Obamacare’s data ‘Hub’ is an identity theft risk for us all

Theresa Payton Former White House CIO
Font Size:

They are plenty of scary stories you can read by the beach this summer, but for a real thrill I suggest you read the 78th volume of the Federal Register, pages 8538-8542. These four published pages explicitly detail an unprecedented change in the collection of personal data for every American. Here’s how:

The federal government needs you to answer some questions in order to find out if you’re eligible for the Affordable Health Care Act. How old are you? Where were you born? Are you a legal resident? Have you served in the military? Where do they go to the answers to these questions? The Social Security Administration, the Department of Homeland, and the Veterans Administration, respectively. What will they do with this data once they have it? That is the $64,000 question.

We do know it will be going into “the Hub,” a one-stop destination where all your data will be compiled as your profile. Reports are not clear if the “Hub” is going to be a database or an interface. Regardless, it will contain all your biographical information extracted from seven federal agencies, and state agencies, and put into one place. It is a hacker’s dream. Instead of having to go from agency to agency to access personal data, now identity thieves will find it in one place.

This unprecedented aggregation of your personal information to one place is taking place at a time when data breaches are escalating, and amidst wide acknowledgment that healthcare data breaches are a growing concern. According to a report by the Identity Theft Resource Center, 34.1 percent of all data breaches were tied back to health care.

What makes this more alarming is the recent report from the Inspector General’s office. The IG announced that, after reviewing draft documents and interviewing the project team, the overall tasks on the schedule were being completed later than anticipated.  It is not uncommon for large scale implementations to have dates slide but the IG indicated that security testing for the “Hub” was behind schedule and that the system testing results might be available for review as late as one day before the exchanges will open. If the federal government were a business that was about to implement new procedures to compile and secure data, this would be my advice:

There are no hack-proof computers, interfaces, data transfers, databases or systems. It is not a matter of whether you will get hacked, but when. The technology should be designed to watch the data and warn when data is being accessed with abnormal patterns. This includes timely notifications to the organization and the victims when data has been compromised. A key guiding principle for the system design should be that cybercriminals want access to this information and they will be ready to attack on the first day it’s implemented.

Three additional design considerations are critical: (1) since a data breach is inevitable, build into the design a blockade that traps the bad guys or stops them from absconding with the data they want to grab from the “one stop shop” to minimize damages. (2) Hire good guy hackers, also known as white hat or ethical hackers to try to steal the data and review their findings; and (3) make sure the staff is highly trained on both privacy and fraud prevention procedures so we can avoid a repeat of recent breaches in healthcare, most notably the Kim Kardashian situation where hospital workers, with authorized access, broke policy to snoop on Kim’s life.

But the federal government isn’t run like a business, we all know that, which is why their shoddy efforts to protect our data should be especially concerning. Empower yourself, and be vigilant about what you post on social media. Identity thieves can follow the information you post like digital bread crumbs leading back to your house. Contact your local legislator and let them know you aren’t comfortable with a database/interface that creates a one-stop shop for cyber hackers. Use one email address only for your health insurance company. Ask your Doctor what happens with your data, not medical history per se, but your address, phone number, etc. Be on guard. The unprecedented changes being made to the collection of data may have only one line of defense that it can’t penetrate.  The line of defense is most likely going to be you, the consumer.