Personal Health Information Security

We’ve had HIPAA—the Health Insurance Portability and Accountability Act—for nearly 20 years. This act requires, among other things, all handlers of our personal medical information (primarily, but not exclusively, our doctors, hospitals, and health coverage plan providers) to have our permission before passing that information along, even to other doctors, hospitals, and health coverage plan providers, and to take adequate steps to safeguard that information when it’s in their hands or being passed along.

It seems that this administration doesn’t consider itself bound by that same law. The latest example of this evident lawlessness is ObamaMart. The GAO has completed its own assessment of ObamaMart’s security and security practices, and it’s unimpressed.

…weaknesses remained in the security and privacy protections applied to HealthCare.gov and its supporting systems.

This is a year after ObamaMart’s rollout and the discovery of its lack of security. This is four years after HHS, through its CDC, began developing ObamaMart and…testing…it. It boggles my pea brain that security problems of this magnitude could still exist.

In the report, the GAO makes six recommendations to the Department of Health and Human Services to implement security and privacy controls to protect sensitive material. The report also makes 22 recommendations to resolve technical weaknesses in security controls.

Problems with the site ranged from the agency not setting up an alternate processing site for HealthCare.gov systems to allow them to be recovered if the site was hacked or went down to the strength of passwords.

These are basic things that any Computer Science 101 freshman knows. But wait—there’s more.

In addition to these weaknesses, we also identified weaknesses in security controls related to boundary protection, identification and authentication, authorization and configuration management. Collectively, these weaknesses put HealthCare.gov systems and the information they contain at increased and unnecessary risk of unauthorized access, use, disclosure, modification, or loss.

These are more of those things any freshman learns. And these are more of the sorts of things that HIPAA was designed to protect.

The HHS has denied some of these problems exist.

HHS has agreed with three of the six recommendations and has agreed with all 22 technical recommendations.

This isn’t incompetence. These folks are extremely intelligent and talented. Nor is this laziness. These folks are among the hardest working in government. No, this shortfall was deliberate.

Among the issues that concerned the administration’s own technical experts at the time was that security testing could not be completed because the system was undergoing so many last-minute changes.

Because securing citizens’ personal information is only an afterthought to this administration. Because obeying the principles and spirit of HIPAA and related Federal laws, if not their letter, just doesn’t matter to this administration.
