Obamacare exchange contractors had past security lapses

Hackers exposed data on 123,000 people at one, another put personal data of 6 million Medicare beneficiaries at risk

Two of the contractors involved in developing the Affordable Care Act healthcare exchanges have had fairly serious data security issues, a Computerworld review of publicly available information has found.

The incidents involving Quality Software Services (QSSI) and Serco are not related to the ongoing glitches in Healthcare.gov, the ACA's troubled website.

Even so, the information is relevant in light of the ongoing scrutiny of the companies involved with the problem-plagued exchange.

Since going live on October 1, Obamacare's Healthcare.gov site has been bedeviled by problems that are keeping people from shopping for and enrolling in ACA health insurance plans. So far, none of the problems appear security related.

However, critics say the exchanges and the underlying data hub connecting health insurers to federal eligibility verification systems could face security problems, given the complexity and the sheer volume of highly sensitive personal information flowing through the systems.

Systems integrator Quality Software Services developed the software code for the ACA data services hub and oversaw development of tools to connect the hub to databases at the Internal Revenue Service, the Social Security Administration and other federal agencies.

The company is also charged with helping the Centers for Medicare and Medicaid Services (CMS) maintain and administer the data hub.

The company in June was the subject of an audit report by the U.S. Department of Health and Human Services Inspector General for failing to adhere to federal government security standards in delivering, what appears to be unrelated, IT testing services for the CMS.

The 16-page report noted that the systems QSSI used for testing purposes at CMS did not include controls for protecting against misuse of USB ports and devices as required by the CMS.

Specifically, QSSI failed to disable USB ports or put other measures in place for preventing unauthorized use of USB devices and ports, the report said. The company had also not listed essential system services or ports in its security plan, it said.

"As a result of QSSI's insufficient controls over USB ports and devices, the [Personally Identifiable Information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate use, access or theft," the report warned.

A QSSI spokesman Wednesday said the company is committed to the highest standards of security. "We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and informed CMS of our actions," the spokesman said in an email ti Computerworld.

However, in a response to the Inspector General's findings, the company said it revised corporate network access control polices to put restrictions on the use of USB ports and devices. It also said it planned to implement "Read Only" restrictions for USB ports in all laptops along with controls to prevent USB devices from automatically executing code.

Testifying before the U.S. House Committee on Energy and Commerce Subcommittee on Health in September, a QSSI executive said the design and development of the ACA Data Services Hub complies with federal security standards.

Services firm Serco in July won a five-year $1.3 billion contract to process and verify paper applications submitted by individuals seeking health insurance via the online exchanges.

A Serco executive told lawmakers earlier this year that the company has taken many steps to ensure that the data it handles meets CMS and Federal Information Security Act security requirements.

Serco had made the news in 2012 whn it disclosed a data breach that exposed sensitive data of more than 123,000 members of the Thrift Savings Plan (TSP), a $313 billion retirement plan, run by the U.S. Federal Retirement Thrift Investment Board.

The exposed data included full names, addresses, Social Security Numbers, financial account information and bank routing information.

The compromise resulted from an intrusion into a single desktop computer used by a Serco employee to support the TSP.

Though the breach occurred in July 2011, Serco did not discover it until April 2012 after being notified about it by the FBI. The incident, and Serco's subsequent handling of the breach notification process, prompted some lawmakers to demand a clear timeline from the company on the initial intrusion, its subsequent discovery and the steps taken to prevent another breach.

In a lengthy e-mail to Computerworld Tuesday, Serco spokesman Alan Hill downplayed the significance of the breach and maintained that the company has since thoroughly reviewed its security program and infrastructure protection mechanisms. For instance, the company redesigned its network and data management infrastructure and revised security risk management policies, controls and procedures, Hill said.

Serco executives are working with the CMS to ensure that information security controls are built into the ACA paper application processing system, the spokesman said.

"We are committed to applying and enforcing a strong information security program and strict controls across all of our contracts and operations," Hill said. "Protecting the privacy of consumers through the paper application process is top priority for Serco and CMS."

Richard Stiennon, principal at security consultant IT-Harvest, predicts a lot of finger pointing at the contractors if there's a breach into ACA systems.

"That said, often having made mistakes in the past will lead to improved coding and security practices in the future. Here's hoping that is the case," he said.

However, bringing in a slew of experts to fix the system "will probably lead to short cuts, which usually lead to bad security hygiene," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies