Slashdot Mirror
ACA Health Exchange Contractors Have History of Security Failures
Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."
Are there any contractors that don't have a history of security failures?
The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.
Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.
Is there anyone here who had any doubt that the health exchange system would have serious security problems, given how many problems it's had, and security bugs being harder to avoid than many other types of bugs?
The worst part is, since this system integrates with the department of homeland security and the IRS, you don't even necessarily need to use the system for a security vulnerability to affect you.......
"First they came for the slanderers and i said nothing."
This is what happens when you don't hire people in the agencies with technical abilities to even be able to oversee the implementation of complex systems.
Privatization is good as long as you actually have competent people with technological expertise to oversee the development. Outsourcing all of this to the lowest bidder, then that company outsourcing components to the lowest bidder (and so on, and so forth) always causes these type of issues. We need technologist inside the government that can actually manage these projects.
Just the fact that there were 55 different contractors working on healthcare.gov is reason enough to suspect that major security flaws crept in.
The fact that the website was opened before any appreciable amount of testing was done is reason enough to suspect that most of those flaws are still undiscovered and uncorrected.
The government's project managers didn't even come up with a full specification for the largest contractor until this past Spring, with the expectation that everything would be done and ready for business on 1 October. It's a total clusterfuck, the true scope of which likely won't be discovered for several months.
http://www.newyorker.com/online/blogs/elements/2013/10/why-the-healthcaregov-train-wreck-happened-in-slow-motion.html
I've done some work as a government contractor. It's messy. They demand that you account for every hour. If you are working on 3 different projects, you have to fill out a timesheet in which you detail which hours of every day you spent on each of those 3 projects. This sort of thing misses the point that it's results that count, not hours.
They are keenly aware of the public perception of them as bungling bureaucrats. Consequently, they can be extremely pushy and demanding. Often they bear down so hard that it is counterproductive.
They're also paranoid control freaks. They want contractors to work on computer systems that are under their control. Instead of working on your own equipment in your own offices, they'll insist you use their facilities. Then they provide antiquated, slow computers with ancient versions of Windows, and take weeks to getting around to details like installing a phone line. There are also a ton of rules. They'll want you to pay for a cell phone, but they don't want your cell phone to have any privacy. You basically need permission to sneeze, and more permission to wipe your nose. Want to encrypt a hard drive? Maybe just keep a few encrypted files on a hard drive? Can't do that without authorization.
It takes a good contractor to stop them from hamstringing a project with red tape. You have to trample upon all sorts of rules to get anything done, and you need a smooth management team to keep the bureaucrats from worrying about violations. They will overlook all kinds of petty violations as long as there are good results. Let a project falter though, and the piranhas come out.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"