Slashdot Mirror
ACA Health Exchange Contractors Have History of Security Failures
Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."
It's bad enough we have private industry in charge of much of our private information. At least THEY can be held accountable and sued or fined out of existence or at least suffer PR so bad that their business fails.
When the Government is in charge, what are you going to do? Sue them? Great. You win money from every tax payer and the problem wont get fixed -- it will just be more expensive to run -- for every tax payer.
Are there any contractors that don't have a history of security failures?
The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.
Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.
The government department that contracted this company for the site, are they allowed to use any criteria other than the contract bid amount to decide who to go with? Are they required to go with the lowest bidder, or are they allowed to look at the company history when deciding who to hire?
Technoli
Is there anyone here who had any doubt that the health exchange system would have serious security problems, given how many problems it's had, and security bugs being harder to avoid than many other types of bugs?
The worst part is, since this system integrates with the department of homeland security and the IRS, you don't even necessarily need to use the system for a security vulnerability to affect you.......
"First they came for the slanderers and i said nothing."
This is what happens when you don't hire people in the agencies with technical abilities to even be able to oversee the implementation of complex systems.
Privatization is good as long as you actually have competent people with technological expertise to oversee the development. Outsourcing all of this to the lowest bidder, then that company outsourcing components to the lowest bidder (and so on, and so forth) always causes these type of issues. We need technologist inside the government that can actually manage these projects.
A large part of it is who you know to get your foot in the door. Once you've done government projects it's easier to land more contracts. I suspect in this company's case that the breach happened after they had already signed contracts to work on this project (at least with Serco)
...im just gonna send images of all my hard drives and net logs to the NSA and be done with this nonsense already.
fuck...how many ways are we being spied on and our information leaked until sensible people just throw up their hands and say "enough already!"???
never bring a twinkie to a food fight.
[citation needed]
It's been obvious for months to even the most internet-ignorant that there is no such thing as security on-line. The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by obamacare, if they ever manage to get it up and running.
Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system, but we are too stupid to vote for something like that. Even if we did, the insurance lobby's votes mean much more than votes of citizens going to the polls, so even if the majority came to their senses and demanded a single-payer system, it would not happen.
OK, so we'll get more targeted spam about incontinence products, birth control, flatulence control, boner pills, etc. That will just make spam filters work a little harder.
The question is, what contractor do you know who would be do it right? Really, IBM? Would you prefer Oracle did this, do you think that would give it better security?
"First they came for the slanderers and i said nothing."
http://www.amazon.com/Extortion-Peter-Schweizer/dp/0544103343
There ya go, 600 footnotes included.
"I say we take off, nuke the site from orbit. It's the only way to be sure."
The larger problem isn't the actual contractor, it's in the selection process.
At least, the companies that get these huge jobs are the ones that can successfully navigate the bidding process, as well as those that have a track record of complying with that process.
It's a matter of the metrics used not matching the result desired.
ACA/Obamacare health exchanges have had a lot of screwups, but I don't know if it'd work any other way initially (based on the fact that there are hundreds of agencies and different systems to interact with,. any end to end testing would have to be on "friendly" / fake results.
Just my $.02, but if you actually *provide* quality work, you don't need to have that in your company's name. Only time will tell if this also applies to the word "affordable" ... :-)
It must have been something you assimilated. . . .
The processes and hoops you have to jump through in order to respond to their requests for proposal are ridiculously complicated. Way too often companies who are not qualified get the contract merely because they knew how to play the system.
The government has programs to support small businesses like 8a for disadvantaged, one for businesses owned by disabled Vets, one for women owned. This does help some, but more often than not those companies are just paid so that bigger companies can bid for work and use them as the vehicle to get it. In my experience as a government contractor for most of my career I've seen countless scenarios of companies bidding for 8 resources on a task but really only using 2. I've seen them work on contracts for over a decade, and despite horrible execution of the project they continue to win the re-compete because they'll purposely squirrel away anyone who can help a new contract winner. They'll eat the cost and give people useless jobs at their corporate offices just to attempt to make the new contracting company fail.
There is also a terrible history of nepotism involved. The entire system is abused. Officers have even set up companies and awarded contracts to themselves right before retirement. When they leave they have a ready made contracting company complete with an ongoing contract and perhaps one or two for their past performance record already. By the time they're caught, they are fined a million or so which at that point is small price to pay for them. They just had the world's best interest free business startup loan. Yes, I have first-hand knowledge of one such instance of this and I know it is definitely not an isolated incident.
