Obamacare Exchange Contractors had Past Security Lapses
Two of the contractors involved in developing the Affordable Care Act healthcare exchanges have had fairly serious data security issues, a Computerworld review of publicly available information has found.
Wed, October 23, 2013
The incidents involving Quality Software Services (QSS) and Serco are not related to the ongoing glitches in Healthcare.gov, the ACA's troubled website.
Even so, the information is relevant in light of the ongoing scrutiny of the companies involved with the problem-plagued exchange.
Since going live on October 1, Obamacare's Healthcare.gov site has been bedeviled by problems that are keeping people from shopping for and enrolling in ACA health insurance plans. So far, none of the problems appear security related.
However, critics say the exchanges and the underlying data hub connecting health insurers to federal eligibility verification systems could face security problems, given the complexity and the sheer volume of highly sensitive personal information flowing through the systems.
Systems integrator Quality Software Services developed the software code for the ACA data services hub and oversaw development of tools to connect the hub to databases at the Internal Revenue Service, the Social Security Administration and other federal agencies.
The company is also charged with helping the Centers for Medicare and Medicaid Services (CMS) maintain and administer the data hub.
In June the company was the subject of an audit report by the U.S. Department of Health and Human Services Inspector General for failing to adhere to federal government security standards while delivering what appear to be unrelated IT testing services to CMS.
The 16-page report noted that the systems QSS used for testing purposes at CMS did not include controls for protecting against misuse of USB ports and devices as required by the CMS.
Specifically, QSS had neither disabled USB ports nor put other measures in place to prevent unauthorized use of USB devices and ports, the report said. The company had also not listed essential system services or ports in its security plan, it said.
"As a result of QSS's insufficient controls over USB ports and devices, the [Personally Identifiable Information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate use, access or theft," the report warned.
QSS officials did not respond to a request for comment on the report.
However, in a response to the Inspector General's findings, the company said it revised corporate network access control policies to put restrictions on the use of USB ports and devices. It also said it planned to implement "Read Only" restrictions for USB ports in all laptops, along with controls to prevent USB devices from automatically executing code.
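The two remediations QSS describes, read-only removable storage and no automatic code execution from USB media, map to well-known Windows policy settings. The script below is an added example, not code from the article, QSS or CMS; it assumes the laptops run Windows and that it is executed from an elevated PowerShell session, and it audits both settings, enforcing them only when -Enforce is passed.

```powershell
param([switch]$Enforce)

# The two controls under discussion, expressed as the registry values Windows
# Group Policy uses for them. Values are the documented ones, not constructed.
$Controls = @(
    @{  Name  = 'Removable storage is read-only (WriteProtect = 1)'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
        Key   = 'WriteProtect'
        Value = 1 },
    @{  Name  = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Key   = 'NoDriveTypeAutoRun'
        Value = 0xFF }
)

function Test-UsbControl {
    # Reads the current value (if any) and reports whether it matches the expected one.
    param([hashtable]$Control)
    $item = Get-ItemProperty -Path $Control.Path -Name $Control.Key -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($Control.Key) } else { $null }
    [pscustomobject]@{
        Control   = $Control.Name
        Expected  = ('0x{0:X}' -f $Control.Value)
        Current   = if ($null -eq $current) { '<not set>' } else { '0x{0:X}' -f $current }
        Compliant = ($current -eq $Control.Value)
    }
}

function Set-UsbControl {
    # Creates the policy key if missing and writes the expected DWORD value.
    param([hashtable]$Control)
    if (-not (Test-Path $Control.Path)) { New-Item -Path $Control.Path -Force | Out-Null }
    New-ItemProperty -Path $Control.Path -Name $Control.Key -Value $Control.Value `
        -PropertyType DWord -Force | Out-Null
}

$before = $Controls | ForEach-Object { Test-UsbControl $_ }
$before | Format-Table -AutoSize

if ($Enforce) {
    $Controls | Where-Object { -not (Test-UsbControl $_).Compliant } | ForEach-Object {
        Set-UsbControl $_
        Write-Host "Enforced: $($_.Name)"
    }
    # WriteProtect applies to devices connected after the change; a reboot or
    # re-plug is needed for media already mounted. AutoRun changes need a sign-out.
    $Controls | ForEach-Object { Test-UsbControl $_ } | Format-Table -AutoSize
}
```

On a managed fleet these values are normally pushed through Group Policy or MDM rather than a local script, so the audit half is the part worth running host by host; read-only media limits data exfiltration but not malware arriving on a drive, which is why the AutoRun control is listed alongside it.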