
ACA Health Exchange Contractors Have History of Security Failures

Unknown Lamer posted about 10 months ago | from the inflated-insurance-rates-now-with-identity-theft dept.

Privacy 144

Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."

144 comments

SURPRISE! (3, Insightful)

Jhon (241832) | about 10 months ago | (#45213283)

It's bad enough we have private industry in charge of much of our private information. At least THEY can be held accountable and sued or fined out of existence or at least suffer PR so bad that their business fails.

When the Government is in charge, what are you going to do? Sue them? Great. You win money from every tax payer and the problem won't get fixed -- it will just be more expensive to run -- for every tax payer.

Re:SURPRISE! (-1)

Anonymous Coward | about 10 months ago | (#45214463)

Obummercare will go down as the biggest mistake of any US president in history. Fuck the liberals who voted this fucker into office twice.

Re:SURPRISE! (0, Flamebait)

Anonymous Coward | about 10 months ago | (#45214921)

Obummercare will go down as the biggest mistake of any US president in history. Fuck the liberals who voted this fucker into office twice.

Yeah he's the worst President we've had since 2008 when that Bush Jr guy who invaded the wrong country finally left office (Jan/2009).

Re:SURPRISE! (0)

Anonymous Coward | about 10 months ago | (#45215301)

Where in my post did I say Retard W. Bush was a good president? Good to see the libs are now using the "But Buuuuush!!" line after complaining for years about Repuglicans using the "But Clinton!!" excuse for anything wrong Bush did. Nice hypocrisy, brah.

Re:SURPRISE! (0)

Anonymous Coward | about 10 months ago | (#45216009)

It's hypocrisy if he was actually one of the ones who said "but Clinton!", which he probably wasn't. It would be just as dishonest for me to claim you're a bible-thumper like so many other conservatives.

Re:SURPRISE! (0)

Anonymous Coward | about 10 months ago | (#45215025)

And the "experts" that were hired to implement this were not experts at producing multi-tier cross-platform eCommerce systems, they were experts at winning government contracts. The people that know how to implement such systems already have well-paying jobs in the real world.

Re:SURPRISE! (0)

Anonymous Coward | about 10 months ago | (#45215897)

It's bad enough we have private industry in charge of much of our private information. At least THEY can be held accountable and sued or fined out of existence or at least suffer PR so bad that their business fails.

When the Government is in charge, what are you going to do? Sue them? Great. You win money from every tax payer and the problem won't get fixed -- it will just be more expensive to run -- for every tax payer.

If only!
http://en.wikipedia.org/wiki/Sovereign_immunity#Federal_sovereign_immunity

Isn't this universal? (4, Insightful)

JDG1980 (2438906) | about 10 months ago | (#45213299)

Are there any contractors that don't have a history of security failures?

The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.

Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality.

Re:Isn't this universal? (2)

avandesande (143899) | about 10 months ago | (#45213399)

At least they could have given a US company an opportunity to screw this up....

Re:Isn't this universal? (0)

Anonymous Coward | about 10 months ago | (#45213683)

Haven't you looked at the huge contractor list that worked on the project? IBM and Northrop are just two of the big US firms included on it.

Re:Isn't this universal? (3, Informative)

LurkerXXX (667952) | about 10 months ago | (#45213901)

By US company, do you mean companies like IBM, Northrop Grumman, Verizon, Rand Corporation? They did.

http://reporting.sunlightfoundation.com/2013/aca-contractors/ [sunlightfoundation.com]

A few problems with that list... (1)

cirby (2599) | about 10 months ago | (#45214121)

While you see a lot of US companies there, they were either providing support services (like surveying people about possible use of the system), advertising and publicity services, or secondary systems.

Most of the rest were "consulting" jobs, with only a few real hardware/software production contracts in the mix.

Once you get past the obvious $93 million for CGI, the next one of any size is Maximus Federal Services, which has a certain track record for handling this sort of thing - they were obviously hired to do the connections between the ACA site and things like CHIP and Medicaid. Makes you wonder why they're a secondary contractor, though, instead of the primary.

The big thing to remember is that even CGI isn't the effective primary contractor. That job effectively fell to HHS government bureaucrats, who had a stranglehold on the management of the whole mess, even though they definitely had no experience or training in such matters.

Re:A few problems with that list... (5, Insightful)

bzipitidoo (647217) | about 10 months ago | (#45214771)

I've done some work as a government contractor. It's messy. They demand that you account for every hour. If you are working on 3 different projects, you have to fill out a timesheet in which you detail which hours of every day you spent on each of those 3 projects. This sort of thing misses the point that it's results that count, not hours.

They are keenly aware of the public perception of them as bungling bureaucrats. Consequently, they can be extremely pushy and demanding. Often they bear down so hard that it is counterproductive.

They're also paranoid control freaks. They want contractors to work on computer systems that are under their control. Instead of working on your own equipment in your own offices, they'll insist you use their facilities. Then they provide antiquated, slow computers with ancient versions of Windows, and take weeks getting around to details like installing a phone line. There are also a ton of rules. They'll want you to pay for a cell phone, but they don't want your cell phone to have any privacy. You basically need permission to sneeze, and more permission to wipe your nose. Want to encrypt a hard drive? Maybe just keep a few encrypted files on a hard drive? Can't do that without authorization.

It takes a good contractor to stop them from hamstringing a project with red tape. You have to trample upon all sorts of rules to get anything done, and you need a smooth management team to keep the bureaucrats from worrying about violations. They will overlook all kinds of petty violations as long as there are good results. Let a project falter though, and the piranhas come out.

