The Associated Press (AP) has called on the government to reconsider its decision not to publicly disclose federal documents related to the security of the HealthCare.gov website.
In a Tuesday report, the AP said that it made a request for records under the Freedom of Information Act to the Centers for Medicare and Medicaid Services (CMS) – the request was for documents pertaining to security software and the computer systems used for the HealthCare.gov website.
The request – which was made in late 2013 and included what the report referred to as a “site security plan” – was denied.
“Documents requested by the [AP] contain specific security information that, if released publicly, could put consumers' personal information at risk,” Aaron Albright, director of Media Relations Group at CMS, told SCMagazine.com in a Tuesday statement.
The CMS considers privacy and security of consumer personal information to be a top priority, Albright said, going on to add, “While we strive to provide the public with details of our operations, we concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information.”
The AP report reminds readers that President Obama said, in a 2009 memorandum on the Freedom of Information Act, that information should not be kept confidential “because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears.”
In Tuesday email correspondence, Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, told SCMagazine.com that he understands the government's concerns, but added that the idea of “security through obscurity” does not work in the real world.
“Microsoft never released the source code to Windows XP, but lots of malicious people and groups still found vulnerabilities that enabled them to attack PCs running Windows XP over the years,” Gillula said.
Although Gillula admitted to not knowing what personal information the HealthCare.gov website contains, he said that if the data is tempting enough for hackers, they will find out and work to bypass whatever software the website is running, as well as the security measures that are in place.