Missing standards created integration struggles with HealthCare.gov

Missing integration standards were a major problem some insurers faced in connecting their software to the federal government’s online health insurance marketplace, which has been plagued by technical glitches, an expert said.

[Health care breach victims plummet]

How much the non-standard communications between computer systems contributed to the performance struggles associated with HealthCare.gov is not clear. However, one technology vendor said it had to break standards used in its identity management software deployed at several insurance companies.

“We actually had to make code changes to the software to accommodate the totally non-standard things that they were attempting to do,” John Bradley, senior technical architect for Ping Identity, said Monday.

“Whether or not those non-standard things ultimately introduce security vulnerabilities, we’ll have to have a good look at that once this settles down.”

For reasons unknown, the government did not follow an open standard data format, called SAML, for exchanging authentication and authorization data related to people signing up for health insurance through the federal website, according to Ping. Available since 2001, SAML, or Security Assertion Markup Language, is a key technology for authenticating people across computer systems.

Insurers told The New York Times that they have had problems receiving correct information on enrollees. In other cases, enrollment data is repeated, cancelled or lost.

Enrollment information is critical to the process, because it is what the Treasury Department will use to determine how much insurers are due in subsidies, according to The Times.

Quality Software Services Inc. (QSSI) built the identity management system HealthCare.gov uses to retrieve information on enrollees from government databases. The system has been a problem since the exchange opened Oct. 1, according to The Times.

Ping found that there was not enough time for discussions between technology pros in and outside the government. This exacerbated the problem of not having set standards to follow, since they would have provided some guidelines, Bradley said.

On its own, Ping had to make major changes to its software in order to communicate with the government systems.

“We had to actually make standards and break the SAML protocol in our code to actually make it interoperate. It wasn’t just configuration changes.” Bradley said.

Following the custom work, Ping had only about a week to test the integration.

The complexity of the project is reflected in the fact that the government exchange involved a half million lines of code, which is five times more than what is in the typical computer system of a large bank, The Times said.

Given the size of the project and the fact that the government has many databases and applications built before SAML was introduced, it’s not surprising that the standard was not followed, Pan Kamal, vice president for marketing and product management at AlertEnterprise, said. In such cases, custom software, called adapters or connectors, has to be developed to arrange data in formats that can be read by legacy systems.

[Wireless tech makes health care security a ‘major concern’]

“It’s almost unrealistic to assume that everybody will follow standards,” Kamal said.

Nevertheless, not making additional time and resources available when standards cannot be followed is almost certain to lead to problems.

“In any type of a project this large, it can be an issue and it can be exacerbated to a certain degree if you introduce a lot of customized coding, as opposed to following something that’s more standards based,” Paul Trulove, vice president of product marketing for SailPoint, said.