Content

AP denied security docs on HealthCare.gov, a risk to private information

The Associated Press (AP) has made a call to the government, asking it to reconsider a decision to not publicly disclose federal documents related to the security of the HealthCare.gov website.

In a Tuesday report, the AP said that it made a request for records under the Freedom of Information Act to the Centers for Medicare and Medicaid Services (CMS) – the request was for documents pertaining to security software and the computer systems used for the HealthCare.gov website.

The request – which was made in late 2013 and included what the report referred to as a “site security plan” – was denied.

“Documents requested by the [AP] contain specific security information that, if released publicly, could put consumers' personal information at risk,” Aaron Albright, director of Media Relations Group at CMS, told SCMagazine.com in a Tuesday statement.

The CMS considers privacy and security of consumer personal information to be a top priority, Albright said, going on to add, “While we strive to provide the public with details of our operations, we concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information.”

The AP report reminds that President Obama said, in a 2009 memorandum on the Freedom of Information Act, that information should not be kept confidential “because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears.”

In a Tuesday email correspondence, Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, told SCMagazine.com that he understands the government's concerns, but added that the idea of “security through obscurity” does not work in the real world.

“Microsoft never released the source code to Windows XP, but lots of malicious people and groups still found vulnerabilities that enabled them to attack PCs running Windows XP over the years,” Gillula said.

Although Gillula admitted to not knowing what personal information the HealthCare.gov website contains, he said that if the data is tempting enough for hackers, they will find out and work to bypass whatever software the website is running, as well as the security measures that are in place.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.