We Know More About Netflix’s Cybersecurity Than Healthcare.gov’s. That’s Shameful.

Aug. 28 2014 1:43 PM

Netflix vs. Healthcare.gov

The two sites demonstrate two very different approaches to cybersecurity.


Netflix and healthcare.gov serve very different functions, but both sites collect personally identifiable information from users. The health care data may be more sensitive—or more strongly protected by health care privacy laws—but it’s not clear that healthcare.gov actually collects medical data. Writing in Forbes last year, Rick Ungar noted that on the site “there are no medically specific questions that require disclosure of any medical information beyond learning whether or not you smoke.” That doesn’t mean there are no differences between the data Netflix and healthcare.gov protect—or the threats they have to defend against—but it does undermine the idea that healthcare.gov is in a completely different situation because disclosing security information would “violate health-privacy laws.”

So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.

Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.


There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

Josephine Wolff is a Ph.D. candidate in the Engineering Systems Division at the Massachusetts Institute of Technology studying cybersecurity and Internet policy.
