Report: HIX Vendors Have Security Issues
The incidents, according to the review by Computerworld, are not related to the Web site’s current performance problems, the publication emphasizes. “Even so, the information is relevant in light of the ongoing scrutiny of the companies involved with the problem-plagued exchange,” it adds.
For instance, Columbia, Md.-based QSSI, an integration firm, developed the software code for the data hub that connects insurers to federal eligibility verification systems, the IRS, Social Security Administration and other agencies, Computerworld notes. But a June audit report from the Department of Health and Human Services’ Office of Inspector General contended QSSI did not adhere to government security standards when testing another system for the Centers for Medicare and Medicaid Services.
“QSSI had not sufficiently implemented federal requirements for information system security controls over USB ports and devices,” according to the OIG. “Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the protected identifiable information of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access or theft.”
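The second OIG point, restricting unauthorized USB device access, is the kind of finding an auditor can turn into a repeatable host check. The script below is an added example, not part of the Computerworld report or the OIG material, and it assumes a Linux host where USB mass storage is blocked by preventing the usb-storage kernel module from loading through modprobe configuration (an `install usb-storage /bin/true` override plus a `blacklist usb-storage` line). The directory to scan is a parameter, so the same check can run against a copied configuration offline.

```shell
#!/bin/sh
# Added example (not from the article): audit whether the usb-storage kernel
# module is blocked via modprobe configuration, a Linux counterpart of the
# USB device control the OIG finding describes. The modprobe.d directory is a
# parameter so the check can be run against a copied config offline.

# Returns 0 when both controls are present in DIR/*.conf:
#   - an "install usb-storage /bin/true" (or /bin/false) override, so the
#     module cannot be loaded on demand via modprobe
#   - a "blacklist usb-storage" line, so it is not autoloaded by alias
# Returns 1 when either line is missing, 2 when DIR does not exist.
check_usb_storage_blocked() {
    dir="$1"
    [ -d "$dir" ] || return 2
    # Comment lines are ignored; arbitrary whitespace between fields is allowed.
    # "|| true" keeps a zero-match grep from tripping "set -e" in callers.
    install_ok=$(cat "$dir"/*.conf 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | grep -Ec '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)' || true)
    blacklist_ok=$(cat "$dir"/*.conf 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | grep -Ec '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage' || true)
    [ "$install_ok" -gt 0 ] && [ "$blacklist_ok" -gt 0 ]
}

# Human-readable wrapper for interactive use; reports but never aborts.
audit_usb_storage() {
    if check_usb_storage_blocked "$1"; then
        echo "PASS: usb-storage blocked by modprobe config in $1"
    elif [ -d "$1" ]; then
        echo "FAIL: usb-storage can still be loaded; add 'install usb-storage /bin/true' and 'blacklist usb-storage' under $1"
    else
        echo "SKIP: $1 not found"
    fi
}

# Default to the live system directory when no path is given.
audit_usb_storage "${1:-/etc/modprobe.d}"
```

This covers only the modprobe layer; a module that is already loaded is not affected until reboot, so on a live host pair it with `modprobe -n -v usb-storage` (which shows the install override that would take effect) and `lsmod | grep usb_storage`. The point for an audit like the OIG's is that the control should be stated in policy and then verified on the hosts, not assumed.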
Asked for comment on the OIG assertions, a QSSI spokesperson told Health Data Management, “QSSI is dedicated to the highest standards of information security in our work. We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and informed CMS of our actions.”
Computerworld further reports that contractor Serco, which is processing and verifying paper health insurance applications, had a breach affecting 123,000 members of the federal Thrift Savings Plan, a $313 billion retirement plan. Compromised data included full names, addresses, Social Security numbers, financial account information and bank routing information.
The breach was caused by an intrusion into a single desktop computer of a Serco employee in July 2011, but was not discovered until April 2012 after the FBI notified the company, according to Computerworld. A Serco spokesperson responding to the publication downplayed the significance of the breach and said the company has reviewed and improved its security program and infrastructure protections.