We Know More About Netflix’s Cybersecurity Than Healthcare.gov’s. That’s Shameful.

Aug. 28 2014 1:43 PM

Netflix vs. Healthcare.gov

The two sites demonstrate two very different approaches to cybersecurity.


Netflix and healthcare.gov serve very different functions, but both sites collect personally identifiable information from users. The health care data may be more sensitive—or more strongly protected by health care privacy laws—but it’s not clear that healthcare.gov actually collects medical data. Writing in Forbes last year, Rick Ungar noted that on the site “there are no medically specific questions that require disclose of any medical information beyond learning whether or not you smoke.” That doesn’t mean there are no differences between the data Netflix and healthcare.gov protect—or the threats they have to defend against—but it may undermine the idea that healthcare.gov is in a completely different situation because disclosing security information would “violate health-privacy laws.”

So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.

Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.


There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.

Josephine Wolff is a Ph.D. candidate in the Engineering Systems Division at the Massachusetts Institute of Technology studying cybersecurity and Internet policy.
