Slashdot Mirror


ACA Health Exchange Contractors Have History of Security Failures

Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."

34 of 144 comments

  1. SURPRISE! by Jhon · · Score: 3, Insightful

    It's bad enough we have private industry in charge of much of our private information. At least THEY can be held accountable and sued or fined out of existence or at least suffer PR so bad that their business fails.

    When the Government is in charge, what are you going to do? Sue them? Great. You win money from every taxpayer and the problem won't get fixed -- it will just be more expensive to run -- for every taxpayer.

  2. Isn't this universal? by JDG1980 · · Score: 4, Insightful

    Are there any contractors that don't have a history of security failures?

    The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.

    Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.

    1. Re:Isn't this universal? by avandesande · · Score: 2

      At least they could have given a US company an opportunity to screw this up....

      --
      love is just extroverted narcissism
    2. Re:Isn't this universal? by LurkerXXX · · Score: 3, Informative

      By US company, do you mean companies like IBM, Northrop Grumman, Verizon, Rand Corporation? They did.

      http://reporting.sunlightfoundation.com/2013/aca-contractors/

    3. Re:Isn't this universal? by cold+fjord · · Score: 2

      Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.

      The Obamacare website is typical, or worse. The portion of the site for Spanish speaking people has never worked at all, and Spanish speaking Americans are one of the key groups of the uninsured. The rest of the site is plagued by errors in the data provided to insurers causing all sorts of problems including multiple enrollments and cancellations, incorrect family relationships, and plenty of other problems.... when it works at all. It will be at least months late in working, and that work won't be done for free, so that is late and almost certainly over budget. There are technologists that have looked at the problems and some of them are recommending that it be scrapped and started over. The Obamacare site was designed with less capacity than the site for Medicare Part D. It is a debacle of epic proportions. That is before you get to the policies some people are getting, or other repercussions of the law.

      You Can Keep Your Current Health Insurance. Or Not

      President Obama has promised people who liked their current doctor and health-care plan would be able to keep it as the Affordable Care Act continues to get implemented, but that's proving not to be the case for many Americans.

      Insurance companies have sent out hundreds of thousands of letters to consumers in recent months cancelling their health-care plans.

      Kaiser Health News reports the cancelled policies “fall short” of the essential health benefits the ACA requires all plans include beginning Jan. 1, and are therefore not eligible for sale on the state and federally-run exchanges.

      The law requires plans to include coverage for maternity care, ambulatory services, prescription medications and more, additions that critics say will drive up premium costs for policyholders who may never use them.

      Among the insurance companies terminating policies are Kaiser Permanente in California, which sent notices to 160,000 policy holders; Highmark Pittsburgh, which dropped 20% of its individual market customers; and Independence Blue Cross, a major insurer in Philadelphia, eliminating 45% of its individual policies, Kaiser reports. The biggest hit comes in Florida, where insurer Florida Blue has dropped 300,000 policies.

      In some cases, policies for those with pre-existing conditions were terminated while other customers faced price increases since the rollout of the new insurance exchanges, according to Kaiser. Beginning in mid-September, for example, Blue Shield of California sent nearly 119,000 cancellation notices to individuals, and nearly two-thirds of this group were notified of rate increases, the nonprofit news service reports.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:Isn't this universal? by smooth+wombat · · Score: 5, Insightful

      and Spanish speaking Americans are one of the key groups of the uninsured.

      Then maybe they should learn to speak English instead of expecting the entire country to bend over backwards for them. The same goes for the various Asian folks as well.

      It's all well and good to speak two languages, but you shouldn't expect people to accommodate you because you're too lazy. If I emigrated to Vietnam, should I expect them to bend over backwards for me because I didn't learn their language? They'd laugh at me day and night if I told them they need to go out of their way to post everything in English.

      But I guess it's easier to find a technical solution to a human problem than it is to fix the human problem.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    5. Re:Isn't this universal? by Talderas · · Score: 2

      All nations have a de facto national language. Whatever language is used for writing the documents that establish the government/nation is essentially de facto.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    6. Re:Isn't this universal? by s.petry · · Score: 2

      So, I'd like to know who these people know to get the jobs.

      The simple answer is that you have to be listed in the Government books as a "prime" contractor. In order to get on the list, you have to ass kiss and lobby a whole lot. This is in addition to meeting more sensible criteria, but can at times discount the sensible criteria. Usually "Primes" are chosen for programs based on how much ass kissing they can do. There is some of the "good-ole boy" network going on, but in a few cases there is some logical favoritism.

      For example, if General Dynamics is doing well and Northrop has funding shortages that may cause a division closure, work will go to that division to support it. Consider that with ship building, there are very few companies that can build war ships. If one goes under, the US can be screwed if a war broke out. The Government does take logistics into _some_ consideration during contract negotiations.

      What I find very odd here is that the DOD requires that all employees and contractors be US Citizens. Since I left DOD about 3 years ago, I have heard rumors that some jobs can now be "green carded" but I won't verify that since it was not that way 3 years ago.

      Why would the US ACA work be any different? Why would they pay a Canadian company anything for American Government work to support American Citizens under a Law drafted and required in America? That part makes absolutely no sense to me, and quite frankly should be illegal. I know for a fact that there are numerous companies in Silicon Valley that could have done the work much faster and with better results.

      No offense to Canadian people is intended. I would hope that a Canadian would be pissed off if their tax dollars went to support a US company doing work _required_ by the Canadian Government to support Canadian laws and citizens.

      --
      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  3. Question by Conspiracy_Of_Doves · · Score: 2

    The government department that contracted this company for the site, are they allowed to use any criteria other than the contract bid amount to decide who to go with? Are they required to go with the lowest bidder, or are they allowed to look at the company history when deciding who to hire?

  4. is there anyone here.... by phantomfive · · Score: 4, Insightful

    Is there anyone here who had any doubt that the health exchange system would have serious security problems, given how many problems it's had, and security bugs being harder to avoid than many other types of bugs?

    The worst part is, since this system integrates with the department of homeland security and the IRS, you don't even necessarily need to use the system for a security vulnerability to affect you.......

    --
    "First they came for the slanderers and i said nothing."
  5. Outsourced Lowest Bidder syndrome by Isca · · Score: 4, Insightful

    This is what happens when you don't hire people in the agencies with technical abilities to even be able to oversee the implementation of complex systems.

    Privatization is good as long as you actually have competent people with technological expertise to oversee the development. Outsourcing all of this to the lowest bidder, then that company outsourcing components to the lowest bidder (and so on, and so forth) always causes these types of issues. We need technologists inside the government that can actually manage these projects.

  6. Re:How is this possible? by Isca · · Score: 3, Informative

    A large part of it is who you know to get your foot in the door. Once you've done government projects it's easier to land more contracts. I suspect in this company's case that the breach happened after they had already signed contracts to work on this project (at least with Serco).

  7. Yeah, so what? by mark_reh · · Score: 2

    It's been obvious for months to even the most internet-ignorant that there is no such thing as security on-line. The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by obamacare, if they ever manage to get it up and running.

    Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system, but we are too stupid to vote for something like that. Even if we did, the insurance lobby's votes mean much more than votes of citizens going to the polls, so even if the majority came to their senses and demanded a single-payer system, it would not happen.

    OK, so we'll get more targeted spam about incontinence products, birth control, flatulence control, boner pills, etc. That will just make spam filters work a little harder.

    1. Re:Yeah, so what? by phantomfive · · Score: 2

      The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records.

      The main concern is someone applying for a credit card with your name, or otherwise borrowing your identity.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Yeah, so what? by mcgrew · · Score: 2, Insightful

      The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by obamacare, if they ever manage to get it up and running.

      The ACA was passed and signed and gone through the courts; it's the law. Obamacare is in fact up and running, what's not is the federal web site.

      Your state's isn't in place? That isn't the Feds' fault, it's your state government's. Illinois' is in place, and we have the most dysfunctional government in the US. Why isn't yours?

      Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system

      I'd mod you up if I had points. The reason the US has such expensive health care is the insurance companies. They're simply parasitic middlemen who do nothing but add cost.

    3. Re:Yeah, so what? by rsborg · · Score: 2

      I'd mod you up if I had points. The reason the US has such expensive health care is the insurance companies. They're simply parasitic middlemen who do nothing but add cost.

      Please don't forget about two other major reasons "healthcare" is so expensive here in the states: 1) Medical device companies that charge an arm and a leg for basic supplies and 2) Big Pharma, that for some reason (well, billion$ of reasons, actually) lobby to prevent organizations like Medicare from negotiating prescription drug costs.

      Insurance companies are evil, but with ACA, their evil has been toned down considerably (no rescission for pre-existing conditions + medical loss ratio + fallback of state exchanges) and if things with Obamacare progress, we might get more single-payer down the road.

      I see ACA/Obamacare like hybrid gas-engine cars (i.e., Prius) - by straddling the private and public insurance options, the road is eased such that a more moderate progression happens. Whether you feel this progressive approach is wise or not is another matter.

      --
      Make sure everyone's vote counts: Verified Voting
  8. Re:We need to start throwing people in jail. by Bodhammer · · Score: 2
    --
    "I say we take off, nuke the site from orbit. It's the only way to be sure."
  9. Problem of selection by satsuke · · Score: 2

    The larger problem isn't the actual contractor, it's in the selection process.

    At least, the companies that get these huge jobs are the ones that can successfully navigate the bidding process, as well as those that have a track record of complying with that process.

    It's a matter of the metrics used not matching the result desired.

    ACA/Obamacare health exchanges have had a lot of screwups, but I don't know if it'd work any other way initially (based on the fact that there are hundreds of agencies and different systems to interact with), any end-to-end testing would have to be on "friendly" / fake results.

  10. Government Contracting is a rat's nest by Sedated2000 · · Score: 5, Informative

    The processes and hoops you have to jump through in order to respond to their requests for proposal are ridiculously complicated. Way too often companies who are not qualified get the contract merely because they knew how to play the system.

    The government has programs to support small businesses like 8a for disadvantaged, one for businesses owned by disabled Vets, one for women-owned. This does help some, but more often than not those companies are just paid so that bigger companies can bid for work and use them as the vehicle to get it. In my experience as a government contractor for most of my career I've seen countless scenarios of companies bidding for 8 resources on a task but really only using 2. I've seen them work on contracts for over a decade, and despite horrible execution of the project they continue to win the re-compete because they'll purposely squirrel away anyone who can help a new contract winner. They'll eat the cost and give people useless jobs at their corporate offices just to attempt to make the new contracting company fail.

    There is also a terrible history of nepotism involved. The entire system is abused. Officers have even set up companies and awarded contracts to themselves right before retirement. When they leave they have a ready-made contracting company complete with an ongoing contract and perhaps one or two for their past performance record already. By the time they're caught, they are fined a million or so which at that point is a small price to pay for them. They just had the world's best interest-free business startup loan. Yes, I have first-hand knowledge of one such instance of this and I know it is definitely not an isolated incident.

    Here is an example of waste: When I was on one of my last contracts I spent months doing nothing of real consequence. Through some weird situation I was left with no project manager and no tasks. I informed all of the management who would listen, and requested work. I began to worry I'd be cut, along with the worry that if I sat idle my hard-earned skills would dull. I found another job and quit. I received a call from the vice president of the company telling me she was hearing what a great job I was doing and that they wanted to offer me a substantial raise to stay. It was then I realized they didn't care what I did. They could bill for me. By showing up I was doing a "good job". I couldn't take it and left.

  11. Well.. by TechyImmigrant · · Score: 3, Insightful

    While it may be unsurprising that a government contractor can't get security right, expecting anyone to adhere to government security specifications is unreasonable. Take a look at them, they are a vast mess of poorly written hand waving. There are some with specifics (e.g. some of the crypto algorithm stuff), but the balance of it is 'framework' crap.

    You can make an honest job of adhering to federal computer security specs, but it's always possible to dig up another spec somewhere that contradicts it.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  12. And they hire the best H1B candidates they can too by Virtucon · · Score: 2, Insightful

    They're just a body shop living the H1B dream.

    I find it somewhat repugnant that a US Healthcare website is being done by a slipshod vendor who relies on H1B staff for delivery and can't follow FIPS 200 standards? That's a no-brainer for anybody dealing with any Federal agency.

    https://oig.hhs.gov/oas/reports/region4/41205045.pdf

    QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.

    So Personally Identifiable Information for over 6 Million Medicare beneficiaries wasn't protected and they still are working and billing to provide shitty software. I wonder how much of this is now in the hands of identity thieves selling Fullz..

    Your government at work, folks, what a wonderful sight to behold.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
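The OIG finding quoted above comes down to two checkable controls: the system security plan must list the essential services and ports that are actually exposed, and USB mass storage must be restricted. The script below is an added example (not QSSI's, CMS's or the OIG's tooling) of how an auditor could check both on a Linux host; the approved-port list, the `ss -ltn` snapshot and the modprobe config are constructed sample inputs, and the `/bin/false` install convention is the assumed blocking method.

```python
"""Audit helper for two of the controls named in the OIG finding:
(1) listening services/ports versus what the system security plan (SSP)
    approves, and (2) whether the usb-storage kernel module is blocked.
Added example with constructed inputs; not the contractor's own tooling."""
import re

# Constructed sample: ports an SSP might document as essential (hypothetical).
SSP_APPROVED_PORTS = {22: "ssh", 443: "https"}

# Constructed sample of `ss -ltnH` output: IPv4, wildcard and IPv6 listeners.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 [::]:8080 [::]:*
"""

# Constructed sample of /etc/modprobe.d/usb-storage.conf that blocks the module.
SAMPLE_MODPROBE_CONF = """\
# constructed example config
install usb-storage /bin/false
blacklist usb_storage
"""


def parse_listening_ports(ss_output):
    """Return {port: local_address} from `ss -ltn` style lines.
    Handles IPv4 (0.0.0.0:22), wildcard (*:443) and IPv6 ([::]:8080)."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip headers and anything that is not a listener
        match = re.match(r"^(.*):(\d+)$", fields[3])
        if match:
            ports[int(match.group(2))] = match.group(1)
    return ports


def unapproved_ports(observed, approved):
    """Listening ports the SSP does not document: the finding's item (1)."""
    return sorted(p for p in observed if p not in approved)


def missing_ports(observed, approved):
    """Documented services that are not actually listening (plan drift)."""
    return sorted(p for p in approved if p not in observed)


def usb_storage_blocked(modprobe_conf):
    """True if the modprobe config prevents usb-storage from loading.
    A bare `blacklist` line only stops loading by alias during device
    enumeration; an `install usb-storage /bin/false` (or /bin/true) line also
    defeats an explicit `modprobe usb-storage`, so only that counts as blocked.
    Module names may use '-' or '_' interchangeably."""
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if (len(parts) >= 3 and parts[0] == "install"
                and parts[1].replace("_", "-") == "usb-storage"
                and parts[2] in ("/bin/false", "/bin/true")):
            return True
    return False


def audit(ss_output, approved, modprobe_conf):
    """Run both checks and return a list of finding strings (empty = clean)."""
    observed = parse_listening_ports(ss_output)
    findings = []
    for port in unapproved_ports(observed, approved):
        findings.append(f"port {port} ({observed[port]}) listening but not in SSP")
    for port in missing_ports(observed, approved):
        findings.append(f"port {port} ({approved[port]}) in SSP but not listening")
    if not usb_storage_blocked(modprobe_conf):
        findings.append("usb-storage module is not blocked via modprobe install rule")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, SSP_APPROVED_PORTS, SAMPLE_MODPROBE_CONF):
        print("FINDING:", finding)
```

On a real host the snapshot would come from `ss -ltnH` and the config from the files under /etc/modprobe.d/, with the approved list taken from the SSP itself.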
  13. Fifty-five contractors by Dachannien · · Score: 5, Insightful

    Just the fact that there were 55 different contractors working on healthcare.gov is reason enough to suspect that major security flaws crept in.

    The fact that the website was opened before any appreciable amount of testing was done is reason enough to suspect that most of those flaws are still undiscovered and uncorrected.

    The government's project managers didn't even come up with a full specification for the largest contractor until this past Spring, with the expectation that everything would be done and ready for business on 1 October. It's a total clusterfuck, the true scope of which likely won't be discovered for several months.

    http://www.newyorker.com/online/blogs/elements/2013/10/why-the-healthcaregov-train-wreck-happened-in-slow-motion.html

  14. what we need by wbr1 · · Score: 2

    Is something like angieslist for government contracts and a mandate to force its use. Now, who do we contract to build it?

    --
    Silence is a state of mime.
  15. Open Source It by ZeroSerenity · · Score: 3, Interesting
    --
    For those who seek perfection there can be no rest on this side of the grave.
  16. Oh great, cue the pompous chest-thumping by daboochmeister · · Score: 2

    Get ready for the torrent of people who've never dealt with gov't contracting who are just so sure they could do it better. Dunning-Kruger in the house, like usual on /.

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
  17. The Grand Target by SuperKendall · · Score: 2

    The worst thing about a centralized system like healthcare.gov, is that it represents a tremendously juicy target for criminals of all kinds - from ID thieves to phishers that want some personal info to run a scam. Never mind this company, I'm not sure I trust ANYONE to develop a system that is secure against the number and complexity of attacks that will be made.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  18. Stop using contractors by Skapare · · Score: 2

    Use in-house employees instead. Hire well-qualified experienced employees, paid well (considering the costs of living in DC if they are not working from remote).

    --
    now we need to go OSS in diesel cars
    1. Re:Stop using contractors by ZombieBraintrust · · Score: 4, Interesting

      the biggest contractor, CGI Federal, was awarded its $94 million contract in December 2011. But the government was so slow in issuing specifications that the firm did not start writing software code until this spring. As late as the last week of September, officials were still changing features of the Web site.

      If there is no specification then you're going to get a crap product. If they started in Spring then there is no way they finished in time to do several months of testing, bug fixing, and regression testing.

  19. You're surprised? by Overzeetop · · Score: 3, Insightful

    List all the companies who can, in under a year, put together a $50-400M (take your pick at the number) software system to service, conservatively, 30 million people in a day and interface with legacy systems from multiple governmental agencies.

    Cross off everyone on the list who isn't set up to do government contracting
    Cross off everyone on the list who can't meet HIPAA standards
    Cross off everyone who hasn't rolled out at least three systems of similar size and complexity in the past 5 years
    Cross off everyone who is headed by a foreign national

    Your list is going to be very, very short. I'd have had you cross out those with past roll-out failures or problems, but that would have given you a blank piece of paper to start with.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  20. Re:And they hire the best H1B candidates they can by ZombieBraintrust · · Score: 3, Insightful

    Why is this racist crap modded up? I work with H1Bs and most of them went to better colleges than I did and have better degrees than I do. We're talking about people with 10, 15 years of experience. Now some outsourcing outfits hire people directly out of college. Quality can be low with these teams because there is a lot of turnover and poor communication with an offsite team. But those people tend to work in India for a few years. The competition for visas is high and people with no experience don't normally get them.

  21. Re:A few problems with that list... by bzipitidoo · · Score: 5, Insightful

    I've done some work as a government contractor. It's messy. They demand that you account for every hour. If you are working on 3 different projects, you have to fill out a timesheet in which you detail which hours of every day you spent on each of those 3 projects. This sort of thing misses the point that it's results that count, not hours.

    They are keenly aware of the public perception of them as bungling bureaucrats. Consequently, they can be extremely pushy and demanding. Often they bear down so hard that it is counterproductive.

    They're also paranoid control freaks. They want contractors to work on computer systems that are under their control. Instead of working on your own equipment in your own offices, they'll insist you use their facilities. Then they provide antiquated, slow computers with ancient versions of Windows, and take weeks to getting around to details like installing a phone line. There are also a ton of rules. They'll want you to pay for a cell phone, but they don't want your cell phone to have any privacy. You basically need permission to sneeze, and more permission to wipe your nose. Want to encrypt a hard drive? Maybe just keep a few encrypted files on a hard drive? Can't do that without authorization.

    It takes a good contractor to stop them from hamstringing a project with red tape. You have to trample upon all sorts of rules to get anything done, and you need a smooth management team to keep the bureaucrats from worrying about violations. They will overlook all kinds of petty violations as long as there are good results. Let a project falter though, and the piranhas come out.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  22. My state exchange web site works fine. by rock_climbing_guy · · Score: 3, Insightful

    For what it's worth, I recently moved to Colorado and I've found that their state health insurance exchange web site works just fine. I was able to browse plans available within a few minutes.

    I think it goes to show that there's nothing extraordinarily difficult about this web site. I suspect cronyism on the part of the federal government. How else can you explain that they paid ~$600M for a web site that doesn't work? I think they could have handed that money to most anyone who posted to this discussion and gotten a better result.

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  23. This is pathetic. by Lendrick · · Score: 2

    I'm all in favor of the ACA. In fact, on the state level, they've done just fine (it's notable that the only reason the federal system is even necessary is because a number of states refused to do it).

    On the other hand, how the fuck did we end up with this crap? You cannot roll out a project to millions of users this quickly and without adequate load testing. Also, why the hell aren't the contractors American? All this lip service the Democrats pay every election year to eliminating tax breaks for outsourcing and they can't bother to use American companies that will guarantee the work won't be subcontracted to some other company outside the US?

    We actually have competent IT contracting firms in the US. They tend to be expensive, but they have enough experience that they can predict how long and how much it will cost to deliver working software. Ultimately, it ends up costing less in the long run to pay more up front, because the software actually does what you want it to do.

    (Of course, this might not be a matter of corruption rather than cost, but my points still apply.)

    1. Re:This is pathetic. by phantomfive · · Score: 3, Interesting

      On the other hand, how the fuck did we end up with this crap? You cannot roll out a project to millions of users this quickly and without adequate load testing.

      They did adequate load testing. The testing results said the site would fail under load. They released it anyway. The flaws are there, but they were not in the testing.

      --
      "First they came for the slanderers and i said nothing."