In a recent column, security expert Bruce Schneier proposed breaking up the NSA – handing its offensive capabilities work to US Cyber Command and its law enforcement work to the FBI, and terminating its programme of attacking internet security.
In place of this, Schneier proposed that “instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.” This is a profoundly good idea for reasons that may not be obvious at first blush.
People who worry about security and freedom on the internet have long struggled with the problem of communicating the urgent stakes to the wider public. We speak in jargon that’s a jumble of mixed metaphors – viruses, malware, trojans, zero days, exploits, vulnerabilities, RATs – that are the striated fossil remains of successive efforts to come to grips with the issue.
When we do manage to make people alarmed about the stakes, we have very little comfort to offer them, because Internet security isn’t something individuals can solve.
I remember well the day this all hit home for me. It was nearly exactly a year ago, and I was out on tour with my novel Homeland, which tells the story of a group of young people who come into possession of a large trove of government leaks that detail a series of illegal programmes through which supposedly democratic governments spy on people by compromising their computers.
I kicked the tour off at the gorgeous, daring Seattle Public Library main branch, in a hi-tech auditorium to an audience of 21st-century dwellers in one of the technology revolution’s hotspots, home of Microsoft and Starbucks (an unsung technology story – the coffee chain is basically an IT shop that uses technology to manage and deploy coffee around the world).
I explained the book’s premise, and then talked about how this stuff works in the real world. I laid out a parade of awfuls, including a demonstrated attack that hijacked implanted defibrillators from 10 metres’ distance and caused them to compromise other defibrillators that came into range, implanting an instruction to deliver lethal shocks at a certain time in the future.
Secrecy breeds suspicion. The role of secrecy in health care is practically non-existent so when we see examples of secrecy, as in the operational details of the Federal Data Services Hub, we get the recent outcry from a range of politicians and journalists waving privacy flags. For Patient Privacy Rights, this is a teachable moment relative to both advocates and detractors of the Affordable Care Act.
There’s a clear parallel between the recent concerns around NSA communications surveillance and health care surveillance under the ACA. Some surveillance is justified, to combat terrorism and fraud respectively, but unwarranted secrecy breeds suspicion and may not help our civil society.
“The Hub” is described by the government as:
“For all marketplaces, CMS [the Centers for Medicare and Medicaid Services] is also building a tool called the Data Services Hub to help with verifying applicant information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs. The hub will provide one connection to the common federal data sources (including but not limited to SSA, IRS, DHS) needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.
CMS has completed the technical design, and reference architecture for this work, is establishing a cross-agency security framework as well as the protocols for connectivity, and has begun testing the hub. The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.”
Here’s where the secrecy comes in: I tried to find out some specific information about the Hub. Technical or policy details that would enable one to apply Fair Information Practice Principles? Some open evidence of privacy by design? Some evidence of participation by privacy experts? I got nothing. Where’s Mr. Snowden when we need him?
As my head reels at the implications of the IRS scandal mushrooming in Washington, the IRS’s recently disclosed ability to access e-mails without warrant, the intricacy of the NSA PRISM wiretap techniques that includes their ability to acquire tech firms’ digital data, and even the Justice Department’s ability to secretly acquire telephone toll records from the Associated Press, I wonder (as a doctor) what all this means for the privacy protections afforded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in our new era of mandated electronic medical records. Are such privacy protections credible at all?
It doesn’t seem so.
Now it seems everyone’s health data is just as vulnerable to federal review as their Google search data. This is not a small issue. We have already seen that discovering “leaks” of personal health information has produced some very handsome rewards for the feds, so it is not beyond reason to think that HIPAA might also be a funding tool for our government health care administration disguised as a beneficent effort to protect the health care data of our populace.
But even more concerning is the role the IRS scandal has for America’s health care system. After all, the Affordable Care Act is ultimately funded by the IRS by administering some 47 tax provisions. These include the right to levy a penalty against businesses and individuals who don’t provide or acquire insurance and determining how to distribute annual subsidies to 18 million people who make less than $45,000 a year and thus qualify for subsidies in buying health coverage. In addition, the agency will collect taxes on medical devices and a surtax on people making more than $200,000 a year, as well as conducting compliance audits of tax-exempt hospitals.