Slowdown Healthcare.Gov

(This blog is completely apolitical, and is focused solely on the security and technology issues of the Affordable Care Act (ALA))

It’s almost the ‘end of November’, and it may seem counter-intuitive to some who have never run a large technology project before, but creating artificial deadlines like these and racing to the finish line runs counter to good security practices, and thus might do more harm than good in the quest to launch Healthcare.Gov

Imagine a programmer faced with this ‘end of November deadline’, and being pushed to get her new code checked in and functional. Is she going to take the extra time necessary to ensure that these most recent changes didn’t adversely effect the security policy? Or is she going to do a quick review and submit the code, because the “President of the United States” needs this to work by the end of November!

By all accounts, Healthcare.Gov is the work of many different parties, with many different bosses, aiming to do something great (I realize that might be political, but wouldn’t it be great if all Americans really could have good healthcare without our rates/taxes rising or our quality of care declining!) that has never been achieved before. And in order to achieve that greatness, it needs to capture, route, and hold much of our personal information (PII).

I’ve worked on the security of many a healthcare system, going back to President Clinton’s (ok, Mrs. Clinton’s) pet Healthcare Open Systems and Trials (HOST) project in the 90’s. The security and privacy of patient and insurance records was always the lynchpin in the system. Finding ways to keep patient information away from those that shouldn’t have it, yet available to those that need it, is not an easy concept to balance, and as an industry we’ve been working on the online version of that very equation for the past 20 years. In fact, Mrs. Clinton challenged us with her healthcare version of Star Trek’s Kobayashi Maru, the impossible test that needed to be cheated to win. We failed back then, because we couldn’t compromise on security.

The problem is much harder now than it was back in the 90’s, since much of what the Internet uses to protect itself-- system encryption, air-gaps, firewalls, and more—has proven to be childs play to a determined attacker, and the more hands involved in the process, the more gaps they are able to slip through. When there’s this much money at stake (the average medical or insurance record sells for over $50 bucks on the black market -- multiply that by the number of Americans!), there are some VERY determined attackers out there (criminals looking for money, foreign powers looking for the ability to destabilize, hacktivists looking to push their agenda).

So while the goal of creating this November line in the sand is commendable, in practice it is counterproductive. All these last minute changes WILL change the security situation, and SHOULD be given the time it takes to test every way possible. I have good friends desperate for this to work, as they aren’t able to buy real insurance any other way. But I’d rather have them is a safer system soon, than a rushed system that might compromise not only their information, but all others too, which will undermine the trust in the overall ALA program and put everyone’s healthcare at risk.

So Secretary Sebelius, please slow down. Mr. Zients, take your time. It’s more important to get it right. It’s really important.

Tom in the Media

What do you see when you gaze into the clouds?

When I was young, I would gaze up into the clouds and see white fluffy shapes against brilliant blue sky, floating gently across my sky. When I read and hear the 'cloud' ads these days, they seem to paint this same image in my mind-- just put your stuff in our cloud, and you never have to worry again.

Which is why I like this painting that hangs in my study by Howard Finster, "...a backwoods Baptist preacher inspired by the Gospel, visitations from the dead, and visions of extraterrestrial life."[1] Finster had a different way of looking at everyday things, and often provides more truth than a first glance reveals. While Finster painted this well before internet marketing types renamed their data centers as 'clouds', his view of the same clouds I looked at in the sky bears quite the similarity to what I see when I look at the current state of cloud computing.

While I love the fluffy whites and brilliant blues of today's cloud marketing hype, which include cost savings, elastic capacity, mobile leverage, and customer self-service, I see the technological equivalent of his angels and demons floating around happy and sad clouds, as well as hosts of other risks in and around that are all too real.

I love the benefits the cloud offers us all, and want to ensure we look clearly at what it takes to move our business or personal data into it, so those risks can be addressed and the benefits securely gained. Most board directors I talk with first see the fluffy side, and can't wait to gain all those advantages. Sometimes it's difficult to explain why they should integrate a cloud security plan into their transition, which lowers their costs and risks, when they don't hear or see about these risks in the airport posters. It turns out there are great new products available that can be used to establish manageable risk in the cloud, but it must be architected and planned before you throw everything up there. Advances in encryption and key management, audit-ability, constant vigilance, advanced threat detection, and more are all tools that can be brought to bear in the cloud now.

It's possible, but not automatic, to work more safely in the cloud that in your old data center!

Maybe if we all share the wisdom of Howard Finster that he saw and painted all those years ago, people will think about the true picture of the clouds today, and then take the available steps to paint their own picture.

[1] Howard Finster, Stranger from Another World: Man of Visions Now on This Earth by Howard Finster, Roger Manley (Photographer), Victor Faccinto (Photographer), Tom Patterson {no relation]

Cloud Security -- Making those words work together!

RSA Conference 2012

I'll be at this year's RSA Conference 2012, talking about the ART and SCIENCE of Security. Will you?

When it comes to accessing your information:

--Organized criminals are innovating.

--Foreign Intelligence services are innovating.

--Global terrorists are innovating.

So it's now CRITICAL that the security industry step up it's INNOVATION.

Big ideas often come from small compaines, and the people closest to the problems often come up with the best solutions, so I'm proud to join General Keith Alexander, Commander, U.S. Cyber Command on the steering committee for the:



The Security Innovation Network presents Showcase 2011 at the National Press Club

Apply to be selected as a SINET 16 that will present in front of 400 Buyers, Builders, Researchers & Investors

Call for Papers please click here June 10th deadline

Supported by the Department of Homeland Security Science & Technology Directorate



Keynote: General Keith B. Alexander, Commander, U.S. Cyber Command &Director, National Security Agency/Chief, Central Security Service

Three of the top SINET 16 automatically receive entry into ASC’s second round

October 26th (Workshop) & 27th (Showcase) 2010, Washington DC www.security-innovation.org

Tom Patterson
Tom Patterson Reviews
Cyberwar
Privacy
Security
Critical Infrastructure Protection
Mobile Security
Cloud Security
Cyber
Cloud Computing
financial services
powered by Speaker Wiki