ACA Health Exchange Contractors Have History of Security Failures
Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."
It's bad enough we have private industry in charge of much of our private information. At least THEY can be held accountable and sued or fined out of existence or at least suffer PR so bad that their business fails.
When the Government is in charge, what are you going to do? Sue them? Great. You win money from every taxpayer and the problem won't get fixed -- it will just be more expensive to run -- for every taxpayer.
Are there any contractors that don't have a history of security failures?
The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.
Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.
The government department that contracted this company for the site, are they allowed to use any criteria other than the contract bid amount to decide who to go with? Are they required to go with the lowest bidder, or are they allowed to look at the company history when deciding who to hire?
Is there anyone here who had any doubt that the health exchange system would have serious security problems, given how many problems it's had, and security bugs being harder to avoid than many other types of bugs?
The worst part is, since this system integrates with the Department of Homeland Security and the IRS, you don't even necessarily need to use the system for a security vulnerability to affect you...
"First they came for the slanderers and I said nothing."
This is what happens when you don't hire people in the agencies with technical abilities to even be able to oversee the implementation of complex systems.
Privatization is good as long as you actually have competent people with technological expertise to oversee the development. Outsourcing all of this to the lowest bidder, then that company outsourcing components to the lowest bidder (and so on, and so forth) always causes these types of issues. We need technologists inside the government who can actually manage these projects.
So how do firms with a history like this, get these contracts? I'll give benefit of the doubt that not a single firm is 100% bulletproof when it comes to security, but this screams incompetence and malfeasance, since that breach was last year. And 'financial account information and bank routing information'? REALLY? I'd not go so far as to say this was collusion, because this can obviously be explained by stupidity and incompetence, but I'd leave that to the prosecution to argue.
That said, where do they go from here? It would appear the system for the ACA was 'doomed' before it even was developed.
...I'm just gonna send images of all my hard drives and net logs to the NSA and be done with this nonsense already.
Fuck... how many ways are we being spied on and our information leaked until sensible people just throw up their hands and say "enough already!"???
never bring a twinkie to a food fight.
[citation needed]
Seriously, every company has a history of security failures including the Company (CIA).
Nobody is perfect, and a conglomeration of people is even more likely to have been not-perfect. It's as if submitter is a Republitard.
It's been obvious for months to even the most internet-ignorant that there is no such thing as security online. The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by Obamacare, if they ever manage to get it up and running.
Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system, but we are too stupid to vote for something like that. Even if we did, the insurance lobby's votes mean much more than votes of citizens going to the polls, so even if the majority came to their senses and demanded a single-payer system, it would not happen.
OK, so we'll get more targeted spam about incontinence products, birth control, flatulence control, boner pills, etc. That will just make spam filters work a little harder.
It's good to see our government supporting do-overs. How are these contractors ever going to get better if we don't give them dump trucks full of money and let them try again and again until they get it right?
QSS failed to adhere to federal security standards
So no known stolen information from contractor 1 (yet).
Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges.
And contractor 2 is only handling the processing of paper applications.
It doesn't appear that these contractors will have a significant effect on the majority of ACA applications. Now, the other contractors...
http://www.amazon.com/Extortion-Peter-Schweizer/dp/0544103343
There ya go, 600 footnotes included.
"I say we take off, nuke the site from orbit. It's the only way to be sure."
The larger problem isn't the actual contractor, it's in the selection process.
At least, the companies that get these huge jobs are the ones that can successfully navigate the bidding process, as well as those that have a track record of complying with that process.
It's a matter of the metrics used not matching the result desired.
ACA/Obamacare health exchanges have had a lot of screwups, but I don't know if it'd work any other way initially (based on the fact that there are hundreds of agencies and different systems to interact with), any end-to-end testing would have to be on "friendly" / fake results.
Just my $.02, but if you actually *provide* quality work, you don't need to have that in your company's name. Only time will tell if this also applies to the word "affordable" ... :-)
It must have been something you assimilated. . . .
I'm sure the company has connections to or is owned by some bigshot politician's spouse or cousin, so that makes it ok.
Seven puppies were harmed during the making of this post.
The processes and hoops you have to jump through in order to respond to their requests for proposal are ridiculously complicated. Way too often companies who are not qualified get the contract merely because they knew how to play the system.
The government has programs to support small businesses like 8a for disadvantaged, one for businesses owned by disabled Vets, one for women owned. This does help some, but more often than not those companies are just paid so that bigger companies can bid for work and use them as the vehicle to get it. In my experience as a government contractor for most of my career I've seen countless scenarios of companies bidding for 8 resources on a task but really only using 2. I've seen them work on contracts for over a decade, and despite horrible execution of the project they continue to win the re-compete because they'll purposely squirrel away anyone who can help a new contract winner. They'll eat the cost and give people useless jobs at their corporate offices just to attempt to make the new contracting company fail.
There is also a terrible history of nepotism involved. The entire system is abused. Officers have even set up companies and awarded contracts to themselves right before retirement. When they leave they have a ready-made contracting company complete with an ongoing contract and perhaps one or two for their past performance record already. By the time they're caught, they are fined a million or so, which at that point is a small price to pay for them. They just had the world's best interest-free business startup loan. Yes, I have first-hand knowledge of one such instance of this and I know it is definitely not an isolated incident.
Here is an example of waste: When I was on one of my last contracts I spent months doing nothing of real consequence. Through some weird situation I was left with no project manager and no tasks. I informed all of the management who would listen, and requested work. I began to worry I'd be cut, along with the worry that if I sat idle my hard-earned skills would dull. I found another job and quit. I received a call from the vice president of the company telling me she was hearing what a great job I was doing and that they wanted to offer me a substantial raise to stay. It was then I realized they didn't care what I did. They could bill for me. By showing up I was doing a "good job". I couldn't take it and left.
While it may be unsurprising that a government contractor can't get security right, expecting anyone to adhere to government security specifications is unreasonable. Take a look at them; they are a vast mess of poorly written hand waving. There are some with specifics (e.g. some of the crypto algorithm stuff), but the balance of it is 'framework' crap.
You can make an honest job of adhering to federal computer security specs, but it's always possible to dig up another spec somewhere that contradicts it.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
So we should just accept things and move on? Business as usual?
Typical "rabid" political crap. If something has nothing to do with a political party make it about the other side and blame them.
You sir are the retard.
They're just a body shop living the H1B dream.
I find it somewhat repugnant that a US healthcare website is being done by a slipshod vendor who relies on H1B staff for delivery and can't follow FIPS 200 standards. That's a no-brainer for anybody dealing with any Federal agency.
https://oig.hhs.gov/oas/reports/region4/41205045.pdf
QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.
So Personally Identifiable Information for over 6 million Medicare beneficiaries wasn't protected, and they are still working and billing to provide shitty software. I wonder how much of this is now in the hands of identity thieves selling Fullz...
Your government at work, folks. What a wonderful sight to behold.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
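The OIG finding quoted above names two gaps: no inventory of essential ports and services in the system security plan, and no mechanism that disables or restricts unauthorized USB devices. Those read like the NIST SP 800-53 controls CM-7 (least functionality) and MP-7 (media use) that FIPS 200 points an agency at, though that mapping is mine, not the report's. The following is an added example, not code from QSSI, HHS or any poster in this thread, of what the missing control looks like in practice on a Linux host: an allowlist standing in for the SSP inventory, a per-device authorization decision of the kind a udev rule driving `/sys/bus/usb/devices/<dev>/authorized` makes, and a renderer for that default-deny rule set. The vendor/product IDs, serials and device records are constructed sample values.

```python
"""
Added example: default-deny USB device authorization driven by a
system-security-plan allowlist. Not from the OIG report or QSSI.
"""
from dataclasses import dataclass

USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # the class the audit finding is about
USB_CLASS_HUB = 0x09


@dataclass(frozen=True)
class UsbDevice:
    bus_port: str        # sysfs-style topology name, e.g. "1-1.4"
    vendor_id: int
    product_id: int
    device_class: int    # bInterfaceClass of the device's first interface
    serial: str = ""


# Stand-in for the "essential system services or ports" list in a
# system security plan. Entries are (vendor, product, serial); a serial
# of None means any unit of that model. All values are assumed.
SSP_ALLOWLIST = {
    (0x046D, 0xC31C, None),          # hypothetical sanctioned keyboard model
    (0x0781, 0x5583, "4C53000123"),  # one specific sanctioned USB drive
}


def decide(dev, allowlist=SSP_ALLOWLIST):
    """Return (authorized, reason) for one attached device.

    Policy: deny unless the unit (by serial) or the model is listed.
    Mass-storage devices get their own reason string so an auditor can
    count them separately, which is the number the OIG finding turns on.
    """
    if (dev.vendor_id, dev.product_id, dev.serial) in allowlist:
        return True, "unit listed by serial in SSP"
    if (dev.vendor_id, dev.product_id, None) in allowlist:
        return True, "model listed in SSP"
    if dev.device_class == USB_CLASS_MASS_STORAGE:
        return False, "unlisted mass-storage device"
    return False, "not in SSP inventory"


def audit(devices, allowlist=SSP_ALLOWLIST):
    """Map each bus port to its decision; the denied set is the finding."""
    return {d.bus_port: decide(d, allowlist) for d in devices}


def udev_rules(allowlist):
    """Render the allowlist as udev rules.

    The first rule sets authorized=0 for every newly added USB device;
    later rules re-enable only listed ones. udev applies rules in order,
    so the last matching ATTR assignment wins. Rule syntax is standard
    udev; the idea of writing the sysfs 'authorized' attribute from udev
    is the technique, the specific file name is the reader's choice.
    """
    lines = ['ACTION=="add", SUBSYSTEM=="usb", ATTR{authorized}="0"']
    for vid, pid, serial in sorted(allowlist, key=lambda k: (k[0], k[1], k[2] or "")):
        match = f'ATTR{{idVendor}}=="{vid:04x}", ATTR{{idProduct}}=="{pid:04x}"'
        if serial is not None:
            match += f', ATTR{{serial}}=="{serial}"'
        lines.append(f'ACTION=="add", SUBSYSTEM=="usb", {match}, ATTR{{authorized}}="1"')
    return "\n".join(lines) + "\n"


# Constructed sample inventory, as a scan of a workstation might show it.
SAMPLE_DEVICES = [
    UsbDevice("1-1.2", 0x046D, 0xC31C, USB_CLASS_HID),
    UsbDevice("1-1.3", 0x0781, 0x5583, USB_CLASS_MASS_STORAGE, "4C53000123"),
    UsbDevice("1-1.4", 0x0781, 0x5583, USB_CLASS_MASS_STORAGE, "9F00DEADBEEF"),
    UsbDevice("1-1.5", 0x1D6B, 0x0002, USB_CLASS_HUB),
]


def denied_ports(devices=SAMPLE_DEVICES, allowlist=SSP_ALLOWLIST):
    """Bus ports whose device would be left unauthorized."""
    return sorted(p for p, (ok, _) in audit(devices, allowlist).items() if not ok)


if __name__ == "__main__":
    for port, (ok, why) in audit(SAMPLE_DEVICES).items():
        print(f"{port}: {'ALLOW' if ok else 'DENY '} ({why})")
    print(udev_rules(SSP_ALLOWLIST))
```

The point of keying the drive on its serial rather than its model is that a sanctioned drive and an attacker's drive of the same model are otherwise indistinguishable to the rule engine; the trade-off is that the SSP inventory then has to be maintained per unit, which is exactly the policy-and-procedure upkeep the finding says was not happening.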
Just the fact that there were 55 different contractors working on healthcare.gov is reason enough to suspect that major security flaws crept in.
The fact that the website was opened before any appreciable amount of testing was done is reason enough to suspect that most of those flaws are still undiscovered and uncorrected.
The government's project managers didn't even come up with a full specification for the largest contractor until this past Spring, with the expectation that everything would be done and ready for business on 1 October. It's a total clusterfuck, the true scope of which likely won't be discovered for several months.
http://www.newyorker.com/online/blogs/elements/2013/10/why-the-healthcaregov-train-wreck-happened-in-slow-motion.html
Something like Angie's List for government contracts and a mandate to force its use. Now, who do we contract to build it?
Silence is a state of mime.
You can sign the petition here.
For those who seek perfection there can be no rest on this side of the grave.
Get ready for the torrent of people who've never dealt with gov't contracting who are just so sure they could do it better. Dunning-Kruger in the house, like usual on /.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
The worst thing about a centralized system like healthcare.gov is that it represents a tremendously juicy target for criminals of all kinds - from ID thieves to phishers that want some personal info to run a scam. Never mind this company, I'm not sure I trust ANYONE to develop a system that is secure against the number and complexity of attacks that will be made.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And at least Carter has tried to make up for it, often acting as an envoy, or making sure that elections aren't rigged in third world countries.
He needs to check out elections in most US states and organizations that are helping to allow people to undermine the system.
http://dailycaller.com/2012/10/10/new-okeefe-video-obama-campaign-staffer-caught-helping-activist-vote-twice/
http://www.washingtontimes.com/news/2013/feb/19/ohio-poll-worker-who-admits-voting-twice-obama-may/
http://articles.baltimoresun.com/2012-09-14/news/bs-md-wendy-rosen-withdraws-20120910_1_wendy-rosen-maryland-democratic-party-general-election
And it's funny how the DOJ goes after states that try to enact voter ID laws because it will somehow disenfranchise voters. It's one person, one vote.
Use in-house employees instead. Hire well-qualified experienced employees, paid well (considering the costs of living in DC if they are not working from remote).
now we need to go OSS in diesel cars
While you see a lot of US companies there, they were either providing support services (like surveying people about possible use of the system), advertising and publicity services, or secondary systems.
Most of the rest were "consulting" jobs, with only a few real hardware/software production contracts in the mix.
Once you get past the obvious $93 million for CGI, the next one of any size is Maximus Federal Services, which has a certain track record for handling this sort of thing - they were obviously hired to do the connections between the ACA site and things like CHIP and Medicaid. Makes you wonder why they're a secondary contractor, though, instead of the primary.
The big thing to remember is that even CGI isn't the effective primary contractor. That job effectively fell to HHS government bureaucrats, who had a stranglehold on the management of the whole mess, even though they definitely had no experience or training in such matters.
List all the companies who can, in under a year, put together a $50-400M (take your pick at the number) software system to service, conservatively, 30 million people in a day and interface with legacy systems from multiple governmental agencies.
Cross off everyone on the list who isn't set up to do government contracting
Cross off everyone on the list who can't meet HIPAA standards
Cross off everyone who hasn't rolled out at least three systems of similar size and complexity in the past 5 years
Cross off everyone who is headed by a foreign national
Your list is going to be very, very short. I'd have had you cross out those with past roll-out failures or problems, but that would have given you a blank piece of paper to start with.
Is it just my observation, or are there way too many stupid people in the world?
burns the code.
> All you fools who called Bush II "the worst President ever" are now seeing the true worst President ever in action.
Obama was not president during Bush, so it's not an either/or; they can both be the worst president ever for their time in history, and I would submit that is not only what happened, but it's an unbroken tradition since at least Ike.
> Jimmy Carter - previous holder of that title - is ecstatic.
He was dethroned handily by Reagan. Reagan, who continued to push the drug war, bringing us the highest murder rate since alcohol prohibition ended. We saw the draining of the SSI trust fund (which was supposed to be firewalled from the rest of the budget) under him. We saw a terrible arms race that helped to set up many of our current-day wars... and the massive increase in national debt.
> Don't think 0bama is the worst ever?
Someone might not, but he's at least on par with the rest of them.
"I opened my eyes, and everything went dark again"
It's interesting that as ObamaCare proves to be a huge disaster, the media outlets begin to call it "ACA" or "Affordable Care Act" in an effort to protect Obama's name.
I think I have heard the actual name of the Act more in the last week than in the last several years.
Why is this racist crap modded up? I work with H1Bs and most of them went to better colleges than I did and have better degrees than I do. We're talking about people with 10, 15 years of experience. Now some outsourcing outfits hire people directly out of college. Quality can be low with these teams because there is a lot of turnover and poor communication with an offsite team. But those people tend to work in India for a few years. The competition for visas is high and people with no experience don't normally get them.
is so going to end in tears.
I think it goes to show that there's nothing extraordinary difficult about this web site. I suspect cronyism on the part of the federal government. How else can you explain that they paid ~ $600M for a web site that doesn't work. I think they could have handed that money to most anyone who posted to this discussion and gotten a better result.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
H1Bs exist to drive down labor rates in the US, screwing over folks who are already here, and they're not necessarily getting the best talent either. If you're telling me that Quality Shit Software couldn't find qualified candidates in the beltway for this project, then you're full of crap. That's not racist by the way and I object to the use of the term, but since QShit was looking for Business Analysts and Engineers, I know that there are plenty of those in DC who could have done the job. There's lots of these outfits out there, WiPro, InfoSys, Tata and others, who use the H1B and pay less than other companies for the same work and sell themselves as saving money for the companies they work for. These are Indian outsourcing firms and they get called out even in their own nation. If we're going to have H1B Visas in this nation, then we damn well better insist that 1) Companies who are sponsoring H1Bs have done their due diligence in trying to find a qualified candidate already here. That means verification with screening results, not just Taleo bullshit disqualification. 2) That the wages the H1B employee is paid are at least above the 80th percentile for the work, in the area where they're working, and only for the duration of that work. 3) Once the work is finished, if the H1B candidate doesn't have a Green Card or is not on the path to citizenship, they need to go back and not job hop. Did you also know that the top ten sponsors of H1B visas are offshore outsourcing companies? That's another gap that has to be fixed; specifically, companies that are in the body shop business need to be excluded from sponsoring H1Bs. I'm for letting people work in this country but the playing field needs to be a bit more balanced and indexed on unemployment figures as well; if that's racist to you then fuck off.
Or Saudi Arabia. So much for being the Messiah and bringing the world together in a Kumbaya moment.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Great book! I'm halfway through it and it has got me riled up enough to ...Hey! Shiny ponies!
I'm all in favor of the ACA. In fact, on the state level, they've done just fine (it's notable that the only reason the federal system is even necessary is because a number of states refused to do it).
On the other hand, how the fuck did we end up with this crap? You cannot roll out a project to millions of users this quickly and without adequate load testing. Also, why the hell aren't the contractors American? All this lip service the Democrats pay every election year to eliminating tax breaks for outsourcing and they can't bother to use American companies that will guarantee the work won't be subcontracted to some other company outside the US?
We actually have competent IT contracting firms in the US. They tend to be expensive, but they have enough experience that they can predict how long and how much it will cost to deliver working software. Ultimately, it ends up costing less in the long run to pay more up front, because the software actually does what you want it to do.
(Of course, this might not be a matter of corruption rather than cost, but my points still apply.)
Just about. One of the two, Obama or Bush II, is the worst president since Harding or perhaps Fillmore. By the numbers, things that can be objectively compared, Obama comes out significantly worse than Bush. It's mostly economic numbers that can be objectively compared.
One thing about Bush is he really began to suck in the final year or two of his eight years. It wasn't until 2008 that economic growth dropped below 3%, and the country didn't go into recession until Obama took office (recession meaning negative growth). Seven of Bush's eight years weren't bad, looking at the objective numbers, and subjective approval ratings tell the same story.
In 2004, Bush's approval rating was 65%; Obama rated 45% at the same point in his presidency. Again, that's 45% Obama, 65% Bush.
Absolutely Bush was a below-average president - nearly 80% of historians agree on that. For this month, the October following re-election, only Nixon has a lower approval rating than Bush and Obama, who are tied for second worst.
So yeah, we've done a TERRIBLE job of picking the last two presidents. Their two predecessors, Clinton and Bush Sr., were average to slightly above average, by the numbers. Not great picks, but significantly better than these last two. (Compare approval average for all presidents 54%, Clinton average approval 55%, Bush Sr. average approval 60%).
DEY TURK OUR JERBS!!!!1!
I don't believe it is helpful to look at particular years and their figures. We need to look into what caused those years to be good or bad and those are the previous years.
Just as an example, Clinton did very well by the time he left office, right? Well, he was helped by the internet bubble. And the stock market tanked in April-May of the election year when it looked like Gore would beat Bush. Also, he and his Republican congress couldn't agree on spending, so spending was held in check.
Bush started out okay, then 9/11 happened and knocked the U.S. into a recession. They decided on doing Afghanistan. That wasn't costly, but Iraq was. In the meantime, he pushed through tax cuts and didn't fund the Iraq war with tax increases. The tax cuts put the budget firmly in the red. He also extended Medicare with Part D, that was more money. Meanwhile the housing bubble was happening, and neither Greenspan, nor Bush, nor the Republicans, nor the Democrats wanted to puncture that balloon. Had they done that in 2005, Obama wouldn't have been dealt the bad deck he got. That decade also helped shake out moderates in both parties, the 2010 census and subsequent redistricting cemented it.
Obama isn't blameless, he turned healthcare over to the Dems in Congress who proceeded to decorate it like a Christmas tree and who decided they didn't need any Republican buy-in since they controlled both Houses figuring that Americans were going to love them for it and make their majorities unassailable for years. Obama shot himself in the foot on that one. It only took 3 years for them chickens to come home to roost. The Dems also sold the soul of the ACA to the insurance companies guaranteeing it would be FrankenCare. There were supposed to be healthcare cooperatives like Germany has. The insurance companies have all but spiked those. Most will go out of business shortly.
Before I forget, the individual mandate for buying healthcare, that was a Republican idea from the Heritage Institute (I believe in the 2000's if not before in the 1990's) before it was taken over by Jim Demint.
" (Compare approval average for all presidents 54%, Clinton average approval 55%, Bush Sr. average approval 60%)."
Context, people: the numbers are meaningless unless you take into account the effect of the conditions (economic, political, cultural, etc.) going on during each president's reign (for some leaders, "reign" describes it better than "administration").
Nobody gives a hoot about their universities or degree. Show us the product. Thank you, that will be all.
Sure that has something to do with it. Clinton took office while growth was strong and he's given credit for what he was handed. This even though growth slowed a lot over his eight years and his final two budget years, with his policies having been in place for a few years, were much worse than what Bush Sr. handed him.
On the other hand, Reagan and Obama both took over during poor economic conditions. Eight years of Reagan saw great improvement and people recognize that. Six years of Obama have had things go from bad to worse, and people can see that too. Eight years is a long time, and people see if things get better or get worse.
So which of the 10 "colleges" per city block is the superior one again? Anybody forging their resumes on a massive scale? Having others take their interviews?
...so they can't make them into 60-80+ hour workers who get kicked out if they say no.
Right, they are terrible at it. But are other IT companies better?
The bare concept of a contracted IT project has issues. Some engineers will work during the project time, and will move to something else once it is completed. That means they never face the consequences of their bad practices.
You're probably just propagandizing, but in case you believe that:
http://data.bls.gov/timeseries/LNS11300000
What that's showing you is that 3% of the population have used up their benefit. They are still unemployed, they just aren't getting benefits anymore. In 2008, 66% of the population was either working or eligible for unemployment. In 2013, 63% are - 3% have either used up their two years of unemployment benefits or simply given up.
7.2% are getting unemployment benefits, 3% are no longer eligible = 10.2% real unemployment.
Yes, people see that since the republicans took the house in 2011 after the 2010 election they haven't been real cooperative.
Some people also realize nothing got done for the years that Obama had his own democrats in charge of the house and senate.
A few people remember that Reagan got things done while the opposing party controlled both house and senate.
I was in the same situation at my last company. My job was to correct their amateur coding errors and make the product work.
As with most groups of people, there are good ones and there are bad ones. I am glad you got the good ones but that isn't everyone's experience.
http://www.amazon.com/Extortion-Peter-Schweizer/dp/0544103343 There ya go, 600 footnotes included.
Except your citation isn't for what the AC posted, i.e. "The ACA has been a such a failure and promises to bankrupt the country."
Well, if the Red states weren't so stubborn as to opt-out, at least we'd have 50 different systems.
Wow, 50 different targets to crack sure is an even better choice! Especially when they all go against the same central server to record and search for sensitive data! Nothing better than giving a guy 50 chances to break into a warehouse with hundreds of millions of items of juicy data!