Investigating HealthCare.gov: What Went Wrong?

The media has been a firestorm of ‘glitchy’ reporting since the botched launch of the Obama Administration’s healthcare exchange marketplace, mainly because no one’s quite sure what did or didn’t happen.

If you missed it, the exchange’s Oct. 1st launch was mired in complaints, outages, and glitches. Many pundits and talking heads claimed that this was simply because of the enormous number of Americans who were all trying to log into the brand new system. But we dived into the code to figure out what was actually going on, and what we found was much more nefarious.

This is only the tip of the iceberg because the source code of the backend is not accessible, but the lack of optimization in the front end shows the overall low code quality.

The first step of the sign-up process is not optimized, and it is one reason for the server workload: https://www.healthcare.gov/marketplace/global/en_US/registration#signUpStepOne

[Image: CAST-healthcare-java-registration-page]

On this page, dozens of JavaScript files are loaded. Some of them are heavyweight and not properly optimized. These files are generally loaded in parallel with each other as the webpage loads, so instead of making one request, each user's browser makes 50+ requests, which overwhelms the server and crashes the site.

A big part of the problem is that nobody was monitoring the technical and structural health of this software as it was being built. That is absolutely essential in a complex, time-constrained project. Now the cost is just going to multiply (and as we know it’s already beyond $170m).

This is a perfect example of what can go wrong when you hire a private contractor and have no way of verifying the quality of the release.

There were also some additional issues reported in the media: duplicate users, data not loading for the security questions, error messages, etc. A lot of these glitches could be easily associated with a backend architecture that is not very robust.

There were also a handful of other errors that we uncovered:

Many pages were slow to load because they required the browser to fetch large custom font and typeface files.

[Image: 1-Font-Js-LargeWeight]

In some instances, when the JavaScript failed, the labels on the page wouldn’t update correctly and presented users with a very weird looking page.

[Image: 2-Wrong Text Injection]

Lastly, many users were seeing blank site pages or pages that weren’t loading correctly.

[Image: 4-Id Proofing Not available]

It was only when you turned on your browser’s developer tools that you could see the error.

[Image: 5- Random crash]
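
One way to measure the request count and the heavy script and font files described above is to export a HAR file from the browser's developer tools and summarize it. This is an added example, not code from the original analysis; the sample entries are constructed (example.test URLs) and the size budgets are assumptions.

```javascript
// Summarize a HAR (HTTP Archive) capture: requests and bytes per resource type,
// plus scripts and fonts over a size budget. Budgets below are assumptions.
const BUDGET_BYTES = { script: 100 * 1024, font: 50 * 1024 };

function classify(entry) {
  const mime = (entry.response.content.mimeType || "").toLowerCase();
  const path = new URL(entry.request.url).pathname.toLowerCase();
  if (mime.includes("javascript") || path.endsWith(".js")) return "script";
  if (mime.includes("font") || /\.(woff2?|ttf|otf|eot)$/.test(path)) return "font";
  if (mime.includes("css") || path.endsWith(".css")) return "style";
  return mime.includes("html") ? "document" : "other";
}

function transferSize(entry) {
  // bodySize is -1 when the browser could not determine it; fall back to content.size.
  const body = entry.response.bodySize;
  return body >= 0 ? body : Math.max(entry.response.content.size || 0, 0);
}

function summarizeHar(har) {
  const byType = {}, overBudget = [];
  for (const entry of har.log.entries) {
    const type = classify(entry);
    const bytes = transferSize(entry);
    const t = byType[type] || (byType[type] = { requests: 0, bytes: 0 });
    t.requests += 1;
    t.bytes += bytes;
    if (BUDGET_BYTES[type] !== undefined && bytes > BUDGET_BYTES[type]) {
      overBudget.push({ url: entry.request.url, type, bytes });
    }
  }
  overBudget.sort((a, b) => b.bytes - a.bytes); // largest offenders first
  return { totalRequests: har.log.entries.length, byType, overBudget };
}

// Constructed sample capture, not real HealthCare.gov data.
const mk = (url, mimeType, bodySize, size = bodySize) =>
  ({ request: { url }, response: { bodySize, content: { mimeType, size } } });
const sampleHar = { log: { entries: [
  mk("https://example.test/registration", "text/html", 20000),
  mk("https://example.test/js/app.js", "application/javascript", 400000),
  mk("https://example.test/js/util.js", "application/javascript", 30000),
  mk("https://example.test/js/validate.js", "text/javascript", -1, 150000),
  mk("https://example.test/fonts/brand.woff", "application/font-woff", 90000),
  mk("https://example.test/css/site.css", "text/css", 40000),
] } };

console.log(JSON.stringify(summarizeHar(sampleHar), null, 2));
```

Run against a real capture, the `byType.script.requests` figure is the per-user request count the article refers to, and `overBudget` lists the files worth bundling, minifying, or subsetting first.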

Ask any politician what’s the one thing that’ll win you an election, and they’ll tell you a sturdy base of voters to support you. The same holds true for application development -- if you ignore the underlying architecture it doesn’t matter what you put over top of it, eventually everyone will see the rusty and broken machinery lying underneath.

If you want to hear more about the problems plaguing HealthCare.gov and some ways it can be fixed, you can watch us break down the issues for CBS Evening News, PBS NewsHour, Democracy Now!, and Varney & Co on FOX Business.

Filed in: Software Analysis
Damien Choizit Managing Director, CTO