Quality Software Services, Inc. (QSSI), builder of the registration and hub systems for Healthcare.com, was cited in June by Health and Human Services for playing it fast and loose with Americans’ personal information. They were criticized for endangering the personal data of more than 6 million government beneficiaries through insufficient security controls. Compounding the problem is that the same contractor was recently named to serve as “general contractor” on the repair effort at HealthCare.gov.
The report (embedded below) details the lax security:
QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.
In other words, anyone could just slip in a flash drive and steal the data. Holy Edward Snowden, Batman!
Lax data safety at Quality Software Services, Inc. (QSSI) was deemed a “high” risk in a June probe by federal investigators that revealed the company had failed to stop its employees from connecting unauthorized USB devices to highly sensitive Medicare systems.
The June report by the Health and Human Services (HHS) inspector general revealed that QSSI’s inaction allowed workers to connect unsanctioned devices such as iPods to 29 out of the 30 workstations studied, all of which had access to millions of Medicare patients’ personal data.
The unhindered access to USB ports raised the possibility that workers could have introduced malware to Medicare’s systems or “inappropriately accessed” personally identifiable details, the report stated.
The information of more than 6 million Medicare beneficiaries was at “greater risk from malware, inappropriate access or theft” as a result, wrote HHS assistant inspector general Kay Daily.
QSSI was awarded the general contractor gig without a bidding process on an emergency basis. I am sure it had nothing to do with the fact that the company and its senior officers are credited with over $1 million in donations to President Obama.