By John Bambenek
Computer Security Expert
While much of the public attention is directed at the federal government slimdown and upcoming fight on the debt ceiling, a very important milestone was reached for the Affordable Care Act (ACA). Namely, the health care exchanges were “opened.”
One of the potential bright spots of the ACA was having a mechanism for individuals to shop for their own health care coverage instead of the “take what you are given” system we have now. Philosophically, at least, it’s the one thing everyone should be able to support. The devil is in the details, of course, but the ability for me (the consumer) to pick my own provider makes good economic sense, all things being equal. Of course, with the rules governing the exchanges, all things are not equal, but that’s a topic for another article.
In reality, though, despite spending more money to develop the website than Facebook spent to develop theirs, healthcare.gov was a massive and complete technical failure. We are now almost two weeks in and people are still having difficulty registering accounts. This isn’t just a technical glitch; this is now the case study in how to completely and utterly fail in an IT project.
By way of analogy, this would be like buying the latest iPhone and not being able to turn it on after two weeks. Would you keep it, or would you get your money back?
As much as others would like to spin this, we aren’t talking about complex business rules dealing with 36 different states and how they set up their exchanges. We are talking about a simple and known task to “create a username and password.” After more than $600 million, they couldn’t even figure that out.
There are those who say the site suffered under massive load from the number of interested people checking out the exchange. That might be easy to believe on the first day, but no one would continue trying after 10 days to access the exchange. Ask yourself, do you know anyone who kept going to healthcare.gov several times a day for two weeks straight? No one does that.
The fact is, it is clear no one bothered to test this web application for even basic functionality before it rolled out. If they did not bother to validate that people could register an account, what else was missed along the way? Unfortunately, we do have some hints.
In Minnesota, a federal employee e-mailed confidential information, including 2,400 Social Security numbers, to a health insurance broker in the state who had no need for the information and little, if any, involvement with the 2,400 people affected. This may sound like a minor issue, but if your local hospital breached patient privacy this way, it would face millions of dollars in fines under federal law and potentially more under state law.
The government takes privacy very seriously when it comes to enforcing the rules on private health care providers … as they should. And those private health care providers have spent millions to protect your privacy. That a government employee thought e-mailing that information out was legitimate shows failures far beyond that one incident.
This project was three years in the making, and basic footwork was not done and rudimentary security procedures were not implemented. If this were a private business, people would have already been fired, attorneys general would have opened investigations to protect consumers, and likely the business involved would cease to exist.
This administration hyped itself as one of the most technologically advanced administrations in the history of the United States, and its own major IT project, the health care exchange, has failed in every conceivable way. What makes anyone think it will be able to handle the technical complexities involved in the provision of health care in the long term in light of this massive failure?
John Bambenek is president and chief forensic examiner for Bambenek Consulting, a cybersecurity investigation firm. He resides in Champaign, Ill., and can be reached at email@example.com or http://bambenekconsulting.com.
From the Oct. 16-22, 2013, issue