Here is an example of waste: When I was on one of my last contracts I spent months doing nothing of real consequence. Through some weird situation I was left with no project manager and no tasks. I informed all of the management who would listen, and requested work. I began to worry I'd be cut, along with the worry that if I sat idle my hard-earned skills would dull. I found another job and quit. I received a call from the vice president of the company telling me she was hearing what a great job I was doing and that they wanted to offer me a substantial raise to stay. It was then I realized they didn't care what I did. They could bill for me. By showing up I was doing a "good job". I couldn't take it and left.
While it may be unsurprising that a government contractor can't get security right, expecting anyone to adhere to government security specifications is unreasonable. Take a look at them, they are a vast mess of poorly written hand waving. There are some with specifics (E.G. some of the crypto algorithm stuff), but the balance of it is 'framework' crap.
You can make an honest job of adhering to federal computer security specs, but it's always possible to dig up another spec somewhere that contradicts it.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
They're just a body shop living the H1B dream.
I find it somewhat repugnant that a US Healthcare website is being done by a slipshod vendor who relies on H1B staff for delivery and can't follow FIPS 200 standards? That's a no-brainer for anybody dealing with any Federal agency.
https://oig.hhs.gov/oas/reports/region4/41205045.pdf
QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.
So Personally Identifiable Information for over 6 Million Medicare beneficiaries wasn't protected and they still are working and billing to provide shitty software. I wonder how much of this is now in the hands if identity thieves selling Fullz..
your government at work folks, what a wonderful sight to behold.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Just the fact that there were 55 different contractors working on healthcare.gov is reason enough to suspect that major security flaws crept in.
The fact that the website was opened before any appreciable amount of testing was done is reason enough to suspect that most of those flaws are still undiscovered and uncorrected.
The government's project managers didn't even come up with a full specification for the largest contractor until this past Spring, with the expectation that everything would be done and ready for business on 1 October. It's a total clusterfuck, the true scope of which likely won't be discovered for several months.
http://www.newyorker.com/online/blogs/elements/2013/10/why-the-healthcaregov-train-wreck-happened-in-slow-motion.html
Is something like angieslist for government contracts and a mandate to force its use. Now, who do we contract to build it?
Silence is a state of mime.
They will never get it right. That's how they keep the dump trucks coming in.
now we need to go OSS in diesel cars
You can sign the petition here.
For those who seek perfection there can be no rest on this side of the grave.
Get ready for the torrent of people who've never dealt with gov't contracting who are just so sure they could do it better. Dunning-Krueger in the house, like usual on /.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
The worse thing about a centralized system like healthcare.gov, is that it represents a tremendously juicy target for criminals of all kinds - from ID thieves to phishers that want some personal info to run a scam. Never mind this company, I'm not sure I trust ANYONE to develop a system that is secure against the number and complexity of attacks that will be made.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And at least Carter has tried to make up for it, often acting as an envoy, or making sure that elections aren't rigged in third world countries.
He needs to check out elections in most US states and organizations that are helping to allow people to undermine the system.
http://dailycaller.com/2012/10/10/new-okeefe-video-obama-campaign-staffer-caught-helping-activist-vote-twice/
http://www.washingtontimes.com/news/2013/feb/19/ohio-poll-worker-who-admits-voting-twice-obama-may/
http://articles.baltimoresun.com/2012-09-14/news/bs-md-wendy-rosen-withdraws-20120910_1_wendy-rosen-maryland-democratic-party-general-election
And it's funny how the DOJ goes after states that try to enact voter ID laws because it will somehow disenfranchise voters. It's one person, one vote.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Use in-house employees instead. Hire well-qualified experienced employees, paid well (considering the costs of living in DC if they are not working from remote).
now we need to go OSS in diesel cars
While you see a lot of US companies there, they were either providing support services (like surveying people about possible use of the system) advertising and publicity services, or secondary systems.
Most of the rest were "consulting" jobs, with only a few real hardware/software production contracts in the mix.
Once you get past the obvious $93 million for CGI, the next one of any size is Maximus Federal Services, which has a certain track record for handling this sort of thing - they were obviously hired to do the connections between the ACA site and things like CHIP and Medicaid. Makes you wonder why they're a secondary contractor, though, instead of the primary.
The big thing to remember is that even CGI isn't the effective primary contractor. That job effectively fell to HHS government bureaucrats, who had a stranglehold on the management of the whole mess, even though they definitely had no experience or training in such matters.
List all the companies who can, in under a year, put together a $50-400M (take you pick at the number) software system to service, conservatively, 30 million people in a day and interface with legacy systems from multiple governmental agencies.