Re:Isn't this universal? Yes (0)

Anonymous Coward | about 10 months ago | (#45213425)

Seriously, every company has a history of security failures including the Company (CIA).

Nobody is perfect and a conglomeration of people is even more likely to have been not-perfect. It's as if submitter is a Republitard

Re:Isn't this universal? Yes (0)

Anonymous Coward | about 10 months ago | (#45213807)

So we should just accept things and move on? Business as usual?

Typical "rabid" political crap. If something has nothing to do with a political party make it about the other side and blame them.

You sir are the retard.

Re:Isn't this universal? (0)

Anonymous Coward | about 10 months ago | (#45213431)

The problem isn't with this company, it's with the federal procurement process, which favors large corporations that can handle ridiculous amounts of paperwork over companies that might actually be able to get the job done.

More than paperwork. Playing the game.

True story: years ago a friend of mine started his own software contracting service. He gave his wife 51% of the stock. His company was now "Minority Owned" and was eligible for a slightly easier bidding process. Of course, I think we all heard of the companies who put African-Americans in charge so that they can get that angle.

Then again, NOTHING beats the Good Ole Boy network - see Halliburton.

So, I'd like to know who these people know to get the jobs.

tl;dr - As is always the case; it's who you know.

Re:Isn't this universal? (1)

h3st (945000) | about 10 months ago | (#45213461)

So which level of the Capability Immaturity Model [wikipedia.org] would you expect them to be at? The description seems to predict a CIMM rating of -1.

Re:Isn't this universal? (0)

Anonymous Coward | about 10 months ago | (#45213741)

Hadn't heard of this before, but it sure sounds a lot like Congress.

Re:Isn't this universal? (0)

Anonymous Coward | about 10 months ago | (#45213879)

Are there any contractors that don't have a history of security failures?

Right up until they suffer a security breach. But it is afterwards where it gets critical: Did they draw the right lessons? Any lessons? Learn anything at all? Did anything, in fact, improve?

Maybe we should have some sort of requirement about investigating and releasing full reports with what happened, how it could happen, what they did about it, what they think they should've done, what they've done to "fix things", and how implementing that went. In that sense, treat it like the aviators treat crashes, accidents, even near-accidents: Take it as an opportunity for everyone to learn.

Though even there they're maybe a bit too happy on the paperwork. Though governments like paperwork more than is good for us, just grabbing more data and sitting on it indefinitely isn't going to remain tenable much longer, no matter how cheap storage becomes. It'll stifle the industry like nothing else can, and that'd be a pity. But it's what'll happen if we keep on lacking good approaches to improve information security. We lack a solid foundation, and laws and paperwork requirements won't fix that.

For some reason, just like how computerisation drove up paper use, government keeps on growing and leaning ever heavier on ever bigger contracting companies, when in theory you could have a small-ish administration office run an entire country--might have been able to since the advent of telephone, fax at the latest, even. Something is definitely off here.

Re:Isn't this universal? (1)

mcgrew (92797) | about 10 months ago | (#45213945)

I think if your firm is big enough to build an online data system big enough to accommodate this kind of traffic, you're big enough to handle the paperwork.

Re:Isn't this universal? (0)

Anonymous Coward | about 10 months ago | (#45214001)

With my experience with software projects, it's amazing they had a partially working website on time.

Re:Isn't this universal? (1)

Jane Q. Public (1010737) | about 10 months ago | (#45214003)

"Frankly, I'm amazed the PPACA website came out as well as it did."

Have you looked at the code behind it? I have. You probably have no idea just how bad "as well as it did" is.

It's completely ridiculous. No joke. Full of mistakes a first-day javascript programmer would not make... more than once.

Re:Isn't this universal? (2)

cold fjord (826450) | about 10 months ago | (#45214107)

Frankly, I'm amazed the PPACA website came out as well as it did. Most large IT contract jobs, whether public or private sector, are much, much worse. The typical outcome for a multi-million-dollar IT contract project is massive delays, substantial budget overruns, and poor/missing functionality

The Obamacare website is typical, or worse. The portion of the site for Spanish speaking people has never worked at all, and Spanish speaking Americans are one of the key groups of the uninsured. The rest of the site is plagued by errors in the data provided to insurers causing all sorts of problems including multiple enrollments and cancellations, incorrect family relationships, and plenty of other problems.... when it works at all. It will be at least months late in working, and that work won't be done for free, so that is late and almost certainly over budget. There are technologists that have looked at the problems and some of them are recommending that it be scrapped and start over. The Obamacare site was designed with less capacity than the site for Medicare Part D. It is a debacle of epic proportions. That is before you get to the policies some people are getting, or other repercussions of the law.

You Can Keep Your Current Health Insurance. Or Not [foxbusiness.com]

President Obama has promised people who liked their current doctor and health-care plan would be able to keep it as the Affordable Care continues to get implemented, but that’s proving not to be the case for many Americans.

Insurance companies have sent out hundreds of thousands of letters to consumers in recent months cancelling their health-care plans.

Kaiser Health News reports the cancelled policies “fall short” of the essential health benefits the ACA requires all plans include beginning Jan. 1, and are therefore not eligible for sale on the state and federally-run exchanges.

The law requires plans to include coverage for maternity care, ambulatory services, prescription medications and more, additions that critics say will drive up premium costs for policyholders who may never use them.

Among the insurance companies terminating policies are Kaiser Permanente in California, which sent notices to 160,000 policy holders; Highmark Pittsburgh, which dropped 20% of its individual market customers; and Independence Blue Cross, a major insurer in Philadelphia, eliminating 45% of its individual policies, Kaiser reports. The biggest hit comes in Florida, where insurer Florida Blue has dropped 300,000 policies.

