Why The Obamacare Data Hub Will Lead To Identity Theft


Forbes.com
By Robert Book, Contributor

US President Barack Obama speaks during a press conference November 14, 2012 in the East Room of the White House in Washington, DC. (Image credit: AFP/Getty Images via @daylife)

My co-blogger Avik Roy has written an excellent explanation of the privacy and security problems with the ACA “data hub,” along with a summary of the specific laws and regulations that the administration is likely to have to circumvent or ignore to get the exchanges up and running on schedule by October 1. Emily Egan has produced a graph of six key milestone deadlines that have either already been missed or pushed back. The final certification is now scheduled for Monday, September 30 – the day before the exchanges are supposed to open for business on October 1.

All I have to add to that excellent discussion is what might be called a “game theory” analysis of why the administration is likely to, as Chris Holt puts it, “push forward with an on time opening even without a properly secured Hub – putting at risk the personal information of millions of Americans.”

Consider the following: If the exchanges fail to open as promised on October 1, it will be a major embarrassment for the Obama administration, possibly with significant political consequences. After a year and a half of pushing back deadlines, delaying major components of the law, and issuing “waivers” over and over again – but all the while promising that this component will be ready on time – failing to open on time will make it look like the entire health reform effort is just a charade.

On the other hand, if the system is not secure and they open it anyway, what is the cost? To the administration, very little. Although it is very likely that privacy will be violated and identities stolen, it won’t be definite, it won’t happen on Day 1, it won’t happen to everybody, and it won’t be publicly known – or even traceable to the data hub – for some time. By that point, the administration will have taken credit for opening the exchanges on schedule, and the news cycle will have moved on to other issues.

In other words, it will be a disaster – but for randomly selected, mostly non-famous Americans, rather than for the administration. For the administration, it will be a mere inconvenience, occurring at an unspecified time in the future (perhaps even after the current President leaves office).

This is perhaps the ultimate example of a phenomenon described by security expert Steve Hunt: from the point of view of decision-makers, security is just “an annoying layer of cost and inconvenience.”

The only question left is how the administration would go ahead with opening the system without a proper security certification. The answer is, they will just do it. Either the President will issue a “waiver” of the security requirement, as he has done with so many other requirements of the law, or the person with the authority to determine whether the system meets the requirements will be pressured to certify it regardless.

While constantly issuing “waivers” of federal law appears to be an innovation of this administration, certifying things because they “need” to be certified, rather than deserve to be, is not unusual in the federal government. Many years ago, I was asked to certify a system in a different part of the federal government that clearly did not meet its requirements. Even the people asking me to certify it acknowledged that it didn’t meet the requirements. When I pushed back, saying that I was uncomfortable writing a report that wasn’t true, I was told I had to certify it anyway, because they didn’t have the budget to fix it, they wanted to replace it anyway, and if it weren’t certified it wouldn’t be fixed anyway, so would I just please make life easy for them. I didn’t certify it, and got the impression that I was the first person they’d ever seen who actually cared whether the system met the requirements. What did they do? The folks in charge just ignored the requirement that the system be certified.

Fortunately, that other system didn’t involve the security of any private information. With the Obamacare data hub, we won’t be so lucky.