
ACA Health Exchange Contractors Have History of Security Failures

Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."
  • SURPRISE! (Score:3, Insightful)

    by Jhon ( 241832 ) on Wednesday October 23, 2013 @12:14PM (#45213283) Homepage Journal

    It's bad enough we have private industry in charge of much of our private information. At least THEY can be held accountable and sued or fined out of existence or at least suffer PR so bad that their business fails.

    When the Government is in charge, what are you going to do? Sue them? Great. You win money from every taxpayer and the problem won't get fixed -- it will just be more expensive to run -- for every taxpayer.

  • by JDG1980 ( 2438906 ) on Wednesday October 23, 2013 @12:14PM (#45213299)

    Are there any contractors that don't have a history of security failures?

    The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.

    Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.

  • by phantomfive ( 622387 ) on Wednesday October 23, 2013 @12:15PM (#45213309) Journal
    Is there anyone here who had any doubt that the health exchange system would have serious security problems, given how many problems it's had, and security bugs being harder to avoid than many other types of bugs?

    The worst part is, since this system integrates with the Department of Homeland Security and the IRS, you don't even necessarily need to use the system for a security vulnerability to affect you...
  • by Isca ( 550291 ) on Wednesday October 23, 2013 @12:17PM (#45213347)
    This is what happens when you don't hire people in the agencies with technical abilities to even be able to oversee the implementation of complex systems.

    Privatization is good as long as you actually have competent people with technological expertise to oversee the development. Outsourcing all of this to the lowest bidder, then that company outsourcing components to the lowest bidder (and so on, and so forth) always causes these types of issues. We need technologists inside the government who can actually manage these projects.
  • Well.. (Score:4, Insightful)

    by TechyImmigrant ( 175943 ) on Wednesday October 23, 2013 @12:53PM (#45213765) Homepage Journal

    While it may be unsurprising that a government contractor can't get security right, expecting anyone to adhere to government security specifications is unreasonable. Take a look at them, they are a vast mess of poorly written hand waving. There are some with specifics (E.G. some of the crypto algorithm stuff), but the balance of it is 'framework' crap.

    You can make an honest job of adhering to federal computer security specs, but it's always possible to dig up another spec somewhere that contradicts it.

  • by Virtucon ( 127420 ) on Wednesday October 23, 2013 @12:57PM (#45213821)

    They're just a body shop living the H1B dream. [findthecompany.com]

    I find it somewhat repugnant that a US Healthcare website is being done by a slipshod vendor who relies on H1B staff for delivery and can't follow FIPS 200 standards? That's a no-brainer for anybody dealing with any Federal agency.

    https://oig.hhs.gov/oas/reports/region4/41205045.pdf [hhs.gov]

    QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.

    So Personally Identifiable Information for over 6 million Medicare beneficiaries wasn't protected and they still are working and billing to provide shitty software. I wonder how much of this is now in the hands of identity thieves selling Fullz...

    Your government at work, folks, what a wonderful sight to behold.

  • by Dachannien ( 617929 ) on Wednesday October 23, 2013 @01:01PM (#45213871)

    Just the fact that there were 55 different contractors working on healthcare.gov is reason enough to suspect that major security flaws crept in.

    The fact that the website was opened before any appreciable amount of testing was done is reason enough to suspect that most of those flaws are still undiscovered and uncorrected.

    The government's project managers didn't even come up with a full specification for the largest contractor until this past Spring, with the expectation that everything would be done and ready for business on 1 October. It's a total clusterfuck, the true scope of which likely won't be discovered for several months.

    http://www.newyorker.com/online/blogs/elements/2013/10/why-the-healthcaregov-train-wreck-happened-in-slow-motion.html [newyorker.com]

  • Re:Yeah, so what? (Score:3, Insightful)

    by mcgrew ( 92797 ) * on Wednesday October 23, 2013 @01:16PM (#45214015) Homepage Journal

    The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by obamacare, if they ever manage to get it up and running.

    The ACA was passed and signed and gone through the courts; it's the law. Obamacare is in fact up and running, what's not is the federal web site.

