Federal officials told the House Oversight Committee on Tuesday that lack of funding, outdated technology and the absence of coordinated approach from the Office of Management and Budget have stalled their ability to move away from Social Security numbers as identification markers inside federal agencies.
This meeting comes as agencies are still trying to wrestle with an OMB memo from 2007 requiring federal agencies to reduce or replace Social Security numbers use as identifiers across federal government. The memo required agencies to identify opportunities to reduce the use of SSNs and establish a plan to discontinue unnecessary use within 18 months.
The Social Security Administration currently processes approximately 2 billion SSN verifications per year, with more than half of these at the request of federal or state agencies.
Rep. Tom Rice, R-S.C., took note of the work still needed, citing the Office of Personnel Management hack as an example of federal negligence in protecting Social Security numbers.
“Unfortunately, while some progress has been made in reducing the use of Social Security numbers, 10 years later, there’s still much work to be done,” Rice said. “This hearing is about making sure that Social Security numbers are only used when necessary, and that the federal government is doing what it can — and what it should — to make sure that when Social Security numbers are used and collected, they are kept safe.”
OPM Chief Information Officer David DeVries said that the size and complexity of the government provides a challenge to creating a parallel architecture that will function in the same way as that which currently exists for SSNs, especially when promulgated down to lower levels of government.
The current solution for these agencies centers on the idea of creating alternative means of identification that can eventually replace the SSN within each agency.
Reps. David Schweikert, R-Ariz., and Paul Mitchell, R-Mich., expressed concerns with the effectiveness of creating several different sets of identification numbers, as this solution could lead to future complications and still have the possibility of being compromised by hacks and data breaches.
Both Schweikert and Mitchell raised the possibility of the use of “token systems” and encryption as an alternative solution. IT Subcommittee Chair Will Hurd, R-Texas, noted that Estonia, though its population is comparable to that of a large U.S. city at around 1.3 million, has achieved a tokenized system.
The issue, DeVries said, is translating private sector token technology to the government structure.
Mariana LaCanfora, acting deputy commissioner for the Social Security Administration’s Office of Retirement and Disability Policy, said that while essential to maintaining records, the SSN is being used in ways that it was not designed for.
“The SSN and SSN card were never intended, nor do they serve, as identification,” LaCanfora said. “We strongly encourage other agencies and the public to minimize their use.”
Two out of three notices from the Social Security Administration still include Social Security numbers. These notices are generated by 60 separate systems, providing a barrier to simply discontinuing the use of the SSN on these documents.
John Oswalt, an associate deputy assistant secretary at the Department of Veterans Affairs, is taking strides to eliminate excessive use of SSNs on prescription bottles and some other forms. But due to the lack of equally accurate means of identification, the SSN continues to be the “best means of insuring patient identification.”
“Elimination of the SSN use is not solely a function of information technology,” Oswalt said. “Business processes used by the Veterans Health Administration, the Veterans Benefits Administration and VA offices require a complete overhaul in how they establish absolute identity verification inside VA, and equally important, outside VA.”