Cross off everyone on the list who isn't set up to do government contracting
Cross off everyone on the list who can't meet HIPAA standards
Cross off everyone who hasn't rolled out at least three systems of similar size and complexity in the past 5 years
Cross off everyone who is headed by a foreign national
You're list is going to be very, very short. I'd have had you cross out those with past roll-out failures or problems, but that would have given you a blank piece of paper to start with.
Is it just my observation, or are there way too many stupid people in the world?
burns the code.
> All you fools who called Bush II "the worst President ever" are now seeing the true worst President
> ever in action.
Obama had not been president during bush, so its not an either or, they can both be the worst president ever for their time in history, and I would submit, that is not only what happened, but its an unbroken tradition since at least Ike.
> Jimmy Carter - previous holder of that title - is ecstatic.
He was dethroned handidly by Reagan. Reagan who continued to push the drug war bringing us the highest murder rate since alcohol prohibition ended. We saw the draining of the SSI trust fund (which was supposed to be firewalled from the rest of the budget) under him. We saw a terrible arms race that helped to set up many of our current day wars...and the massive increase in national debt.
> Don't think 0bama is the worst ever?
Someone might not, but, hes at least on par with the rest of them.
"I opened my eyes, and everything went dark again"
Why is this racist crap modded up. I work with H1Bs and most of them went to better colleges than I did and have better degrees than I do. Were talking about people with 10, 15 years of experiance. Now some outsourcing outfits hire people directly out of college. Quality can be low with these teams because there is alot of turnover and poor communication with an offsite team. But those people tend to work in India for a few years. The compitition for visas is high and people with no experiance don't normally get them.
I think it goes to show that there's nothing extraordinary difficult about this web site. I suspect cronyism on the part of the federal government. How else can you explain that they paid ~ $600M for a web site that doesn't work. I think they could have handed that money to most anyone who posted to this discussion and gotten a better result.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
H1B's exist to drive down labor rates in the US, screwing over folks who are already here and they're not necessarily getting the best talent either. If you're telling me that Quality Shit Software couldn't find qualified candidates in the beltway for this project, then you're full of crap. That's not racist by the way and I object to the use of the term, but since QShit was looking for Business Analysts and Engineers, I know that there are plenty of those in DC who could have done the job. There's lots of these outfits out there, WiPro, InfoSys, Tata and others who use the H1B and pay less than other companies for the same work and sell themselves as saving money for the companies they work for. These are Indian outsourcing firms and they get called out even in their own nation. If we're going to have H1B Visas in this nation, then we damn well better insist that 1) Companies who are sponsoring H1Bs have done their due diligence in trying to find a qualified candidate already here. That means verification with screening results not just Taleo bullshit disqualification. 2) That the wages the H1B employee are paid are at least above the 80% percentile for the work, in the area where they're working and only for the duration of that work. 3) Once the work is finished, if the H1B candidate doesn't have a Green Card or is not on the path to citizenship, they need to go back and not job hop. Did you also know that the top ten sponsors of H1B visas or offshore outsourcing companies? That's another gap that has to be fixed, specifically companies that are in the body shop business need to be excluded from sponsoring H1Bs. I'm for letting people work in this country but the playing field needs to be a bit more balanced and indexed on unemployment figures as well, if that's racist to you then fuck off.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Google. They manage huge amounts of data, know how to do it, have had relatively few (if any) data breaches, etc.
But then again, they got out of the Health Care business when they realized what a cluster fuck it really was. My guess, Obama, Reid and Pelosi have no idea what the hell they were doing, crafted legislation as if they were experts, and have left us holding the bag of an unworkable system which was designed to get us to a single payer system, which each one of them said they preferred.
This is the problem with politics, nobody cares what people say they are doing, only want they appear to be doing. In this case they appear to be "giving health care insurance to everyone (they aren't but that is besides the point) while saying they want a single payer system. It was Broken by Design. It should be repealed and those people should NEVER be allow anywhere near health care system ever again. However, they will get a pass for "trying" (noisy way of doing nothing) to fix health care system that they think is broken. Unfortunately for us, they have to break it some more before they can try to "fix" it with single payer.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Or Saudi Arabia. So much for being the Messiah and bringing the world together in a Kum By Ya moment.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Great book! I'm halfway through it and it has got me riled up enough to ...Hey! Shiny ponies!
My guess, Obama, Reid and Pelosi have no idea what the hell they were doing, crafted legislation as if they were experts, and have left us holding the bag of an unworkable system
That's a real possibility.
"First they came for the slanderers and i said nothing."
I'm all in favor of the ACA. In fact, on the state level, they've done just fine (it's notable that the only reason the federal system is even necessary is because a number of states refused to do it).
