
Obamacare exchange contractors had past security lapses

Hackers exposed data on 123,000 people at one, another put personal data of 6 million Medicare beneficiaries at risk

October 23, 2013 06:17 AM ET

Computerworld - Two of the contractors involved in developing the Affordable Care Act healthcare exchanges have had fairly serious data security issues, a Computerworld review of publicly available information has found.

The incidents involving Quality Software Services (QSSI) and Serco are not related to the ongoing glitches in Healthcare.gov, the ACA's troubled website.

Even so, the information is relevant in light of the ongoing scrutiny of the companies involved with the problem-plagued exchange.

Since going live on October 1, Obamacare's Healthcare.gov site has been bedeviled by problems that are keeping people from shopping for and enrolling in ACA health insurance plans. So far, none of the problems appear security related.

However, critics say the exchanges and the underlying data hub connecting health insurers to federal eligibility verification systems could face security problems, given the complexity and the sheer volume of highly sensitive personal information flowing through the systems.

Systems integrator Quality Software Services developed the software code for the ACA data services hub and oversaw development of tools to connect the hub to databases at the Internal Revenue Service, the Social Security Administration and other federal agencies.

The company is also charged with helping the Centers for Medicare and Medicaid Services (CMS) maintain and administer the data hub.

The company in June was the subject of an audit report by the U.S. Department of Health and Human Services Inspector General for failing to adhere to federal government security standards while delivering what appear to be unrelated IT testing services to the CMS.

The 16-page report noted that the systems QSSI used for testing purposes at CMS did not include controls for protecting against misuse of USB ports and devices as required by the CMS.

Specifically, QSSI failed to disable USB ports or put other measures in place for preventing unauthorized use of USB devices and ports, the report said. The company had also not listed essential system services or ports in its security plan, it said.

"As a result of QSSI's insufficient controls over USB ports and devices, the [Personally Identifiable Information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate use, access or theft," the report warned.

A QSSI spokesman Wednesday said the company is committed to the highest standards of security. "We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and informed CMS of our actions," the spokesman said in an email to Computerworld.

However, in a response to the Inspector General's findings, the company said it revised corporate network access control policies to put restrictions on the use of USB ports and devices. It also said it planned to implement "Read Only" restrictions for USB ports in all laptops, along with controls to prevent USB devices from automatically executing code.
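The three controls the report and the company's response describe (USB storage disabled, removable storage read-only, no automatic execution from USB media) map onto standard Windows policy settings. The following audit script is an added example, not code from the article, QSSI or CMS; the registry paths are the usual Windows policy locations, and the expected values are this script's own assumptions about what a compliant laptop would show.

```powershell
# Added example: audit a Windows laptop for the USB controls described above.
# Registry paths are the standard Windows policy keys; expected values are assumed.
$checks = @(
    @{ Name = 'USB mass-storage driver disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Expected = 4 },        # 4 = driver/service disabled
    @{ Name = 'Removable storage write-protected (read-only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Value = 'WriteProtect'; Expected = 1 },
    @{ Name = 'AutoRun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 255 }  # 0xFF = every drive type
)

function Test-UsbControl {
    param([hashtable]$Check)
    $actual = $null
    try {
        # Read the single policy value; a missing key or value means "not configured"
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).$($Check.Value)
    } catch {
        $actual = $null
    }
    [pscustomobject]@{
        Control  = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Pass     = ($actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-UsbControl -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit so a fleet-wide job can flag laptops with any failing control
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The first two controls are alternatives rather than a pair (a fully disabled storage driver makes the read-only setting moot), so an organisation that chose to disable USB storage outright would treat a pass on either as satisfying the finding.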
