Netflix Vs. Healthcare.Gov

Josephine Wolff | Future Tense | August 28, 2014

The two sites demonstrate two very different approaches to cybersecurity.

What could possibly have motivated the Centers for Medicare and Medicaid Services to refuse to release even a single document about the site’s security in response to a Freedom of Information Act request submitted by the Associated Press? The AP announced that its request had been refused last week and, by way of explanation, cited a statement from CMS spokesman Aaron Albright that “releasing this information would potentially cause an unwarranted risk to consumers’ private information.” It’s hard to imagine that any documents the agency could have released would have generated more doubts about the site’s security than those remarks. The best way to protect the site—and its users—would be to stop defending it against legitimate questions and release some of the requested information.

There’s an episode of The West Wing in which staffer Josh Lyman sarcastically tells the White House press corps that the president has a secret plan to fight inflation. Suddenly, that’s the only thing any of the reporters want to talk about. Just replace “secret plan to fight inflation” with “secret plan to fight online intruders,” and it’s the same thing. Is there any surer way to generate a lot of interest in the security of than to shroud it in secrecy?

Concerns were raised about the health care site’s security back when it was launched last fall and a memo revealed that the developers had not had adequate time to complete final security tests prior to the launch. But in January, CMS chief information security officer Teresa Fryer told the House Oversight Committee that the site had passed all of its security tests and that its security protections had successfully prevented any attacks since the problematic October launch. Of course, the website has been roundly criticized for a whole host of other reasons, so perhaps it’s not surprising that CMS is wary of giving the press anything that might lead to another round of negative publicity...