Netflix and healthcare.gov serve very different functions, but both sites collect personally identifiable information from users. The health care data may be more sensitive—or more strongly protected by health care privacy laws—but it’s not clear that healthcare.gov actually collects medical data. Writing in Forbes last year, Rick Ungar noted that on the site “there are no medically specific questions that require disclose of any medical information beyond learning whether or not you smoke.” That doesn’t mean there are no differences between the data Netflix and healthcare.gov protect—or the threats they have to defend against—but it may undermine the idea that healthcare.gov is in a completely different situation because disclosing security information would “violate health-privacy laws.”
So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.
Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.
There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.
TODAY IN SLATE
Smash and Grab
Will competitive Senate contests in Kansas and South Dakota lead to more late-breaking races in future elections?
Stop Panicking. America Is Now in Very Good Shape to Respond to the Ebola Crisis.
The 2014 Kansas City Royals Show the Value of Building a Mediocre Baseball Team
The GOP Won’t Win Any Black Votes With Its New “Willie Horton” Ad
Sleater-Kinney Was Once America’s Best Rock Band
Can it be again?
Forget Oculus Rift
This $25 cardboard box turns your phone into an incredibly fun virtual reality experience.