    Your state's isn't in place? That isn't the Feds' fault, it's your state government's. Illinois' is in place, and we have the most dysfunctional government in the US. Why isn't yours?

    Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system

    I'd mod you up if I had points. The reason the US has such expensive health care is the insurance companies. They're simply parasitic middlemen who do nothing but add cost.

  • You're surprised? (Score:4, Insightful)

    by Overzeetop ( 214511 ) on Wednesday October 23, 2013 @01:26PM (#45214127) Journal

    List all the companies who can, in under a year, put together a $50-400M (take your pick at the number) software system to service, conservatively, 30 million people in a day and interface with legacy systems from multiple governmental agencies.

    Cross off everyone on the list who isn't set up to do government contracting
    Cross off everyone on the list who can't meet HIPAA standards
    Cross off everyone who hasn't rolled out at least three systems of similar size and complexity in the past 5 years
    Cross off everyone who is headed by a foreign national

    Your list is going to be very, very short. I'd have had you cross out those with past roll-out failures or problems, but that would have given you a blank piece of paper to start with.

  • by ZombieBraintrust ( 1685608 ) on Wednesday October 23, 2013 @01:47PM (#45214421)
    Why is this racist crap modded up? I work with H1Bs and most of them went to better colleges than I did and have better degrees than I do. We're talking about people with 10, 15 years of experience. Now some outsourcing outfits hire people directly out of college. Quality can be low with these teams because there is a lot of turnover and poor communication with an offsite team. But those people tend to work in India for a few years. The competition for visas is high and people with no experience don't normally get them.
  • by smooth wombat ( 796938 ) on Wednesday October 23, 2013 @01:53PM (#45214511) Journal
    and Spanish speaking Americans are one of the key groups of the uninsured.

    Then maybe they should learn to speak English instead of expecting the entire country to bend over backwards for them. The same goes for the various Asian folks as well.

    It's all well and good to speak two languages, but you shouldn't expect people to accommodate you because you're too lazy. If I emigrated to Vietnam, should I expect them to bend over backwards for me because I didn't learn their language? They'd laugh at me day and night if I told them they need to go out of their way to post everything in English.

    But I guess it's easier to find a technical solution to a human problem than it is to fix the human problem.
  • by bzipitidoo ( 647217 ) <bzipitidoo@yahoo.com> on Wednesday October 23, 2013 @02:12PM (#45214771) Journal

    I've done some work as a government contractor. It's messy. They demand that you account for every hour. If you are working on 3 different projects, you have to fill out a timesheet in which you detail which hours of every day you spent on each of those 3 projects. This sort of thing misses the point that it's results that count, not hours.

    They are keenly aware of the public perception of them as bungling bureaucrats. Consequently, they can be extremely pushy and demanding. Often they bear down so hard that it is counterproductive.

    They're also paranoid control freaks. They want contractors to work on computer systems that are under their control. Instead of working on your own equipment in your own offices, they'll insist you use their facilities. Then they provide antiquated, slow computers with ancient versions of Windows, and take weeks to get around to details like installing a phone line. There are also a ton of rules. They'll want you to pay for a cell phone, but they don't want your cell phone to have any privacy. You basically need permission to sneeze, and more permission to wipe your nose. Want to encrypt a hard drive? Maybe just keep a few encrypted files on a hard drive? Can't do that without authorization.

    It takes a good contractor to stop them from hamstringing a project with red tape. You have to trample upon all sorts of rules to get anything done, and you need a smooth management team to keep the bureaucrats from worrying about violations. They will overlook all kinds of petty violations as long as there are good results. Let a project falter though, and the piranhas come out.

  • by rock_climbing_guy ( 630276 ) on Wednesday October 23, 2013 @02:20PM (#45214907) Journal
    For what it's worth, I recently moved to Colorado and I've found that their state health insurance exchange web site works just fine. I was able to browse plans available within a few minutes.

    I think it goes to show that there's nothing extraordinarily difficult about this web site. I suspect cronyism on the part of the federal government. How else can you explain that they paid ~ $600M for a web site that doesn't work? I think they could have handed that money to most anyone who posted to this discussion and gotten a better result.
