Tuesday, November 26, 2013

Slowdown Healthcare.Gov

(This blog is completely apolitical, and is focused solely on the security and technology issues of the Affordable Care Act (ACA).)

It’s almost the ‘end of November’, and it may seem counter-intuitive to some who have never run a large technology project before, but creating artificial deadlines like these and racing to the finish line runs counter to good security practices, and thus might do more harm than good in the quest to launch Healthcare.Gov.

Imagine a programmer faced with this ‘end of November deadline’, and being pushed to get her new code checked in and functional. Is she going to take the extra time necessary to ensure that these most recent changes didn’t adversely affect the security policy? Or is she going to do a quick review and submit the code, because the “President of the United States” needs this to work by the end of November!

By all accounts, Healthcare.Gov is the work of many different parties, with many different bosses, aiming to do something great (I realize that might be political, but wouldn’t it be great if all Americans really could have good healthcare without our rates/taxes rising or our quality of care declining!) that has never been achieved before. And in order to achieve that greatness, it needs to capture, route, and hold much of our personal information (PII).

I’ve worked on the security of many a healthcare system, going back to President Clinton’s (ok, Mrs. Clinton’s) pet Healthcare Open Systems and Trials (HOST) project in the 90’s. The security and privacy of patient and insurance records was always the lynchpin in the system. Finding ways to keep patient information away from those that shouldn’t have it, yet available to those that need it, is not an easy concept to balance, and as an industry we’ve been working on the online version of that very equation for the past 20 years. In fact, Mrs. Clinton challenged us with her healthcare version of Star Trek’s Kobayashi Maru, the impossible test that needed to be cheated to win. We failed back then, because we couldn’t compromise on security.

The problem is much harder now than it was back in the 90’s, since much of what the Internet uses to protect itself -- system encryption, air-gaps, firewalls, and more -- has proven to be child’s play to a determined attacker, and the more hands involved in the process, the more gaps attackers are able to slip through. When there’s this much money at stake (the average medical or insurance record sells for over $50 on the black market -- multiply that by the number of Americans!), there are some VERY determined attackers out there (criminals looking for money, foreign powers looking for the ability to destabilize, hacktivists looking to push their agenda).

So while the goal of creating this November line in the sand is commendable, in practice it is counterproductive. All these last-minute changes WILL change the security situation, and SHOULD be given the time it takes to test every way possible. I have good friends desperate for this to work, as they aren’t able to buy real insurance any other way. But I’d rather have them in a safer system soon, than a rushed system that might compromise not only their information, but all others’ too, which will undermine the trust in the overall ACA program and put everyone’s healthcare at risk.

So Secretary Sebelius, please slow down. Mr. Zients, take your time. It’s more important to get it right. It’s really important.