In some cases, policies for those with pre-existing conditions were terminated while other customers faced price increases since the rollout of the new insurance exchanges, according to Kaiser. Beginning in mid-September, for example, Blue Shield of California sent nearly 119,000 cancellation notices to individuals, and nearly two-thirds of this group were notified of rate increases, the nonprofit news service reports.

Re:Isn't this universal? (5, Insightful)

smooth wombat (796938) | about 10 months ago | (#45214511)

and Spanish speaking Americans are one of the key groups of the uninsured.

Then maybe they should learn to speak English instead of expecting the entire country to bend over backwards for them. The same goes for the various Asian folks as well.

It's all well and good to speak two languages, but you shouldn't expect people to accommodate you because you're too lazy. If I emigrated to Vietnam, should I expect them to bend over backwards for me because I didn't learn their language? They'd laugh at me day and night if I told them they need to go out of their way to post everything in English.

But I guess it's easier to find a technical solution to a human problem than it is to fix the human problem.

Re:Isn't this universal? (1)

kc8apf (89233) | about 10 months ago | (#45214941)

The US has no official national language. By your logic, everyone in the US should learn and the government should only conduct business in the various Native American languages.

Re:Isn't this universal? (2)

Talderas (1212466) | about 10 months ago | (#45215771)

All nations have a de facto national language. Whatever language is used for writing the documents that establish the government/nation is essentially de facto.

Re:Isn't this universal? (1)

blueg3 (192743) | about 10 months ago | (#45216055)

But I guess it's easier to find a technical solution to a human problem than it is to fix the human problem.

You mean it's easier to produce translations of Web sites than to force a very large group of people to learn a new language?

Yes, yes it is.

Re:Isn't this universal? (1)

BoRegardless (721219) | about 10 months ago | (#45214203)

Then there are massive gov't software projects that are supposed to "reform" or "modernize" ancient software systems that never get finished and are just dropped after tens of millions of dollars. Just Google "failed government software".

Question (2)

Conspiracy_Of_Doves (236787) | about 10 months ago | (#45213305)

The government department that contracted this company for the site, are they allowed to use any criteria other than the contract bid amount to decide who to go with? Are they required to go with the lowest bidder, or are they allowed to look at the company history when deciding who to hire?

Re:Question (1)

phantomfive (622387) | about 10 months ago | (#45213481)

In my experience with government contracts, it's actually rare that lowest bid is the only criterion.

Re:Question (1)

Mr D from 63 (3395377) | about 10 months ago | (#45213943)

Size matters. When in doubt, you select the company with the biggest donor.

Re:Question (1)

bobbied (2522392) | about 10 months ago | (#45213593)

The government department that contracted this company for the site, are they allowed to use any criteria other than the contract bid amount to decide who to go with? Are they required to go with the lowest bidder, or are they allowed to look at the company history when deciding who to hire?

As I understand this specific contract... It was a sole source (not issued by lowest bid) contract.

Re:Question (1)

Conspiracy_Of_Doves (236787) | about 10 months ago | (#45213713)

Oh hell, that's even worse.

Re:Question (1)

bobbied (2522392) | about 10 months ago | (#45213803)

Here's hoping it was not a "Cost Plus" contract but "Firm Fixed Price" but I have a *really* bad feeling that was not the case.

Re:Question (0)

Anonymous Coward | about 10 months ago | (#45214599)

Firm fixed price contracts are great when you know exactly what your end product will be. Anything that has a design process usually ends up getting a time and materials, or cost plus award fee contract structure. This gives the government the flexibility to more freely alter and manage the design and implementation process. Building a system like this has too many unknowns. No company is going to chain themselves to a fixed price in those circumstances.

Don't forget, that cost plus contracts still have a ceiling amount, and there are penalties for failing to meet cost and schedule objectives.

Re:Question (0)

Anonymous Coward | about 10 months ago | (#45214179)

other criteria include "best value" allowing for choices which are not the lowest bid.

Re:Question (1)

Conspiracy_Of_Doves (236787) | about 10 months ago | (#45214345)

I think they might have borked on that one.

Re:Question (0)

Anonymous Coward | about 10 months ago | (#45215001)

Depends - usually they do, but often it is just going over the proposal to make sure it meets the listed requirements. Often there is a "technical evaluation panel (TEP)" who has the job of going over the proposal. On some, they aren't allowed to go over past projects, but ONLY go over the (written) proposal and how it meets up with the stated requirements. I've been part of both (not the high points of my career).

The reason why companies that have a history of failure still get contracts can be boiled down to one basic thing: They know how to play the acquisitions game. Federal contracts are a mess of rules, regulations, special set-asides, etc. that companies have to devote a lot of time towards. You can tell first time contractors versus those that know the game by simply reading the proposals: One tries to be like a resume, one simply restates the requirements as a statement of work.

is there anyone here.... (4, Insightful)

phantomfive (622387) | about 10 months ago | (#45213309)

Is there anyone here who had any doubt that the health exchange system would have serious security problems, given how many problems it's had, and security bugs being harder to avoid than many other types of bugs?

The worst part is, since this system integrates with the department of homeland security and the IRS, you don't even necessarily need to use the system for a security vulnerability to affect you.......

We need to start throwing people in jail. (-1)

Anonymous Coward | about 10 months ago | (#45213343)

The ACA has been such a failure and promises to bankrupt the country. Perhaps if we cannot have it thrown out by the Supreme Court and we don't have the balls to continue a government shutdown, the answer is to start throwing anyone associated with it in jail.

