Netflix and healthcare.gov serve very different functions, but both sites collect personally identifiable information from users. The health care data may be more sensitive—or more strongly protected by health care privacy laws—but it’s not clear that healthcare.gov actually collects medical data. Writing in Forbes last year, Rick Ungar noted that on the site “there are no medically specific questions that require disclose of any medical information beyond learning whether or not you smoke.” That doesn’t mean there are no differences between the data Netflix and healthcare.gov protect—or the threats they have to defend against—but it may undermine the idea that healthcare.gov is in a completely different situation because disclosing security information would “violate health-privacy laws.”
So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.
Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.
There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.