Missing standards created integration struggles with HealthCare.gov

Missing integration standards were a major problem some insurers faced in connecting their software to the federal government's online health insurance marketplace, which has been plagued by technical glitches, an expert said.

How much the non-standard communications between computer systems contributed to the performance struggles associated with HealthCare.gov is not clear. However, one technology vendor said it had to break standards used in its identity management software deployed at several insurance companies.

"We actually had to make code changes to the software to accommodate the totally non-standard things that they were attempting to do," John Bradley, senior technical architect for Ping Identity, said Monday.

"Whether or not those non-standard things ultimately introduce security vulnerabilities, we'll have to have a good look at that once this settles down."

For reasons that were not explained, the government did not follow SAML, an open, XML-based standard for exchanging authentication and authorization data, in the sign-up traffic between the federal website and insurers, according to Ping. Standardized by OASIS since 2002 (SAML 2.0 followed in 2005), SAML, or Security Assertion Markup Language, is a key technology for authenticating people across computer systems: an identity provider issues a signed assertion about a user, and any relying party can apply the same well-defined checks to it before trusting it.
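The practical value of the standard is that every relying party runs the same checks on every assertion. The Python below is an added example, not code from Ping Identity, QSSI or the article: it parses a constructed SAML 2.0 Response (the issuer and audience URLs and the "enrollmentId" attribute are hypothetical) and applies the Conditions checks a standards-conforming Service Provider enforces, then shows that a variant with the Conditions element removed, the kind of deviation a vendor would otherwise have to special-case in code, is rejected outright. XML Signature verification, which must precede these checks, is assumed to be done with an xmlsec library and is not shown.

```python
"""Standard SAML 2.0 assertion checks on a constructed Response (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: issuer, audience and the 'enrollmentId' attribute are
# hypothetical. A real Response would also carry an XML Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2013-10-28T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-28T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-10-28T11:55:00Z"
                     NotOnOrAfter="2013-10-28T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://insurer.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="enrollmentId">
        <saml:AttributeValue>ENR-0001</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

IDP = "https://idp.example.test/metadata"   # hypothetical identity provider
SP = "https://insurer.example.test/sp"      # hypothetical relying party


def parse_instant(value):
    """Parse a SAML xs:dateTime in 'Z' (UTC) form into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Apply the Conditions checks a SAML 2.0 Service Provider must enforce.

    Assumes the XML Signature has already been verified (xmlsec, not shown).
    Returns {"problems": [...], "subject": ..., "attributes": {...}}; an
    empty problems list means the assertion may be trusted.
    """
    root = ET.fromstring(xml_text)
    problems = []
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return {"problems": problems, "subject": "", "attributes": {}}
    a = assertions[0]

    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append("unexpected issuer %r" % issuer)

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        # Without Conditions the SP cannot bound lifetime or audience, so a
        # standards-conforming implementation rejects the assertion.
        problems.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            problems.append("assertion expired")
        audiences = [e.text.strip() for e in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if expected_audience not in audiences:
            problems.append("audience %r does not include this SP" % audiences)

    subject = (a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not subject:
        problems.append("missing Subject/NameID")

    attributes = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"problems": problems, "subject": subject, "attributes": attributes}


def strip_conditions(xml_text):
    """Build a non-standard variant of the Response with Conditions removed."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    a.remove(a.find("saml:Conditions", NS))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    now = parse_instant("2013-10-28T12:00:30Z")
    print(validate_assertion(SAMPLE_RESPONSE, IDP, SP, now))
    print(validate_assertion(SAMPLE_RESPONSE, IDP, "https://other.example.test/sp",
                             now + timedelta(hours=1)))
    print(validate_assertion(strip_conditions(SAMPLE_RESPONSE), IDP, SP, now))
```

The second call replays the same assertion an hour later to a different relying party and is refused for both expiry and audience; the third shows why a peer that omits Conditions cannot be supported by configuration alone, since a conforming validator has nothing to relax and the vendor is left changing the validation logic itself.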

Insurers told The New York Times that they have had problems receiving correct information on enrollees. In other cases, enrollment data is repeated, cancelled or lost.

Enrollment information is critical to the process, because it is what the Treasury Department will use to determine how much insurers are due in subsidies, according to The Times.

Quality Software Services Inc. (QSSI) built the identity management system HealthCare.gov uses to retrieve information on enrollees from government databases. The system has been a problem since the exchange opened Oct. 1, according to The Times.

Ping found that there was not enough time for discussions between technology professionals inside and outside the government. That made the absence of an agreed standard worse, Bradley said, because a standard would at least have given both sides a shared specification to build against.

On its own, Ping had to make major changes to its software in order to communicate with the government systems.

"We had to actually make standards and break the SAML protocol in our code to actually make it interoperate. It wasn't just configuration changes," Bradley said.

Following the custom work, Ping had only about a week to test the integration.

The complexity of the project is reflected in the fact that the government exchange involved a half million lines of code, which is five times more than what is in the typical computer system of a large bank, The Times said.

Given the size of the project and the fact that the government has many databases and applications built before SAML was introduced, it is not surprising that the standard was not followed, Pan Kamal, vice president for marketing and product management at AlertEnterprise, said. In such cases, custom software, called adapters or connectors, has to be developed to translate data into formats that legacy systems can read.

"It's almost unrealistic to assume that everybody will follow standards," Kamal said.

Nevertheless, not making additional time and resources available when standards cannot be followed is almost certain to lead to problems.

"In any type of a project this large, it can be an issue and it can be exacerbated to a certain degree if you introduce a lot of customized coding, as opposed to following something that's more standards based," Paul Trulove, vice president of product marketing for SailPoint, said.

Stories by Antone Gonsalves