It's a huge undertaking to do this...
Sen. Tammy Baldwin (D-Wis.) recently introduced an amendment to an annual defense department appropriations bill requiring the U.S. Department of Veterans Affairs to stop using Social Security numbers (SSNs) as identification numbers for our veterans. The “huge undertaking” she referred to is the work effort associated with eliminating the SSN as a unique identifier. She has a good idea of the effort required for this endeavor; this is her second effort to change SSN policy through the amendment process.
The primary driver for this change is simple. We need to protect 23 million veterans against the dangers of identity theft using policies that reduce risk, instead of increasing risk, for all consumers of healthcare services. Her proposal follows the proven cyber security doctrine of shrinking the ‘attack surface,’ which limits exposure and reduces risk. This is a case where the legislative proposal aligns with good risk management practice: Gather as little sensitive information as possible so you can focus your resources on protecting essential data.
So why is shrinking the cyber threat attack surface such a huge undertaking, as indicated by Sen. Baldwin? This problem has been many years in the making. The SSN arose as a general identifier of records in 1943 through Executive Order 9397, requiring federal agencies to use the SSN in any new systems and processes. While there was not a lot of uptake in the 1940s and 1950s, the Civil Service Commission and the IRS adopted the SSN as the unique identifier in 1961 and 1962. Explosive growth in computer technology during the 1970s enabled even broader adoption of the SSN as a unique identifier.
Use of the SSN grew incrementally through the 1980s and 1990s for the military, immigration administration, Medicare and Medicaid, federal employees, and for U.S. citizens participating in entitlement benefit programs like food stamps. Veterans who served in the military in the 1980s and 1990s may remember receiving duffle bags with their SSNs printed on them for easier identification. In 1996, use of the SSN was expanded to enhance child support enforcement. For a long time, SSNs were the easiest way to identify an individual for professional licenses, drivers’ licenses, death certificates, birth records, divorce decrees, marriage licenses and more.
The gradual adoption of the SSN as the primary method for identification in the public and private sector has resulted in its pervasive use in core systems and processes. The healthcare industry is heavily dependent on the use of the SSN for patient identification, and there are many intermediaries with access to this information. This has led to a large attack surface and more opportunities for threat actors to gain access to this sensitive data for malicious purposes.
President Obama recently signed a bill requiring the Department of Health and Human Services to issue Medicare cards without SSNs to new and existing beneficiaries. Public policies like this, including the proposed amendment from Sen. Baldwin, are good steps in the right direction because they help reduce our dependence on the SSN as a unique identifier.
For its part, Aetna has taken several steps to reduce the use of SSNs and reinforce our security when we must handle this sensitive piece of member data.
In late 2013, Aetna changed its information classification policy by adding a new category of information: Restricted. This category requires added controls for information containing SSNs. The result of that policy change has been a gradual reduction in handling SSNs across the enterprise and better adherence to prudent risk management practices.
Several years ago, Aetna identified all of its core systems that process SSNs and began either eliminating them or reinforcing them with better protection. By the end of this year, close to a billion instances of SSN processing will have been eliminated or better protected using format-preserving encryption technology.
Aetna employees avoid sending SSNs via email thanks to programs and technology that block email messages with attachments containing SSNs. The result is a shrinking attack surface for Aetna members and a reduction in the probability of a security breach.
The significant progress made by Aetna is not without challenges. Plan sponsors and vendors can face difficulties absorbing the financial cost of changing systems and related business processes. As a result, we sometimes receive requests for policy exceptions asking for the handling of SSNs to continue. Fortunately, there is a growing population of plan sponsors that welcome the change, and there are vendors that have already eliminated the handling of SSNs for the right reasons.
Sen. Baldwin is right. It is a huge undertaking to eliminate the use of SSNs as a unique identifier, but we have long believed it is the right thing to do. Consumers, businesses and government all benefit when we reduce opportunities for data theft and increase protections for sensitive information.