On 1 October, the public health insurance exchanges being created under the U.S. Patient Protection and Affordable Care Act [pdf] are planned to open. Last week, the U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services (CMS) said that the Data Services Hub used to determine a person's eligibility for government subsidies for this new healthcare program was “ready to go,” according to Reuters.
The CMS stated that, “The completion of this testing confirms that the Hub complies with federal standards and that HHS and CMS have implemented the appropriate procedures and safeguards necessary for the Hub to operate securely on October 1.”
The CMS announcement was very good news indeed considering that: (a) The data hub “can access personal records from seven different agencies—the Internal Revenue Service, the Social Security Administration, the Department of Homeland Security, the Veterans Health Administration, the Department of Defense, the Office of Personnel Management, and the Peace Corps—in order to determine eligibility for exchange subsidies and mandate penalties,” according to Forbes. (b) The HHS Inspector general had released a report [pdf] in August seriously questioning whether the security of the exchanges could be completed by the 1 October deadline, given that a previously estimated 51-day security review was completed in only 10-days. And (c) the exchanges are likely a priority target for hackers.
The good news didn’t last long, however.
Government Executive magazine ran a story this week that reported that “due to limited means, Health and Human Services Department internal watchdogs do not intend to examine key security designs they did not have a chance to assess during [their] recent audit.” Apparently, while security risks posed by the exchanges are an important concern, it was only one among many needing assessment that was competing for HHS “limited resources.” The higher priority risks—technical and political—were that the exchanges weren’t going to be officially “open for business" on 1 October, the HHS implied.
Republicans have grabbed onto the security doubts as a political gambit to postpone Obamacare, which they are threatening to do by other means as well. Their case was bolstered a bit this week when a Minnesota exchange employee accidentally “sent an e-mail file to an Apple Valley insurance broker’s office on Thursday that contained Social Security numbers, names, business addresses and other identifying information on more than 2400 insurance agents,” the Star Tribune reported. While small from a numbers standpoint, it was significant from a political perspective.
Politics aside, the Obama Administration better hope that not only is the Data Services Hub secure, but that all the state exchanges are secure as well. If a major breach occurs at an individual state exchange, the public will likely view all health exchanges regardless of ownership as being insecure. With “software issues” already occurring in exchanges (Iowa’s Gov.Terry Branstead this week basically said to expect problems with the state's exchange), any data breach could sour more of the public on Obamacare. (A recent survey showed that 53 percent of Americans view the law unfavorably.)
Security a Wee Bit Lax at NSA
NPR radio’s Morning Edition interviewed National Security Agency’s chief technology officer, Lonny Anderson and other unnamed government officials this week, who provided more details on how Edward Snowden was able to make off with the treasure trove of highly classified NSA documents without getting caught. According to the NPR interview, as part of his job, Snowden was able to access part of the NSA's intranet website where the documents he stole were put “so NSA analysts could read them online and discuss them. Anyone with the right top secret clearance could visit that page and read the documents. … As a systems administrator, Snowden actually had the responsibility to go to that intranet page and move especially sensitive documents to a more secure location.”
In fact, Snowden was “actually observed accessing secret documents, but the assumption was he was just doing his job.” It was, the officials admitted, the “prefect cover” for someone wanting to steal documents.
The officials refused to discuss how Snowden actually was able to download the documents and leave NSA premises with them undetected. The hypothesis is that Snowden took them out on a USB thumb drive. As of last June, some NSA computers still allowed access to USB thumb drives, a practice highly restricted in DoD since 2008 because of a major security breach.
Anderson told NPR that the NSA finally has a good idea of what Snowden took, but that has taken four months of effort even with hints from Snowden himself. So much for NSA’s vaunted 100 percent audit capability. Probably more worrying to NSA officials is that someone else already preceded Snowden but hasn't ever gone public about it.
Budding Cybercriminals Go To School
Finally, a story at ComputerWorld reports that security company RSA has found that “a growing number of experienced hackers have begun offering structured hacking courses for crooks seeking to make a career in cybercrime.”
According to the ComputerWorld story, “The courses range from the basics of online fraud to advanced courses on online anonymity tools, botnets, cleaning up electronic evidence and dealing with law enforcement.” In addition, the course curriculum follows those found at major academic institutions.
Hackers pay about $75 per lecture, with lectures on using credit and debit cards fraudulently highly popular. Lectures are usually held via Skype. The only drawback is that many of the courses are taught in Russian.
No, the story did not discuss the possible transferability of course credit towards a college degree.
Of Other Interest ….
Photo: Stephen Lam/Getty Images
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.