Re:We need to start throwing people in jail. (1)

Sir Holo (531007) | about 10 months ago | (#45213421)

[citation needed]

Re:We need to start throwing people in jail. (2)

Bodhammer (559311) | about 10 months ago | (#45213569)

http://www.amazon.com/Extortion-Peter-Schweizer/dp/0544103343 [amazon.com]
There ya go, 600 footnotes included.

Re:We need to start throwing people in jail. (1)

Cornwallis (1188489) | about 10 months ago | (#45215759)

Great book! I'm halfway through it and it has got me riled up enough to ...Hey! Shiny ponies!

Outsourced Lowest Bidder syndrome (4, Insightful)

Isca (550291) | about 10 months ago | (#45213347)

This is what happens when you don't hire people in the agencies with technical abilities to even be able to oversee the implementation of complex systems.

Privatization is good as long as you actually have competent people with technological expertise to oversee the development. Outsourcing all of this to the lowest bidder, then that company outsourcing components to the lowest bidder (and so on, and so forth) always causes these types of issues. We need technologists inside the government that can actually manage these projects.

Re:Outsourced Lowest Bidder syndrome (0)

Anonymous Coward | about 10 months ago | (#45213819)

to the lowest bidder

People keep writing that; "to the lowest bidder." It would be nice if the selection rationale had been at least that objective. It wasn't; it was cronyism. The fix was in and the contract went to political favorites through a rigged process [washingtonexaminer.com].

The whole premise that the contractor is incompetent is questionable in any case; CGI has implemented state run exchanges that have had successful launches. Speculation about the cause of the Federal system problems range from HHS insisting on "very strong security" to overly complex design that attempts to mask plan costs with subsidies.

Re:Outsourced Lowest Bidder syndrome (1)

GodfatherofSoul (174979) | about 10 months ago | (#45213841)

I think the whole "lowest bidder" thing is very exaggerated. The government is still looking to see who they believe can bring the project to completion by the deadline. Hell, I would've taken the contract for $10 million, but no one called me.

Think of the example of the competition between the YF-22 and YF-23 back in the early 90s. Even though the -23 was slightly better, Boeing (?) got the contract for the -22 because they took a risk and started building facilities ahead of time, then used their head start as a selling point.

Re:Outsourced Lowest Bidder syndrome (0)

Anonymous Coward | about 10 months ago | (#45214299)

I am sick of hearing about "lowest bidder". When a company submits a bid, especially for large contracts, they also have to show that they have the technical capabilities, staff and a history of completing similar work. The bids are scored, with the dollar value being one factor in the award process. This is not unlike how most households bid out major work to their home.

How is this possible? (0)

Anonymous Coward | about 10 months ago | (#45213349)

So how do firms with a history like this, get these contracts? I'll give benefit of the doubt that not a single firm is 100% bulletproof when it comes to security, but this screams incompetence and malfeasance, since that breach was last year. And 'financial account information and bank routing information'? REALLY? I'd not go so far as to say this was collusion, because this can obviously be explained by stupidity and incompetence, but I'd leave that to the prosecution to argue.

That said, where do they go from here? It would appear the system for the ACA was 'doomed' before it even was developed.

Re:How is this possible? (3, Informative)

Isca (550291) | about 10 months ago | (#45213381)

A large part of it is who you know to get your foot in the door. Once you've done government projects it's easier to land more contracts. I suspect in this company's case that the breach happened after they had already signed contracts to work on this project (at least with Serco).

Re:How is this possible? (1)

phantomfive (622387) | about 10 months ago | (#45213525)

The question is, what contractor do you know who would do it right? Really, IBM? Would you prefer Oracle did this, do you think that would give it better security?

Re:How is this possible? (1)

Archangel Michael (180766) | about 10 months ago | (#45215617)

Google. They manage huge amounts of data, know how to do it, have had relatively few (if any) data breaches, etc.

But then again, they got out of the Health Care business when they realized what a cluster fuck it really was. My guess, Obama, Reid and Pelosi have no idea what the hell they were doing, crafted legislation as if they were experts, and have left us holding the bag of an unworkable system which was designed to get us to a single payer system, which each one of them said they preferred.

This is the problem with politics, nobody cares what people say they are doing, only what they appear to be doing. In this case they appear to be "giving health care insurance to everyone" (they aren't but that is beside the point) while saying they want a single payer system. It was Broken by Design. It should be repealed and those people should NEVER be allowed anywhere near health care system ever again. However, they will get a pass for "trying" (noisy way of doing nothing) to fix health care system that they think is broken. Unfortunately for us, they have to break it some more before they can try to "fix" it with single payer.

Re:How is this possible? (1)

phantomfive (622387) | about 10 months ago | (#45215793)

Google just had a data-breach not long ago where IM messages were getting sent to the wrong person.

My guess, Obama, Reid and Pelosi have no idea what the hell they were doing, crafted legislation as if they were experts, and have left us holding the bag of an unworkable system

That's a real possibility.

ok enough already.. (1)

Connie_Lingus (317691) | about 10 months ago | (#45213409)

...im just gonna send images of all my hard drives and net logs to the NSA and be done with this nonsense already.

fuck...how many ways are we being spied on and our information leaked until sensible people just throw up their hands and say "enough already!"???

Re:ok enough already.. (1)

phantomfive (622387) | about 10 months ago | (#45213543)

Leaked information is like backups......everyone knows it's important, but no one cares until it affects them personally (their computer crashes or their ID is stolen).

Yeah, so what? (2)

mark_reh (2015546) | about 10 months ago | (#45213447)

It's been obvious for months to even the most internet-ignorant that there is no such thing as security on-line. The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by obamacare, if they ever manage to get it up and running.

Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system, but we are too stupid to vote for something like that. Even if we did, the insurance lobby's votes mean much more than votes of citizens going to the polls, so even if the majority came to their senses and demanded a single-payer system, it would not happen.

OK, so we'll get more targeted spam about incontinence products, birth control, flatulence control, boner pills, etc. That will just make spam filters work a little harder.

Re:Yeah, so what? (2)

phantomfive (622387) | about 10 months ago | (#45213555)

The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records.

The main concern is someone applying for a credit card with your name, or otherwise borrowing your identity.

Re:Yeah, so what? (1)

mark_reh (2015546) | about 10 months ago | (#45214221)

That sounds like a SS number problem to me.

Re:Yeah, so what? (1)

phantomfive (622387) | about 10 months ago | (#45214869)

Yes, yes it is. If people are able to hack Healthcare.gov (which is still hypothetical at this point), they could steal your SS number. This is true even if you haven't signed up, because the system is hooked up to the IRS, among other systems.

Re:Yeah, so what? (2, Insightful)

mcgrew (92797) | about 10 months ago | (#45214015)

The main concern with regard to health records security is that health insurance companies would deny coverage to people with preexisting conditions based on evidence in medical records. That's been fixed, at least in theory, by obamacare, if they ever manage to get it up and running.

The ACA was passed and signed and gone through the courts; it's the law. Obamacare is in fact up and running, what's not is the federal web site.

Your state's isn't in place? That isn't the Feds' fault, it's your state government's. Illinois' is in place, and we have the most dysfunctional government in the US. Why isn't yours?

Of course, the real fix would have been to get the insurance companies out of the health insurance business altogether with a single payer system

I'd mod you up if I had points. The reason the US has such expensive health care is the insurance companies. They're simply parasitic middlemen who do nothing but add cost.

Re:Yeah, so what? (1)

mark_reh (2015546) | about 10 months ago | (#45214201)

"They're simply parasitic middlemen who do nothing but add cost."

Duh! Thank god we don't have single payer healthcare! I'd much rather have someone who profits by not delivering healthcare, like an insurance person, standing between me and my doctor than some bureaucrat tasked with ensuring that money spent actually goes to healthcare. THAT would be BIG GOVERNMENT. Ugh!

Re:Yeah, so what? (0)

Anonymous Coward | about 10 months ago | (#45214453)

can I quote this? that's the best, most insightful, accurate, and funniest phrasing I've seen yet...

Re:Yeah, so what? (1)

MouseTheLuckyDog (2752443) | about 10 months ago | (#45215035)

The ACA was passed and signed and gone through the courts; it's the law.

This was brought up a long time ago and debunked. No law is ever judged 100% constitutional; only the aspects brought before the court are adjudicated. The mandate as a mandate was actually judged unconstitutional. The mandate as a tax is constitutional. However, there are still many court cases about it which can be overturned. I know of at least two cases making their way up the courts, one being that the tax was not properly passed as a tax has to originate in the House. The second is the tax subsidies to people in states that do not have exchanges.

Obamacare is in fact up and running, what's not is the federal web site.

Your state's isn't in place? That isn't the Feds' fault, it's your state government's. Illinois' is in place, and we have the most dysfunctional government in the US. Why isn't yours?

States are not required to provide exchanges, the federal government is. Many states opted out. Seems they should have been following Illinois' example. Because of course you should always follow the lead of the most corrupt state in the country, where in the last 50 years 50% of its governors went to jail, and is vying for California most insolvent.

Of course the big question is if a state as pathetic as Illinois could do it, why couldn't the Obama administration?

Re:Yeah, so what? (2)

rsborg (111459) | about 10 months ago | (#45215087)

I'd mod you up if I had points. The reason the US has such expensive health care is the insurance companies. They're simply parasitic middlemen who do nothing but add cost.

Please don't forget about two other major reasons "healthcare" is so expensive here in the states: 1) Medical device companies that charge an arm and a leg for basic supplies and 2) Big Pharma, that for some reason (well, billion$ of reasons, actually) lobby to prevent organizations like Medicare from negotiating prescription drug costs.

Insurance companies are evil, but with ACA, their evil has been toned down considerably (no rescission from pre-existing conditions + medical loss ratio + fallback of state exchanges) and if things with Obamacare progress, we might get more single-payer down the road.

I see ACA/Obamacare like hybrid gas-engine cars (ie, Prius) - by straddling the private and public insurance options, the road is eased such that a more moderate progression happens. Whether you feel this progressive approach is wise or not is another matter.

Re:Yeah, so what? (0)

Anonymous Coward | about 10 months ago | (#45215249)

The reason the US has such expensive health care is the insurance companies. They're simply parasitic middlemen who do nothing but add cost.

Yes, this makes insurance companies the polar opposite of government agencies, doesn't it?

If at first you don't succeed (0, Funny)

Anonymous Coward | about 10 months ago | (#45213469)

It's good to see our government supporting do-overs. How are these contractors ever going to get better if we don't give them dump trucks full of money and let them try again and again until they get it right?

Re:If at first you don't succeed (1)

Skapare (16644) | about 10 months ago | (#45213913)

They will never get it right. That's how they keep the dump trucks coming in.

Could Be Worse (0)

Anonymous Coward | about 10 months ago | (#45213483)

QSS failed to adhere to federal security standards

So no known stolen information from contractor 1 (yet).

Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges.

And contractor 2 is only handling the processing of paper applications.

It doesn't appear that these contractors will have a significant effect on the majority of ACA applications. Now, the other contractors...

Forget security problems.... (-1)

Anonymous Coward | about 10 months ago | (#45213573)

It's got legal problems.

http://www.dailymail.co.uk/news/article-2471978/Bombshell-Federal-judge-suddenly-green-lights-lawsuit-stop-Obamacare-tracks.html?ICO=most_read_module

"Bombshell: Federal judge suddenly green-lights lawsuit that could stop Obamacare in its tracks

        Small-business plaintiffs say the government is treating all 50 states the same even though Congress allowed them to opt out – and 36 did
        The IRS is granting insurance subsidies to taxpayers in the 'refusenik' states, even though the text of the Obamacare law doesn't allow it
        A federal judge denied the government's motion to dismiss the case on Tuesday
        He also refused, however, to issue an injunction barring the Obama administration from implementing the law while the case moves forward"

Here's what's so frustrating to me: they purposely left out the severability clause (or whatever it's called) so that SCOTUS couldn't reject the individual mandate without rejecting the entire law. But now that "it's the law of the land!!" Obama and Sebelius are exempting people left and right, and delaying parts they feel like delaying. I know there's no legality to a charge of "not fair, you guys", but it seems to violate the idea of no severability, right?

You see drones? Anything that a statist wants to do is good and laws are not relevant. Anything that a conservative wants to do is bad and must be stopped.

How can you idiots support such logic? How can you be against a government limited by laws equally applied, no matter who you are?

Fucking Obama dick sucking drones.

Problem of selection (2)

satsuke (263225) | about 10 months ago | (#45213661)

The larger problem isn't the actual contractor, it's in the selection process.

At least, the companies that get these huge jobs are the ones that can successfully navigate the bidding process, as well as those that have a track record of complying with that process.

It's a matter of the metrics used not matching the result desired.

ACA/Obamacare health exchanges have had a lot of screwups, but I don't know if it'd work any other way initially (based on the fact that there are hundreds of agencies and different systems to interact with, any end to end testing would have to be on "friendly" / fake results).

Re:Problem of selection (1)

TheRealMindChild (743925) | about 10 months ago | (#45214021)

Follow the money trail and I'm certain you will find some congressperson's pockets getting lined with money by the company that got the contract

Quality Software Services ? (1)

fahrbot-bot (874524) | about 10 months ago | (#45213685)

Just my $.02, but if you actually *provide* quality work, you don't need to have that in your company's name. Only time will tell if this also applies to the word "affordable" ... :-)

Re:Quality Software Services ? (1)

Bob the Super Hamste (1152367) | about 10 months ago | (#45215045)

I find that logic applies to just about everything. If you have to have a good adjective as part of a name, the product or company probably sucks.

Move over, Jimmy Carter (-1)

Anonymous Coward | about 10 months ago | (#45213709)

All you fools who called Bush II "the worst President ever" are now seeing the true worst President ever in action.

Jimmy Carter - previous holder of that title - is ecstatic.

Don't think 0bama is the worst ever? 0bama's taken a minor civil war in Syria and managed to turn it into a true fiasco - getting schooled by Putin, and alienating everyone so badly they're cutting diplomatic ties to the US. [dailymail.co.uk]

Re:Move over, Jimmy Carter (-1, Flamebait)

Dunbal (464142) | about 10 months ago | (#45213785)

And at least Carter has tried to make up for it, often acting as an envoy, or making sure that elections aren't rigged in third world countries. Obama probably won't even be able to travel abroad once he's successfully tried for his war crimes. Certainly I don't see him getting a Venezuelan or Bolivian visa. Probably not welcome in China (because of the NASA scientist fiasco) and Russia (Snowden) either.

Re:Move over, Jimmy Carter (1)

Virtucon (127420) | about 10 months ago | (#45214055)

And at least Carter has tried to make up for it, often acting as an envoy, or making sure that elections aren't rigged in third world countries.

He needs to check out elections in most US states and organizations that are helping to allow people to undermine the system.

http://dailycaller.com/2012/10/10/new-okeefe-video-obama-campaign-staffer-caught-helping-activist-vote-twice/ [dailycaller.com]
http://www.washingtontimes.com/news/2013/feb/19/ohio-poll-worker-who-admits-voting-twice-obama-may/ [washingtontimes.com]
http://articles.baltimoresun.com/2012-09-14/news/bs-md-wendy-rosen-withdraws-20120910_1_wendy-rosen-maryland-democratic-party-general-election [baltimoresun.com]

And it's funny how the DOJ goes after states that try to enact voter ID laws because it will somehow disenfranchise voters. It's one person, one vote.

Re:Move over, Jimmy Carter (1)

Archangel Michael (180766) | about 10 months ago | (#45215653)

Or Saudi Arabia. So much for being the Messiah and bringing the world together in a Kum By Ya moment.

Re:Move over, Jimmy Carter (1)

TheCarp (96830) | about 10 months ago | (#45214323)

> All you fools who called Bush II "the worst President ever" are now seeing the true worst President
> ever in action.

Obama had not been president during Bush, so it's not an either or, they can both be the worst president ever for their time in history, and I would submit, that is not only what happened, but it's an unbroken tradition since at least Ike.

> Jimmy Carter - previous holder of that title - is ecstatic.

He was dethroned handily by Reagan. Reagan who continued to push the drug war bringing us the highest murder rate since alcohol prohibition ended. We saw the draining of the SSI trust fund (which was supposed to be firewalled from the rest of the budget) under him. We saw a terrible arms race that helped to set up many of our current day wars...and the massive increase in national debt.

