HHS Panics About Security Glitches, Offers Sole-Source Contract to Tech Firm
8:54 AM, Dec 9, 2013 • By JERYL BIER
Concerns have increased over the security of personal information collected by the Department of Health and Human Services (HHS) as the volume of personal data has multiplied dramatically with the implementation of Obamacare. Security experts have testified before Congress about flaws they have uncovered at Healthcare.gov, and various press reports have related other potential problems with the website or with information flowing to the Federal Services Data Hub that could be exploited by hackers and identity thieves. An HHS document dated December 5 describing a more than 500 percent increase in the monitoring of cyber threat indicators since April 2013 may only increase those concerns.
The document states that the agency's Computer Security Incidents Response Center (CSIRC) has experienced more than a five-fold increase in the number of "indicators" monitored by the center in just the last eight months. To cope with the potential threats from this vast increase in data, HHS intends to negotiate a sole-source contract with Cyber Squared, an Arlington, Virginia, cyber security firm, after allowing less than four days (including a weekend) for responses from other interested firms; the document even explicitly states that HHS is not soliciting competitive quotations. HHS describes the apparently urgent need for upgraded threat monitoring as follows:
Some of the terminology used in this document raises questions about the scope of the monitoring. For instance, although the document references the "Healthcare Threat Operations Center (HTOC)", the federal government's 2013 Information Sharing Services annual report to Congress makes no mention of the HTOC among the five Federal Cybersecurity Centers, nor is there any other reference to a "Healthcare Threat Operations Center" on the HHS website or any other government website. References to each of the other potential data sources can be found on various government websites and documents.
The notice regarding ThreatConnect was posted by HHS at 3:42 PM on Thursday, December 5, and stated that responses would be needed by 8:00 a.m., Monday, December 9. The documentation accompanying the notice does not explicitly mention the Affordable Care Act or Healthcare.gov, but emails sent Thursday to the listed contracting officer and the HHS press office requesting clarification have not been returned.