This past Thursday the House Committee on Oversight and Government Reform held a hearing at which the security of HealthCare.gov was again called into question. The catalyst for the line of questioning was a recently published report from the Government Accountability Office (GAO) suggesting 28 different ways in which the Center for Medicare and Medicaid Services (CMS) could significantly improve the website’s security. This lack of security came to light after test servers were attacked by malware back in August and the attack went unnoticed for approximately two weeks. This is not the first time that the security of HealthCare.gov has been called into question, as there were data breaches during the complicated rollout process. In response to critics of the website’s security, the CMS and some Democratic Representatives gave assurances that there was no malicious attack on personally identifiable information (PII). Still, most of these individuals mentioned that the security of the site is a major concern.
Though a majority of individuals understand that this security breach is a concern, there are still those who simply do not seem to understand the severity of the situation. Among these individuals is Rep. Speier (D-CA), who at the hearing claimed that the investigation into these matters and subsequent hearings were a complete waste of time. Calling it a waste of time to ensure that a network containing PII is secure is like claiming that it is not a big deal if someone breaks into your house and lies in your bed for weeks without you noticing. Sure, they may not have taken anything, but now they know how to get into your house and stay undetected, and next time they could take you for all you have. The problem is that if we dismiss these security issues as no big deal simply because no PII was maliciously attacked, we just continue to leave the door open for more attacks on HealthCare.gov and leave PII (i.e., name, income, and Social Security number) unlocked for those who should not have access to it.
During the hearing, the chair of the CMS, Ms. Tavenner, was incredibly open to the criticisms that were coming her way and understood that there were things that needed to be improved. She recognized that the technology had been mishandled in her department and that they were not adequately prepared for the rollout last year. It was clear from Ms. Tavenner’s discussion that the safety of patients and their information in the healthcare system is the most important issue at CMS. Ms. Tavenner stated that she still has a lot to learn and that she, along with the rest of CMS, is committed to working with the GAO to ensure that the 28 recommendations for security improvement are implemented for the rollout beginning November 15.
So if CMS recognizes that there is value in this hearing and in the report published by the GAO, why do individuals like Rep. Speier, who is not alone in her stance, insist that continuing to meet on the security of HealthCare.gov is a waste of time? Shouldn’t the security of the American people’s information be one of the most important things for our government to discuss? If the government had waited until it was too late to discuss these security issues, it could have had to deal with determining what personal information was taken, who took it, and what they are attempting to do with that data, all of which would be much more difficult fixes than the ones accomplished because of this hearing. The government wants the American healthcare system to move to a preventative approach because of the belief that it will cut costs and serious health complications. Shouldn’t we handle security the same way?