> Don't think 0bama is the worst ever?

Someone might not, but, he's at least on par with the rest of them.

But (0)

Dunbal (464142) | about 10 months ago | (#45213749)

I'm sure the company has connections to or is owned by some bigshot politician's spouse or cousin, so that makes it ok.

Government Contracting is a rats nest (5, Informative)

Sedated2000 (1716470) | about 10 months ago | (#45213761)

The processes and hoops you have to jump through in order to respond to their requests for proposal are ridiculously complicated. Way too often companies who are not qualified get the contract merely because they knew how to play the system.

The government has programs to support small businesses like 8a for disadvantaged, one for businesses owned by disabled Vets, one for women owned. This does help some, but more often than not those companies are just paid so that bigger companies can bid for work and use them as the vehicle to get it. In my experience as a government contractor for most of my career I've seen countless scenarios of companies bidding for 8 resources on a task but really only using 2. I've seen them work on contracts for over a decade, and despite horrible execution of the project they continue to win the re-compete because they'll purposely squirrel away anyone who can help a new contract winner. They'll eat the cost and give people useless jobs at their corporate offices just to attempt to make the new contracting company fail.

There is also a terrible history of nepotism involved. The entire system is abused. Officers have even set up companies and awarded contracts to themselves right before retirement. When they leave they have a ready made contracting company complete with an ongoing contract and perhaps one or two for their past performance record already. By the time they're caught, they are fined a million or so which at that point is small price to pay for them. They just had the world's best interest free business startup loan. Yes, I have first-hand knowledge of one such instance of this and I know it is definitely not an isolated incident.

Here is an example of waste: When I was on one of my last contracts I spent months doing nothing of real consequence. Through some weird situation I was left with no project manager and no tasks. I informed all of the management who would listen, and requested work. I began to worry I'd be cut, along with the worry that if I sat idle my hard-earned skills would dull. I found another job and quit. I received a call from the vice president of the company telling me she was hearing what a great job I was doing and that they wanted to offer me a substantial raise to stay. It was then I realized they didn't care what I did. They could bill for me. By showing up I was doing a "good job". I couldn't take it and left.

Re:Government Contracting is a rats nest (1)

Anonymous Coward | about 10 months ago | (#45214213)

"I received a call from the vice president of the company telling me she was hearing what a great job I was doing"

Brownie? Is that you?

Well.. (3, Insightful)

TechyImmigrant (175943) | about 10 months ago | (#45213765)

While it may be unsurprising that a government contractor can't get security right, expecting anyone to adhere to government security specifications is unreasonable. Take a look at them, they are a vast mess of poorly written hand waving. There are some with specifics (E.G. some of the crypto algorithm stuff), but the balance of it is 'framework' crap.

You can make an honest job of adhering to federal computer security specs, but it's always possible to dig up another spec somewhere that contradicts it.

Re:Well.. (0)

Anonymous Coward | about 10 months ago | (#45214623)

Example? I'm used to reading DISA's STIGs, which are clear and informative. Google them, they are hosted by DISA as well as private business.

And they hire the best H1B candidates they can too (2, Insightful)

Virtucon (127420) | about 10 months ago | (#45213821)

They're just a body shop living the H1B dream. [findthecompany.com]

I find it somewhat repugnant that a US Healthcare website is being done by a slipshod vendor who relies on H1B staff for delivery and can't follow FIPS 200 standards? That's a no-brainer for anybody dealing with any Federal agency.

https://oig.hhs.gov/oas/reports/region4/41205045.pdf [hhs.gov]

QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.

So Personally Identifiable Information for over 6 Million Medicare beneficiaries wasn't protected and they still are working and billing to provide shitty software. I wonder how much of this is now in the hands of identity thieves selling Fullz..

your government at work folks, what a wonderful sight to behold.

Re:And they hire the best H1B candidates they can (3, Insightful)

ZombieBraintrust (1685608) | about 10 months ago | (#45214421)

Why is this racist crap modded up? I work with H1Bs and most of them went to better colleges than I did and have better degrees than I do. We're talking about people with 10, 15 years of experience. Now some outsourcing outfits hire people directly out of college. Quality can be low with these teams because there is a lot of turnover and poor communication with an offsite team. But those people tend to work in India for a few years. The competition for visas is high and people with no experience don't normally get them.

Re:And they hire the best H1B candidates they can (1, Flamebait)

Virtucon (127420) | about 10 months ago | (#45215103)

H1B's exist to drive down labor rates in the US, screwing over folks who are already here [motherjones.com] and they're not necessarily getting the best talent either. [informationweek.com] If you're telling me that Quality Shit Software couldn't find qualified candidates in the beltway for this project, then you're full of crap. That's not racist by the way and I object to the use of the term, but since QShit was looking for Business Analysts and Engineers, I know that there are plenty of those in DC who could have done the job. There's lots of these outfits out there, WiPro, InfoSys, Tata and others who use the H1B and pay less than other companies for the same work and sell themselves as saving money for the companies they work for. These are Indian outsourcing firms and they get called out even in their own nation. [thehindu.com] If we're going to have H1B Visas in this nation, then we damn well better insist that 1) Companies who are sponsoring H1Bs have done their due diligence in trying to find a qualified candidate already here. That means verification with screening results not just Taleo bullshit disqualification. 2) That the wages the H1B employee are paid are at least above the 80% percentile for the work, in the area where they're working and only for the duration of that work. 3) Once the work is finished, if the H1B candidate doesn't have a Green Card or is not on the path to citizenship, they need to go back and not job hop. Did you also know that the top ten sponsors of H1B visas are offshore outsourcing companies? That's another gap that has to be fixed, specifically companies that are in the body shop business need to be excluded from sponsoring H1Bs. I'm for letting people work in this country but the playing field needs to be a bit more balanced and indexed on unemployment figures as well, if that's racist to you then fuck off.

