Obamacare exchange contractors had past security lapses

Hackers exposed data on 123,000 people at one, another put personal data of 6 million Medicare beneficiaries at risk

Two of the contractors involved in developing the Affordable Care Act healthcare exchanges have had fairly serious data security issues, a Computerworld review of publicly available information has found.

The incidents involving Quality Software Services (QSS) and Serco are not related to the ongoing glitches in Healthcare.gov, the ACA's troubled website.

Even so, the information is relevant in light of the ongoing scrutiny of the companies involved with the problem-plagued exchange.

Since going live on October 1, Obamacare's Healthcare.gov site has been bedeviled by problems that are keeping people from shopping for and enrolling in ACA health insurance plans. So far, none of the problems appear security related.

However, critics say the exchanges and the underlying data hub connecting health insurers to federal eligibility verification systems could face security problems, given the complexity and the sheer volume of highly sensitive personal information flowing through the systems.

Systems integrator Quality Software Services developed the software code for the ACA data services hub and oversaw development of tools to connect the hub to databases at the Internal Revenue Service, the Social Security Administration and other federal agencies.

The company is also charged with helping the Centers for Medicare and Medicaid Services (CMS) maintain and administer the data hub.

The company in June was the subject of an audit report by the U.S. Department of Health and Human Services Inspector General for failing to adhere to federal government security standards in delivering what appear to be unrelated IT testing services for the CMS.

The 16-page report noted that the systems QSS used for testing purposes at CMS did not include controls for protecting against misuse of USB ports and devices as required by the CMS.

Specifically, QSS failed to disable USB ports or put other measures in place for preventing unauthorized use of USB devices and ports, the report said. The company had also not listed essential system services or ports in its security plan, it said.

"As a result of QSS's insufficient controls over USB ports and devices, the [Personally Identifiable Information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate use, access or theft," the report warned.

QSS officials did not respond to a request for comment on the report.

However, in a response to the Inspector General's findings, the company said it revised corporate network access control policies to put restrictions on the use of USB ports and devices. It also said it planned to implement "Read Only" restrictions for USB ports in all laptops along with controls to prevent USB devices from automatically executing code.
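The controls the report faulted and the response promised (USB storage disabled or read only, no automatic execution of code from USB devices) map onto a handful of Windows policy registry values. The audit script below is an added example, not code from the article or from either contractor; it assumes a Windows host, runs in an elevated PowerShell so HKLM is readable, and reports each control as pass or fail.

```powershell
# Added audit example: checks the USB-related controls discussed above.
# Assumes Windows; the registry paths and values are standard Windows
# policy settings, not anything taken from the contractors' environments.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means the control is not configured
}

function Test-UsbControls {
    $checks = @(
        @{ Control  = 'USB mass storage driver disabled'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
           Name     = 'Start'; Expected = 4 },             # 4 = SERVICE_DISABLED
        @{ Control  = 'USB storage write-protected (read only)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
           Name     = 'WriteProtect'; Expected = 1 },
        @{ Control  = 'AutoRun disabled for all drive types'
           Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name     = 'NoDriveTypeAutoRun'; Expected = 255 },  # 0xFF covers every drive type
        @{ Control  = 'autorun.inf commands ignored'
           Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name     = 'NoAutorun'; Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Control  = $c.Control
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Pass     = ($actual -eq $c.Expected)
        }
    }
}

# One line per control; non-zero exit code if any control is missing, so the
# script can feed a fleet-wide compliance check.
$results = Test-UsbControls
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Disabling the USBSTOR driver makes the write-protect check redundant on that host, so a pass on either line satisfies the "disable or restrict" finding; the AutoRun checks stand on their own.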

Testifying before the U.S. House Committee on Energy and Commerce Subcommittee on Health in September, a QSS executive said the design and development of the ACA Data Services Hub complies with federal security standards.

Services firm Serco in July won a five-year $1.3 billion contract to process and verify paper applications submitted by individuals seeking health insurance via the online exchanges.

A Serco executive told lawmakers earlier this year that the company has taken many steps to ensure that the data it handles meets CMS and Federal Information Security Act security requirements.

Serco had made the news in 2012 when it disclosed a data breach that exposed sensitive data of more than 123,000 members of the Thrift Savings Plan (TSP), a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board.

The exposed data included full names, addresses, Social Security Numbers, financial account information and bank routing information.

The compromise resulted from an intrusion into a single desktop computer used by a Serco employee to support the TSP.

Though the breach occurred in July 2011, Serco did not discover it until April 2012 after being notified about it by the FBI. The incident, and Serco's subsequent handling of the breach notification process, prompted some lawmakers to demand a clear timeline from the company on the initial intrusion, its subsequent discovery and the steps taken to prevent another breach.

In a lengthy e-mail to Computerworld Tuesday, Serco spokesman Alan Hill downplayed the significance of the breach and maintained that the company has since thoroughly reviewed its security program and infrastructure protection mechanisms. For instance, the company redesigned its network and data management infrastructure and revised security risk management policies, controls and procedures, Hill said.

Serco executives are working with the CMS to ensure that information security controls are built into the ACA paper application processing system, the spokesman said.

"We are committed to applying and enforcing a strong information security program and strict controls across all of our contracts and operations," Hill said. "Protecting the privacy of consumers through the paper application process is top priority for Serco and CMS."

Richard Stiennon, principal at security consultant IT-Harvest, predicts a lot of finger pointing at the contractors if there's a breach into ACA systems.

"That said, often having made mistakes in the past will lead to improved coding and security practices in the future. Here's hoping that is the case," he said.

However, bringing in a slew of experts to fix the system "will probably lead to short cuts, which usually lead to bad security hygiene," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.
