Audit finds excellent cybersecurity at HealthCare.gov
Matthew Martin
9/25/2015 02:57:00 PM
Tweetable
Except, the audit did not find "slipshod" security at HealthCare.gov.
There was something screwy about all this coverage because the AP published a piece that, while not verbatim, was nearly identical to this one back in September 2014. By an accident involving a local news affiliate, Charles Gaba from the esteemed acasignups.net pointed me to the previous story here. That prompted me to chase down the HHS Inspector General's audit, no thanks to AP who failed to properly source their article.1 It turns out that the audit actually had the opposite to say about HealthCare.gov: security there is great.
The report released on 21 September 2015 was the formal writeup of an audit that the HHS Inspector General's office had conducted from August through December in 2014. In other words, this is the same audit as the AP covered in it's previous story in September 2014, and that's why the two AP stories are identical--they are literally talking about the exact same audit. The first AP story was based on a preliminary report produced by the HHS Inspector General's office about the preliminary findings in their security audit of MIDAS, a database system that HealthCare.gov and insurers use to store users' information to allow them to buy insurance through the HealthCare.gov interface. The new story is based on the formal write up of the audit (which is short because the actual technical details of the vulnerabilities were redacted to avoid giving hackers any ideas) conducted a year ago.
But here's the thing. The main reason for this new report is in fact to say that all of the security vulnerabilities have been fixed to the satisfaction of the HHS Inspector General's security team. The final line of the report:
"We have since reviewed the supporting documentation and verified CMS's remediation."In otherwords, the point of the new report is to say that cybersecurity at HealthCare.gov is now excellent. That's the only news here. But none of the News is covering it that way.
1. See what I did there, AP? It's called a hyperlink. It turns out that when you are writing about a thing on the internet, you can "link" to that thing and then users can click it and be redirected to that thing. You do this by typing what's called an "anchor tag" into the HTML code, which looks like this
<a href="[insert url here]">[insert display text here]</a>
.You should try it sometime.
That would be a tendentious way of reporting it. Like declaring that "the safety of the Space Shuttle is now excellent" after Nasa fixed the o-ring problem.