We Know More About Netflix’s Cybersecurity Than Healthcare.gov’s. That’s Shameful.

What's to come?
Aug. 28 2014 1:43 PM

Netflix vs. Healthcare.gov

The two sites demonstrate two very different approaches to cybersecurity.

(Continued from Page 1)

Netflix and healthcare.gov serve very different functions, but both sites collect personally identifiable information from users. The health care data may be more sensitive—or more strongly protected by health care privacy laws—but it’s not clear that healthcare.gov actually collects medical data. Writing in Forbes last year, Rick Ungar noted that on the site “there are no medically specific questions that require disclose of any medical information beyond learning whether or not you smoke.” That doesn’t mean there are no differences between the data Netflix and healthcare.gov protect—or the threats they have to defend against—but it may undermine the idea that healthcare.gov is in a completely different situation because disclosing security information would “violate health-privacy laws.”

So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.

Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.

Advertisement

There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

Josephine Wolff is a Ph.D. candidate at MIT and a fellow at Harvard’s Berkman Center for Internet and Society. Follow her on Twitter.

TODAY IN SLATE

Politics

Smash and Grab

Will competitive Senate contests in Kansas and South Dakota lead to more late-breaking races in future elections?

Stop Panicking. America Is Now in Very Good Shape to Respond to the Ebola Crisis.

The 2014 Kansas City Royals Show the Value of Building a Mediocre Baseball Team

The GOP Won’t Win Any Black Votes With Its New “Willie Horton” Ad

Sleater-Kinney Was Once America’s Best Rock Band

Can it be again?

Technocracy

Forget Oculus Rift

This $25 cardboard box turns your phone into an incredibly fun virtual reality experience.

One of Putin’s Favorite Oligarchs Wants to Start an Orthodox Christian Fox News

These Companies in Japan Are More Than 1,000 Years Old

Trending News Channel
Oct. 20 2014 6:17 PM Watch Flashes of Lightning Created in a Lab  
  News & Politics
Politics
Oct. 20 2014 8:14 PM You Should Be Optimistic About Ebola Don’t panic. Here are all the signs that the U.S. is containing the disease.
  Business
Moneybox
Oct. 20 2014 7:23 PM Chipotle’s Magical Burrito Empire Keeps Growing, Might Be Slowing
  Life
Outward
Oct. 20 2014 3:16 PM The Catholic Church Is Changing, and Celibate Gays Are Leading the Way
  Double X
The XX Factor
Oct. 20 2014 6:17 PM I Am 25. I Don't Work at Facebook. My Doctors Want Me to Freeze My Eggs.
  Slate Plus
Tv Club
Oct. 20 2014 7:15 AM The Slate Doctor Who Podcast: Episode 9 A spoiler-filled discussion of "Flatline."
  Arts
Brow Beat
Oct. 20 2014 9:13 PM The Smart, Talented, and Utterly Hilarious Leslie Jones Is SNL’s Newest Cast Member
  Technology
Technocracy
Oct. 20 2014 11:36 PM Forget Oculus Rift This $25 cardboard box turns your phone into an incredibly fun virtual-reality experience.
  Health & Science
Bad Astronomy
Oct. 21 2014 7:00 AM Watch the Moon Eat the Sun: The Partial Solar Eclipse on Thursday, Oct. 23
  Sports
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.