With the issues surrounding HealthCare.gov and the various contractors who played a role in its development, one question that comes to mind is: how many of the more than 50 companies contracted had an SSAE 16 (SOC 1) audit performed over the services they were providing?
This is important to know, and it could be part of the reason why the development effort appears to have fallen short of best practices.
The standard change management / development process should flow as follows:
1. Define the scope of the project or of the individual change / fix planned for development.
2. A committee reviews the request and development plan to validate its appropriateness, its priority, and any potential conflicts that could arise.
3. If approved, determine a high-level development plan including dependencies and interfaces, create test procedures to validate the change, and define rollback procedures.
4. Complete the development / coding required.
5. Developers and end users perform robust testing / QA based on the test procedures and on their normal use of the application.
6. The project manager or appropriate management personnel perform a final review and approve the change for promotion into production, or into the main branch of the application if multiple changes are being made concurrently.
7. Validate the functionality of the application post-implementation to further ensure no issues exist.
From the information currently available, it appears that in the rush to meet organizational goals and tight deadlines, steps 5-7 were performed hastily, leading to unexpected issues once the system went live. It has even been reported that basic alpha testing of the entire exchange ecosystem was barely completed before the rollout. This experience demonstrates more than ever that a properly controlled change management process, with a priority placed on testing, is key when performing development activities that affect the core functionality of an application. The complexity of this project only serves to highlight these basic, but often overlooked, steps.
Chances are that if the various contractors used to develop the Health Exchange had been audited regularly, these controls would have been given a higher priority within their respective organizations and performed accordingly, since skipping them would have put their next SSAE 16 audit at risk. That discipline might well have avoided the mess we are in today.
These miscues serve as a perfect example of why it matters to know, and to be comfortable with, the controls in place at a contracted third-party service provider. That assurance is what an SSAE 16 audit is intended to provide, and it is why these audits are so important in today's business environment. Keep in mind that an SSAE 16 report only covers the controls the service organization includes in its description of its system, so reviewing the scope of the report (and confirming that change management is within it) matters as much as the auditor's opinion.