there was only a limited amount of time to test ACA security. The August 2013 HHS report stated that “several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges.”
2. Effective security and privacy are further complicated by the fact that both the federal government and states must coordinate on all such issues, findings, vulnerabilities, remediation, and other factors. History shows that security has been nowhere near acceptable.
3. Who are these “navigators,” those workers who have access to precious personal information? What level of background checks did they receive? Were they drug tested? Have any committed felonies? Who did the background checks and declared them employable and trustworthy? Was it the same organization that assessed the integrity of Edward Snowden of NSA infamy? How are they monitored? Are they able to snap photos with their cell phones of on-screen personal information? Do they have access to pen and paper so that they can write down information, including Social Security Numbers? Are they under video surveillance to ensure protection against the insider threat?
4. The explosion of social media has led to numerous data breaches, many of them unreported. Hackers troll social media sites as they develop profiles of social media users. Company employees are targeted. The use of weak, poorly constructed passwords has resulted in the acquisition of detailed information that is used in a variety of cyber attacks.
5. Mobile device proliferation and Bring Your Own Device (BYOD) options mean that more data is distributed across many more hardware units, from smartphones to tablets, often with less security.
6. Many security and privacy healthcare professionals freely admit that the healthcare industry information protection practices are approximately ten years behind the financial services industry.
7. Employees and budgets in many healthcare operations are being cut back due to uncertainties in the ACA.
8. Cyber attacks are increasing and the cost of breaches, according to a new Ponemon Institute study on the subject, is on the rise.
9. Cyber crime is escalating as information maintains its marketable value in transnational organized crime.
10. Compliance with U.S. federal and state information privacy laws is low, perhaps in the single digits according to some regulators.
11. U.S. government agencies have not fared well historically in passing information security tests. In 2012, about 40 percent of agencies were out of compliance with the Domain Name System Security Extensions or DNSSEC, a full two years after these agencies were required to comply. DNSSEC was designed to protect certain applications against attack.
12. Cloud computing is a central theme in the U.S. government’s information technology strategy. Given that a large number of companies are participating in the cloud initiative, there is much uncertainty in the security effectiveness of each participant.
When reminiscing about the security and privacy in practice inside the federal government, think back to 2006. This was the year of the Veterans Administration data breach. A Veterans Affairs analyst had been taking home his government laptop for three years. It was stolen from his house. The laptop contained unencrypted information on more than 26 million veterans and their family members. Due to delays in escalating the incident to the Veterans Affairs Secretary, several weeks passed before an investigation began in earnest.
This was a serious breach, including compromised names, Social Security Numbers, dates of birth, and some medical information.
The breach remains problematic. In fact, seven years later, the government admits that it still does not know the full extent of the impact this breach will have, nor its cost. The government estimates that the breach will ultimately cost between $100 million and $500 million to prevent and cover possible losses. At half a billion dollars, this comes to less than $20 per name, a figure that seems suspiciously low, depending on record configuration.
Whether or not the ACA is good for the country is a political question. But the security and privacy readiness of the highly complex ACA information management system is, at best, highly suspect, based on the compressed—and ultimately inadequate—testing timeframe. At its worst, this is the beginning of an information integrity nightmare that could result in immense unanticipated cost associated with catastrophic data breaches.
Here’s what we do know. Perhaps the most complex, complicated record management system is being launched without adequate security testing. It is being launched by a government that has experienced serious failures of security testing in the past across multiple agencies. This is occurring at a time of unprecedented cyber crime, and exacerbated by lightning-fast changes in technology and its cultural adaptation. It comes at a time when external vendor breaches are also at an all-time high, and the number of external vendors hitching their stars to the ACA is legion.
And finally, this vast aggregation of data, and the staggering dimension of the information management system, is coming under the direct control of a federal agency that remains inadequate to the task of ensuring integrity. It does not possess the technical infrastructure, capacity, headcount or budget to meaningfully monitor, audit and enforce the security and privacy provisions that are intended to protect the identities and personal information of those who assume their data will remain uncompromised.
Ulsch can be reached at Don.Ulsch@ZeroPointRisk.com or at 1.978.808.6526.