GetInsured is the leading Health Insurance Exchange (HIX) Platform in service today. The mission of GetInsured is to improve the way people shop for Health Insurance. GetInsured offers a SaaS-based full service Exchange that powers the best health insurance e-commerce experience for consumers, employers and insurers. GetInsured solutions for employers, benefits consultants, and health insurers deliver a brilliant consumer experience, deepen engagement with end-users, and help to better control their healthcare costs. Their streamlined User Interfaces and innovative tools make Health Insurance shopping and enrollment very simple to implement for their partners, and effortlessly intuitive for consumers.
GetInsured’s consumers are able to personalize their shopping experience based on their specific health needs. Each year, millions of Americans use GetInsured’s tools to enroll in their choice of health insurance plans.
The applications on the GetInsured platform provide multiple e-commerce Health Insurance services to its subscribers and partners over the connected web. These applications provide enrollment and management services for Medicare and ACA related Plans, which are available in partnership with Insurance Exchange entities, across several geographies in the United States.
The GetInsured Platform must comply with Minimum Acceptable Risk Standards for Exchanges (MARS-E) Version 2.0 standard for its application services platform to meet the Security and Privacy standards for Exchanges. In addition, more Exchanges are demanding compliance with Federal Risk and Authorization Management Program (FedRAMP) standards while hosting the application in the cloud. GetInsured currently hosts these applications with a third-party co-location vendor, who was unable to provide a compliant hosting platform that met this standard. This resulted in increasing the process and cost overhead, resulting in increased Total Cost of Operations (TCO) burden for the business.
The critical business requirement was, therefore to host this platform on a compliant cloud, using a design template that would automate the deployment in the applications across multiple environments. It was deemed imperative that GetInsured applications leverage the native host services to meet the audit requirements of the MARS-E version 2.0 and the FedRAMP Standards.
The next important requirement was to have the ability to expand the scale of individual elements of the platform, based on the resource utilization triggers. This was needed so that the upfront cost to onboard was lowered when compared to the co-location platform’s upfront capital costs. In addition, the costs associated with running the platform were asked to be optimized as per the seasonally changing user demand.
The final business requirement was to have the environment migrated within a stipulated timeframe to be ready for the Open Enrollment season in the fall. This migration was to be accomplished with minimal downtime and meet a Recovery Time Objective (RTO) of 2 Hours while always being ACA and MARS-E compliant.
GetInsured and their partner team at Xoriant, evaluated multiple cloud providers to find the right compliance, security and performance providers for the platform. Keeping the regulatory requirements in mind, the available options were evaluated based on the following categories:
- Compliance, Security and Management of Risk
- Ease of migration and management of performance
- The Total Cost of Ownership, including the costs to maintain the service performance standards
AWS suite of services immediately stood out for the relative simplicity of use and comprehensive compliance standards that they conform to. Specifically, it made sense to use AWS API Gateway (APIG) to create front ends for the various applications that interface with a dynamic supplier and provider application landscape. Using the fully managed service made it easy to create, publish, maintain, monitor, and secure APIs at any scale, as needed.
When used in conjunction with the AWS-ELB service, the incoming application traffic is automatically distributed across multiple targets which may be on different EC2 instances. This service monitors all instances registered with it, and only routes to healthy targets.
AWS Lambda services are attractive economically since the platform does not incur a charge when the code is not running. Additionally, the service also performs header authorization before accessing applications thus alleviating the need to change or redevelop application code to perform necessary security authorization. However, to minimize the risk of migration, and to ensure that the migration is completed in the very tight timeframe, it was decided to use the Lambda services in the second phase, after the migration was done.
The backend Relational Database Service was provisioned on AWS-RDS to automatically scale with changing requirements.
Finally, the biggest advantage was the fact that AWS offered a version of its cloud in the form of GovCloud, which natively provided auditable compatibility with all of the required regulatory standards.
GetInsured chose to work with their strategic long-term partners at Xoriant to solution this migration and to implement it in the rigid timeline that the business needed.
Xoriant has been a technology partner of GetInsured since 2005. Xoriant’s teams have worked closely with GetInsured in developing, supporting, enhancing and testing the Health Insurance Exchange Platform. This platform is a services-based, loosely coupled system, designed with modern architectural principles and in accordance with the guidelines listed in the Affordable Care Act.
To achieve target efficiencies in regulatory compliance, security and performance, GetInsured and the Xoriant design teams made the decision to migrate the GetInsured Platform, from its co-located hardware infrastructure to AWS GovCloud.
The migration strategy was to use hybrid architecture during the process, so that the Database could be replicated to the cloud and set up in read-only mode. The system would then be switched to read-write mode when cutover to production. This way the cutover downtime could be completed within a 2-hour window, as mandated by the business.
The Xoriant team evaluated the Security Controls that were in place and updated them to conform to the new environment in AWS. The Xoriant team then put together a solution document, with the design stipulation that all components be updated to be deployed to AWS, to achieve compliance with the regulatory standards.
The technical design elements included the following:
- An authorizer using header information to validate the application gateway which is negotiating with the backend.
- An API-Key usage plan configured to ensure that it is validated by application.
- A Resource Usage policy at APIG level, that only permits a specific set of whitelisted IP addresses to communicate with the APIG over TLS 1.2 and TLS 1.1 ciphers. TLS 1.2 is the sole standard in use by APIG, when communicating with the Backend.
- A default-deny communication policy, such that all unauthorized communications are rejected, unless originating from IPs in the whitelist.
- Data encryption at rest for RDS instances.
Xoriant also created the necessary AWS CLI Scripts, which leveraged the native AWS to automate environment provisioning.
The new environment was designed using the native AWS component services, as follows:
Automation of deployment was implemented using IaaC (Infrastructure-as-a-Code) methodology such that the environment could be redeployed, with consistency, reliability, and efficiency.
The migration was first completed for the Dev environment, which was then followed by the completion of QA environment migration. The Production environment migration was the last one to be completed. All of the application services were successfully tested, before the cutover for each of the stages.
The subsequent stages of migration made use of the automation framework, set up during the Dev Environment migration. The Security standards were validated as per requirements through a proper audit exercise.
Business Outcome and Benefits
Besides meeting all of the business requirements for the hosted platform, the move to AWS achieved the following suite of additional benefits:
- Reduced TCO
The teams put together a deployment and scaling model leveraging the AWS primitives that lowered the upfront cost when compared to a co-location option. It also reduced the overall cost of ownership, by adjusting the scaleout according to seasonally changing service demands.
- Dynamic adoption and Ease of Scaling
Using the APIG allowed for the service applications to work with changing Service Provider and Health Insurer landscape. Using Utilization Triggers, the platform could now be dynamically scaled to meet requirements.
- Ease of Migration
The design template could now be used as a standard to provision or scale additional environments, like Dev, QA or Production.
About the Partner
Xoriant is an AWS, Advanced Technology Partner and a Technology Solutions provider. Xoriant operates in advanced technical solutions areas such as DevSecOps, DevOps, AI and Managed Infrastructure and Information Security services on all AWS platforms. Xoriant is based in Silicon Valley.
Ready to Get Started?