» Subscribe Today!
More of what you want to know.
The Daily News
X

Forgot your password?
Skip Navigation LinksHome >
VOL. 129 | NO. 162 | Wednesday, August 20, 2014

US Won't Reveal Records on Health Website Security

JACK GILLUM | Associated Press

Print | Front Page | Email this story | Comments ()

WASHINGTON (AP) – After promising not to withhold government information over "speculative or abstract fears," the Obama administration has concluded it will not publicly disclose federal records that could shed light on the security of the government's health care website because doing so could "potentially" allow hackers to break in.

The Centers for Medicare and Medicaid Services denied a request by The Associated Press under the Freedom of Information Act for documents about the kinds of security software and computer systems behind the federally funded HealthCare.gov. The AP requested the records late last year amid concerns that Republicans raised about the security of the website, which had technical glitches that prevented millions of people from signing up for insurance under President Barack Obama's health care law.

In denying access to the documents, including what's known as a site security plan, Medicare told the AP that disclosing them could violate health-privacy laws because it might give hackers enough information to break into the service.

"We concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information," CMS spokesman Aaron Albright said in a statement.

The AP is asking the government to reconsider. Obama instructed federal agencies in 2009 to not keep information confidential "merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears." Yet the government, in its denial of the AP request, speculates that disclosing the records could possibly, but not assuredly or even probably, give hackers the keys they need to intrude.

Even when the government concludes that records can't be fully released, Attorney General Eric Holder has directed agencies to consider whether parts of the files can be revealed with sensitive passages censored. CMS told the AP it will not release any parts of any of the records.

The government's decision highlights problems as it grapples with a 2011 Supreme Court decision that significantly narrowed a provision under open records law that protected an agency's internal practices. Federal agencies have tried to use other, more creative routes to keep information censored.

In addition to citing potential health-privacy violations, the government cited exemptions intended to protect personal privacy and law-enforcement records, although the agency did not explain what files about the health care website had been compiled for law-enforcement purposes. Some open-government advocates were skeptical.

"Here you have an example of an agency resorting to a far-fetched privacy claim in an unprecedented attempt to bridge this legal gap and, in the process, making it even worse by going overboard in withholding such records in their entireties," said Dan Metcalfe, a former director of the Justice Department's office of information and privacy who's now at American University's law school.

Keeping details about lockdown practices confidential is generally derided by information technology experts as "security through obscurity." Disclosing some types of information could help hackers formulate break-in strategies, but other facts, such as numbers of break-ins or descriptions of how systems store personal data, are commonly shared in the private sector. "Security practices aren't private information," said David Kennedy, an industry consultant who testified before Congress last year about HealthCare.gov's security.

Last year, the AP found that CMS Administrator Marilyn Tavenner took the unusual step of signing the operational security certificate for HealthCare.gov herself, even as her agency's security professionals balked. That memo said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month "mitigation" program, including ongoing monitoring and testing. The site has since passed a full security test.

Government cyber-security experts were also worried that state computers linking to a federal system that verifies the personal information of insurance applicants were vulnerable to attack. About a week before the launch of HealthCare.gov, a federal review found significant differences in states' readiness. The administration says the concerns about state systems have been addressed.

Associated Press writer Ricardo Alonso-Zaldivar contributed to this report.

Follow Jack Gillum on Twitter: twitter.com/jackgillum

Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Sign-Up For Our Free Email Edition
Get the news first with our daily email


 
Blog Get more from The Daily News
Blog News, Training & Events
RECORD TOTALS DAY WEEK YEAR
PROPERTY SALES 72 368 16,413
MORTGAGES 66 422 21,432
FORECLOSURE NOTICES 15 76 4,266
BUILDING PERMITS 176 877 39,378
BANKRUPTCIES 60 294 15,542
BUSINESS LICENSES 20 98 5,491
UTILITY CONNECTIONS 69 423 23,573
MARRIAGE LICENSES 17 95 5,035

Weekly Edition

Issues | About

The Memphis News: Business, politics, and the public interest.