Fifty-five contractors (5, Insightful)

Dachannien (617929) | about 10 months ago | (#45213871)

Just the fact that there were 55 different contractors working on healthcare.gov is reason enough to suspect that major security flaws crept in.

The fact that the website was opened before any appreciable amount of testing was done is reason enough to suspect that most of those flaws are still undiscovered and uncorrected.

The government's project managers didn't even come up with a full specification for the largest contractor until this past Spring, with the expectation that everything would be done and ready for business on 1 October. It's a total clusterfuck, the true scope of which likely won't be discovered for several months.

http://www.newyorker.com/online/blogs/elements/2013/10/why-the-healthcaregov-train-wreck-happened-in-slow-motion.html [newyorker.com]

Re:Fifty-five contractors (1)

Skapare (16644) | about 10 months ago | (#45214023)

I also blame the fact that these 55 contractors were businesses. They should be experienced developers. And 55 is too many even so. The web site could be done with 20.

what we need (2)

wbr1 (2538558) | about 10 months ago | (#45213911)

Is something like angieslist for government contracts and a mandate to force its use. Now, who do we contract to build it?

Re:what we need (1)

Virtucon (127420) | about 10 months ago | (#45214069)

AngiesList.com? [angieslist.com]

Oh great, cue the pompous chest-thumping (2)

daboochmeister (914039) | about 10 months ago | (#45213993)

Get ready for the torrent of people who've never dealt with gov't contracting who are just so sure they could do it better. Dunning-Kruger in the house, like usual on /.

The Grand Target (2)

SuperKendall (25149) | about 10 months ago | (#45214045)

The worst thing about a centralized system like healthcare.gov, is that it represents a tremendously juicy target for criminals of all kinds - from ID thieves to phishers that want some personal info to run a scam. Never mind this company, I'm not sure I trust ANYONE to develop a system that is secure against the number and complexity of attacks that will be made.

Stop using contractors (2)

Skapare (16644) | about 10 months ago | (#45214073)

Use in-house employees instead. Hire well-qualified experienced employees, paid well (considering the costs of living in DC if they are not working from remote).

Re:Stop using contractors (4, Interesting)

ZombieBraintrust (1685608) | about 10 months ago | (#45214487)

the biggest contractor, CGI Federal, was awarded its $94 million contract in December 2011. But the government was so slow in issuing specifications that the firm did not start writing software code until this spring. As late as the last week of September, officials were still changing features of the Web site.

If there is no specification then you're going to get a crap product. If they started in Spring then there is no way they finished in time to do several months of testing, bug fixing, and regression testing.

You're surprised? (3, Insightful)

Overzeetop (214511) | about 10 months ago | (#45214127)

List all the companies who can, in under a year, put together a $50-400M (take your pick at the number) software system to service, conservatively, 30 million people in a day and interface with legacy systems from multiple governmental agencies.

Cross off everyone on the list who isn't set up to do government contracting
Cross off everyone on the list who can't meet HIPAA standards
Cross off everyone who hasn't rolled out at least three systems of similar size and complexity in the past 5 years
Cross off everyone who is headed by a foreign national

Your list is going to be very, very short. I'd have had you cross out those with past roll-out failures or problems, but that would have given you a blank piece of paper to start with.

Too many cooks (1)

kawabago (551139) | about 10 months ago | (#45214219)

burns the code.

ObamaCare (0)

Anonymous Coward | about 10 months ago | (#45214347)

It's interesting that as ObamaCare proves to be a huge disaster, the media outlets begin to call it "ACA" or "Affordable Care Act" in an effort to protect Obama's name.

I think I have heard the actual name of the Act more in the last week than in the last several years.

This (0)

Anonymous Coward | about 10 months ago | (#45214793)

is so going to end in tears.

My state exchange web site works fine. (3, Insightful)

rock_climbing_guy (630276) | about 10 months ago | (#45214907)

For what it's worth, I recently moved to Colorado and I've found that their state health insurance exchange web site works just fine. I was able to browse plans available within a few minutes.

I think it goes to show that there's nothing extraordinarily difficult about this web site. I suspect cronyism on the part of the federal government. How else can you explain that they paid ~ $600M for a web site that doesn't work? I think they could have handed that money to most anyone who posted to this discussion and gotten a better result.

This is pathetic. (2)

Lendrick (314723) | about 10 months ago | (#45215889)

I'm all in favor of the ACA. In fact, on the state level, they've done just fine (it's notable that the only reason the federal system is even necessary is because a number of states refused to do it).

On the other hand, how the fuck did we end up with this crap? You cannot roll out a project to millions of users this quickly and without adequate load testing. Also, why the hell aren't the contractors American? All this lip service the Democrats pay every election year to eliminating tax breaks for outsourcing and they can't bother to use American companies that will guarantee the work won't be subcontracted to some other company outside the US?

We actually have competent IT contracting firms in the US. They tend to be expensive, but they have enough experience that they can predict how long and how much it will cost to deliver working software. Ultimately, it ends up costing less in the long run to pay more up front, because the software actually does what you want it to do.

(Of course, this might not be a matter of corruption rather than cost, but my points still apply.)
