Thursday, 31 October 2013

Everything That's Wrong with HealthCare.gov

Everything That's Wrong with HealthCare.gov
Everything That's Wrong with HealthCare.gov, The HealthCare.gov launch did not go so well. Some people paid the website a visit only to be greeted by a blank screen. Others found error messages or talked to misleading call center reps or had their personal information compromised. The whole thing is borked, and everybody knows it.

It's been less than a month now since the much anticipated home for the Obama administration's healthcare exchange went online, and it's going to be at least another month before it actually works. The problems are by no means minor.

Reuters reports that hundreds of thousands of Americans could lose access to low-cost health insurance as a result of the botched launch. At this point, everybody's playing the blame game pretty hard. Health and Human Services Secretary Kathleen Sebelius blames the (too many) contractors who built the site. Obama blames himself. Americans, for some reason, seem to want to blame the girl in the stock photo on HealthCare.gov. But quite frankly we might never be able to find a single culprit.

So, as Bloomberg Businessweek commemorates the epic fail that was the Healthcare.gov launch with a wonderfully glitchy Obama cover, it's worth having a look how that fail actually happened.

Site Overload

It was bad from the beginning. On day one, people trying to access HealthCare.gov immediately hit a wall. Instead of displaying the many affordable care options available under Obamacare, the site read, sadly:

We have a lot of visitors on the site right now. Please stay on this page. We're working to make the experience better, and we don't want you to lose your place in line. We'll send you to the login page as soon as we can. Thanks for your patience!
Just keep staring at that blinking cursor, America!

Unfortunately, the contractors who built the site saw this coming... but didn't say anything. Just days before the launch, site tests showed that HealthCare.gov would crash after just a few hundred visitors. The nearly 10 million that showed up on launch date never had a chance.

Site Suicide

After the nightmarish bottleneck in the site's first days, Reuters asked a bunch of security experts what could be causing all the problems. The experts agreed that it wasn't just the traffic. The site's very architecture was to blame, specifically the fact that the site made users download an unruly amount of data just to log in. One expert counted 92 separate files and plugins—including 56 JavaScript files—that users had to download when they hit the "apply" button on HealthCare.gov. Another said that the amount of data passed back and forth was so intense, it made it appear "as if the system was attacking itself." So you know about distributed denial of service attacks? HealthCare.gov was effectively launching one against itself.

Glitchy Sign Up Process

If you were lucky enough to actually load HealthCare.gov in those first few days, you probably didn't make it very far. Glitches plagued the sign-up process. Some people reported that the site wouldn't recognize their log in or passwords—more on that in a second—while others happened upon error messages and "page not found" screens. At the very least, plenty of people complained that the site ran slowly. Meanwhile, the insurance companies that were receiving information from the exchange complained that they were receiving incomplete and duplicate applications. That all adds up to a lot of unhappy Americans.

Bad Customer Service

Whenever you muster up the courage to actually call a customer service hotline and endure the bad hold music, the last thing you want is to be told the wrong thing. Well, that's exactly what HealthCare.gov reps did. As early as October 8, the site's call center was telling people to reset their passwords to help alleviate the site's log in problems. But, whoops, that's not even true because call center reps were given the wrong script. Meanwhile, other people were being told to re-register completely, albeit with a new username since their old one was stuck in limbo somewhere. Sound convenient?

Data Center Outages

Last weekend, a data center powering HealthCare.gov experienced a failure and lost connectivity. The outage affected not only all of the Americans trying to sign up for coverage through the federal exchange but also people in the 14 states and District of Columbia who had set up their own exchanges. This one is arguably not the government's fault, though. Verizon's Terremark operates the data center and said the outage happened during planned maintenance. But surely, HealthCare.gov's crappy architecture didn't help.

Privacy Violations

So on top of all that nonsense, we've recently learned that HealthCare.gov is violating its own privacy policy. Security researcher Ben Simo spotted some trouble when trying to recover his username and password. For some reason, HealthCare.gov was sending his personal data to third party companies, including analytics services like DoubleClick and Google Analytics. Those companies have since said that they have no interest in this kind of data, but the very fact that HealthCare.gov sends it to them appears to be a violation of HealthCare.gov's own privacy policy: It promises that "no personally identifiable information is collected by these tools."

Security Risks

File this one under "avoidable errors." A memo dated four days before HealthCare.gov went live reveals that the government knew that the site had "inherent security risks," but it moved forward anyway. The memo also said that the site hadn't been tested enough, "exposing a level of uncertainty that can be deemed high risk." Personal data that people surrender to HealthCare.gov include birthdate, Social Security number and estimated income range; however, security researchers revealed how the gaps could reveal users' email address and allow hackers to take over entire accounts. Nevertheless, Secretary Kathleen Sebelius told a House committee this week that they went ahead with the launch because they had a "mitigation plan" in place. A little late for that now, Kathleen.

No comments:

Post a Comment