The launch of the health exchanges has produced diverse images of failure: blank screens, improperly released Social Security numbers; a White House official undermining congressional oversight on September 6, 2013, with a phony security certification; and political appointees blaming their failures on unexpected enthusiasm for the exchanges—a fiction reminiscent of Cold War Soviets touting food lines as evidence of enthusiasm for a five-year agricultural plan causing widespread starvation.
One of the most striking recent images was that of a shaken president twice reciting the toll-free number for the exchanges. He did so to encourage frustrated Americans to abandon HealthCare.gov temporarily as he made the unfulfillable promise that contractors would “fix” in just one month a sick system that took 42 months to metastasize into its current form. It is an image to remember because you will see it again when President Obama acknowledges he cannot honor that promise.
One of the nicest and most competent members of the Obama administration, former acting OMB director Jeffrey Zients, has been tasked with fixing HealthCare.gov in one month by leading a tech “surge” (I’ll leave the ironies of that phrase alone). Poor Jeff is set up for inevitable failure. While the HHS definition of “fix” will surely become whatever level of functionality its armies of contractors have achieved by December 1, any claim of a “fix” will haunt this administration.
Due to inept planning in the first two years of implementation, HealthCare.gov became a patchwork of hastily constructed systems that contractors then even more hastily stitched together. To meet their deadlines, these contractors, with the blessing of their political overseers, cut corners on key security features, such as encryption of sensitive personal data. HHS has been inexcusably evasive with Congress on its security certifications, and CBS has reported that the security certification work is still incomplete—despite previous assurances by the White House and HHS to the contrary.
The White House aggravated this security problem with its insistence on maximal use of “the cloud,” a clever marketing term for servers supplied by contractors in shared data centers. This combination of choices means that unencrypted data of every purchaser of insurance through HealthCare.gov crosses the Internet and travels unprotected into “the cloud” many times—every hacker’s dream.
Several major media organizations have confirmed first-hand how easy it is to hack into HealthCare.gov. As just one example of some of the issues, an expert hired by CNN found that the system: (1) confirmed a guessed user name; (2) exposed unencrypted source code in the browser that allowed access to the password resetting mechanism; and (3) with the user name and the reset code, displayed a person’s three security answers. The resulting damage will not be limited to other sensitive data in the exchanges. Since many systems use the same security questions, theft of these answers will allow hackers, directly and indirectly, to access Americans’ bank accounts, brokerage accounts and other sensitive data bases. CNN concluded that this kind of theft from HealthCare.gov “wouldn’t have even taken a skilled hacker.”
It may not be just the hardware and software, though, that opens up millions of Americans to a loss of their sensitive personal information, including their Social Security numbers. As we have learned from the Edward Snowden and Bradley Manning incidents, poorly screened employees and contractors pose at least as great a threat to our security as shoddy information technology. Decisions such as maximizing use of the cloud and hiring inadequately screened “navigators” as unsupervised salespeople for HealthCare.gov have greatly increased the risk of repeated thefts of Americans’ sensitive personal data.
Undoing the administration’s poor design choices that led to this insecure mish-mash and replacing them with reliable and secure systems would take far longer than a month; it would also require hundreds of millions of dollars that Congress—now angry on a bipartisan basis—will surely refuse to appropriate. In the alternative, the unfortunate Mr. Zients will be overseeing thousands of incremental rewrites of code that will increase some functionality but will also create many new problems. One month does not provide anyone with anywhere near enough time to make needed changes in this huge and tangled system, and one month certainly does not provide enough time to fix problems identified in testing. To sum it up, the fundamental HHS failures that caused this mess are repeating themselves in a greatly compressed period of time.