In order to protect the privacy of Americans, Protected Health Information and other highly sensitive data must have a finite lifespan. When data is no longer required it must be securely destroyed. Holding data indefinitely is an unnecessary security risk, yet the government is recording healthcare information in its MIDAS – Multidimensional Insurance Data Analytics System – database indefinitely.
The MIDAS database is maintained by CACI under government contract, and is owned by the Centers for Medicare and Medicaid Services. The MIDAS database is a critical component of Barack Obama’s Healthcare reform, and is instrumental to the smooth running of the system. The database has been in operation for four years, and serves as a perpetual central repository for all data collected. That data includes Personally Identifiable Information (PII) and Protected Health Information (PHI) of well over a million Americans, and that number is growing.
Individuals’ full names, addresses, contact telephone numbers and home addresses are stored with passport numbers, Social Security numbers, financial information and the individual’s employment status. This is exactly the data that hackers are looking to steal.
There was a time when government databases and computer networks were considered to be almost impregnable; however, the past few days have shown that this is most definitely not the case. The recent mega data breach at the OPM confirmed this and showed the world that, instead of using the latest technological safeguards to protect data, many of the desktop computers and servers used by the government are too old to even have the data they contain encrypted.
MIDAS Database a Gold Mine for Hackers
The protections put in place by the government to prevent cyber-attacks are being questioned following the OPM breach, but there is another issue that is also causing a great deal of concern among privacy advocates: the quantity of data held in the MIDAS system, and how large that data repository is likely to grow.
The government will not disclose the actual number of individuals currently in the database, but has provided an estimate of 1 million. That figure is likely to be extremely conservative, especially considering incomplete and failed applications are also stored in the database.
At present, despite having four years to come up with a policy on the length of time that MIDAS can store data, a storage time limit has failed to materialize. A ten-year limit for data storage has been suggested by the National Archives, but even this lengthy spell has not been written into policy.
Data protection laws demand that data collection and storage should be limited to “the minimum necessary information” and that information should be stored for the minimum period of time. Indefinite data storage is an unnecessary security risk, especially for the government at a time when foreign government-backed attacks are targeting Americans.
Privacy and Security Standards Must Improve
The Center for Democracy & Technology’s deputy director for consumer privacy, Michelle De Mooy, told the Associated Press, “When people go to government services sites, they don’t have a choice.” Data is recorded and stored regardless of individuals’ wishes. She went on to say, “That means the privacy and security bar should be very high.”
Unfortunately the bar appears to be much lower than the one healthcare providers must reach. The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct a full risk analysis to identify all potential privacy and security vulnerabilities. They must then address all of the risks and reduce them to a minimal and acceptable level.
The Centers for Medicare and Medicaid Services appears to have missed this vital – and basic – security step, according to a report issued by the Government Accountability Office last year. The report states that no privacy risk assessment took place prior to the system going live. It only happened last year.
With no time limit on data storage as well, it would appear that MIDAS data security is well behind the times and the government has some way to go to bring its own security up to public sector standards. Privacy advocates are calling for changes to be made now.