On the other hand, how the fuck did we end up with this crap? You cannot roll out a project to millions of users this quickly and without adequate load testing. Also, why the hell aren't the contractors American? All this lip service the Democrats pay every election year to eliminating tax breaks for outsourcing and they can't bother to use American companies that will guarantee the work won't be subcontracted to some other company outside the US?
We actually have competent IT contracting firms in the US. They tend to be expensive, but they have enough experience that they can predict how long and how much it will cost to deliver working software. Ultimately, it ends up costing less in the long run to pay more up front, because the software actually does what you want it to do.
(Of course, this might not be a matter of corruption rather than cost, but my points still apply.)
I don't believe it is helpful to look at particular years and their figures. We need to look into what caused those years to be good or bad and those are the previous years.
Just as an example, Clinton did very well by the time he left office, right? Well, he was helped by the internet bubble. And the stock market tanked in April-May of the election year when it looked like Gore would beat Bush. Also, he and his Republican congress couldn't agree on spending, so spending was held in check.
Bush started out okay, then 9/11 happened and knocked the U.S. into a recession. They decided on doing Afghanistan. That wasn't costly, but Iraq was. In the meantime, he pushed through tax cuts and didn't fund the Iraq war with tax increases. The tax cuts put the budget firmly in the red. He also extended Medicare with Part D, that was more money. Meanwhile the housing bubble was happening, and neither Greenspan, nor Bush, nor the Republicans, nor the Democrats wanted to puncture that balloon. Had they done that in 2005, Obama wouldn't have been dealt the bad deck he got. That decade also helped shake out moderates in both parties, the 2010 census and subsequent redistricting cemented it.
Obama isn't blameless, he turned healthcare over to the Dems in Congress who proceeded to decorate it like a Christmas tree and who decided they didn't need any Republican buy-in since they controlled both Houses figuring that Americans were going to love them for it and make their majorities unassailable for years. Obama shot himself in the foot on that one. It only took 3 years for them chickens to come home to roost. The Dems also sold the soul of the ACA to the insurance companies guaranteeing it would be FrankenCare. There were supposed to be healthcare cooperatives like Germany has. The insurance companies have all but spiked those. Most will go out of business shortly.
Before I forget, the individual mandate for buying healthcare, that was a Republican idea from the Heritage Institute (I believe in the 2000's if not before in the 1990's) before it was taken over by Jim Demint.
If you are sure, then you surely must have some evidence for why you believe this, yes?
Nobody gives a hoot about their universities or degree. Show us the product. Thank you, that will be all.
Sure that has something to do with it. Clinton took office while growth was strong and he's given credit for what he was handed. This even though growth slowed a lot over his eight years and his final two budget years, with his policies having been in place for a few years, were much worse than what Bush Sr. handed him.
On the other hand, Reagan and Obama both took over during poor economic conditions. Eight years of Reagan saw great improvement and people recognize that. Six years of Obama have had things go from bad to worse, and people can see that too. Eight years is a long time, and people see if things get better or get worse .
So which of the 10 "colleges" per city block is the superior one again? Anybody forging their resumes on a massive scale? Having others take their interviews?
so they can't make them in 60-80+ hour workers who get kicked out if they say no.
Right, they are terrible at it. But are other IT companies better?
The bare concept of a contracted IT project has issue. Some engineers will work during the project time, and will move to something else once completed. That means they never face the consequences of their bad practice.
You're probably just propagandizing, but in case you believe that:
http://data.bls.gov/timeseries/LNS11300000
What that's showing you is that 3% if the population have used up their benefit. They are still unemployed, they just aren't getting benefits anymore. In 2008, 66% of the population was either working or eligible for umployment. 2013, 63% are - 3% have either used up their two years of unemployment benefits or simply given up.
7.2% are getting unemployment benefits, 3% are no longer eligible = 10.2% real unemployment.
Yes, people see that since the republicans took the house in 2011 after the 2010 election they haven't been real cooperative.
Some people also realize nothing got done for the years that Obama had his own democrats in charge of the house and senate.
A few people remember that Reagan got things done while the opposing party controlled both house and senate.
http://www.amazon.com/Extortion-Peter-Schweizer/dp/0544103343 There ya go, 600 footnotes included.
Except your citation isn't for what the AC posted, i.e. "The ACA has been a such a failure and promises to bankrupt the country."
Well, if the Red states weren't so stubborn as to opt-out, at least we'd have 50 different systems.
Wow, 50 different targets to crack sure is an even better choice! Especially when they all go against the same central server to record and search for sensitive data! Nothing better than giving a guy 50 chances to break into a warehouse with hundreds of millions of items of juicy data!
"There is more worth loving than we have strength to love." - Brian Jay Stanley