Is HealthCare.gov a data risk? Perhaps

Commentary: Protecting Americans' privacy is one more detail to be sorted out in the health-marketplace do-over

A man looks over the Affordable Care Act (commonly known as Obamacare) signup page on the HealthCare.gov website in New York in this October 2, 2013 photo illustration.
Mike Segar/Reuters

If Republicans were slow to pounce on HealthCare.gov's woeful, glitch-filled start this October, it is in part because they had been preparing for a different sort of debacle. This summer, as the Obama Administration and contractors were rushing to finish building the insurance exchanges where uninsured Americans are now attempting to sign up for and purchase health policies, Republicans on Capitol Hill latched onto the argument that the Obamacare website would be an enormous data-management problem — one that just might make millions of Americans’ personal information vulnerable.

On June 5, for example, U.S. Rep. Diane Black, R-Tenn., wrote in U.S. News & World Report that "the potential for abuse is staggering." And on July 17, two committees in the House of Representatives held a joint hearing titled "Evaluating Privacy, Security, and Fraud Concerns with ObamaCare's Information Sharing Apparatus." The GOP, in short, had been assiduously preparing an argument against an ultra-efficient digital apparatus with a built-in privacy risk — not for a website seemingly incapable of turning someone's name and address into a simple user account.

But the GOP's message — that HealthCare.gov promised to be the next big privacy threat — never really garnered headlines because Republicans failed to make it a focus. For one, Republicans wanted Obamacare gone altogether and spent most of their energies instead on scuttling it — in vain.  But they also buried the privacy angle in tangential controversies, tying their HealthCare.gov worries to allegations this past May that the Internal Revenue Service, which will have a major role in implementing Obamacare, had targeted conservative groups seeking tax-exempt status. The "Navigators" and "In-Person Assisters" who would help people register for insurance were perhaps, wrote National Review's John Fund, "a new way to fill the void left by the bankruptcy of ACORN," referring to the liberal political organizing group that filed for Chapter 7 in 2010. In some corners of the Internet, there was even insistence that HealthCare.gov's impending launch represented a biblical doomsday sign, the "Mark of the Beast."

The security argument, one might say, lacked a little focus.

But buried in it was the fact that, on technical grounds, they were not completely off base. Central to what U.S. Rep. James Lankford, R-Okla., has dubbed the "Rube Goldberg construction" of the health care law is what Rep. Black calls "Obamacare's mystery Federal Data Hub." Built under a $55 million contractor with the firm Quality Software Services, the hub ties together nearly a dozen different databases — those of the Social Security Administration, the Department of Homeland Security, the Veterans Health Administration, and so on — to check a customer's eligibility for different insurance plans.

The due date for authorizing the security of Healthcare.gov was pushed back to September 30 – just one day before its launch.

As a purely technological matter, a functioning data hub is a considerable achievement. But what Republicans have said worries them is that an integrated Federal Data Hub becomes an especially high-profile point of vulnerability, akin to piling all your valuables in one room, and then installing a flashing arrow that points straight at the heap. It is a target for hackers — or perhaps, for a government official with no sense of boundaries.

The reassurance the administration has given is one of architecture: The hub is little more than a "conduit" between "already existing, secure Federal and state databases." They say the model is actually safer than the alternative: having scores of federal and state systems talking to one another. The administration's bet is that it is better to have a trusted messenger in the middle, especially one with no long-term memory.

Who is right? The shame of it is this is the rare political fight that would have been possible to settle in real time. The U.S. government has standards for judging such things. In fact, in April, the National Institute for Standards and Technology (NIST) upgraded the framework that the Centers for Medicare and Medicaid Services (CMS), the agency behind HealthCare.gov, was required to use to make sure that the hub was secure, as part of a new "Build It Right" strategy pegged to Obama's cybersecurity reform push. NIST fellow Ron Ross described the approach as fixing the broken lock on your front door rather than constantly checking to see whether anyone had broken in.

But in terms of security, the process of ascertaining whether the Federal Data Hub was indeed "built right" fell victim to the same troubled federal IT process as the rest of HealthCare.gov's creation. In early August, an audit by the Department of Health and Human Services' Office of the Inspector General concluded with bureaucratic understatement that CMS was "working with very tight deadlines." In fact, the audit found that the Sept. 4 due date on a security-authorization decision on the hub had been pushed back all the way to Sept. 30 – just one day before the October 1 launch date. And yet, on September 10, U.S. Chief Technology Officer Todd Park announced that "we have completed security testing and certification to operate." Congress, and reporters, had questions, but the clock was ticking. The site would launch — and largely fail — three weeks later.

Once it launched, HealthCare.gov's very visible problem spots crowded out lingering concerns about what lies beneath. HHS Secretary Kathleen Sebelius has since said the project launched with "almost no testing." After a pause, Republicans have again picked up the security thread. In an October 10 op-ed in USA Today, House Intelligence Committee chairman Mike Rogers warned that the hub contains "every shred of data" of interest to an identity thief.

Given that Americans shop, bank and date online, there is reasonable reluctance to get too ginned up about this sort of thing. But it is also possible to not get ginned up enough. Now that the Obama Administration has to go back and fix the health care exchange glitches, it is being forced to be more transparent about it this time around. This includes opening up about what it has done to ensure the system handles information as safely as it should. This is hard work that is easier to do when people are not shouting about conspiracies. And it is certainly possible that security is one part of the system that is top-notch. But operating on faith that HealthCare.gov will work as well as it is supposed to has not been an especially good strategy thus far, either.

Opinions expressed here do not necessarily reflect those of Al Jazeera America.

Related News

Find Al Jazeera America on your TV

Get email updates from Al Jazeera America

Sign up for our weekly newsletter

Get email updates from Al Jazeera America

Sign up for our weekly newsletter