Untested Security Controls Leave Citizens At Risk
On October 1, 2013, the Affordable Healthcare Act’s exchanges went live, a process that will ultimately co-mingle data from: the Internal Revenue Service (IRS), Health and Human Services (HHS), the Department of Justice (DOJ),Homeland Security, and various state governments. This data store, The Federal Data Services Hub (FDSH), per media accounts and President Obama, is new and therefore has some “kinks” that will need to be ironed out.
FDSH reportedly will contain Social Security numbers, employment data, birth dates, protected health information (PHI), personal private data, and data from tax returns. Having been a developer, quality assurance manager, and now privacy and data security executive, I question the government’s secure coding practices and subsequent testing of that code. There is no reasonable evidence that any citizen enrolling in this hub will be properly protected!
This should be a huge red flag to the American public, as the federal government has a poor track record of protecting access to sensitive data. In the past year, the IRS improperly used information to target Tea Party members, Edward Snowden allegedly stole data from internal resources and the Anonymous hacking group stole data from the DOJ. If that’s not enough, USA Today reported that the federal government had revealed 655 data breaches comprising of over 148 million personal records since May 2005.
These cases do nothing to instill confidence that the government has the means and desire to properly control access to this very sensitive information. Information that in the wrong hands can be used to steal one’s identity – financial identity or medical identity!
Forget the arguments regarding the merits of Obamacare, the focus here is that the new hub just created a lucrative data store for nation-states, criminals and curious hackers. The likely untested security controls are now being tested – by those hoping for monetary/political gain from stealing citizens’ data!
The Obamacare debate will likely churn for years, but the amount of data, access to that data, retention periods, and more importantly, the security of that data, are suspect. As with any time you provide personal information, it is prudent to be stingy in providing it, even if it’s the US federal government. Given the large data stores they are creating and possible lax security, even more so.