Wearable Tech: 5 Healthcare Wins

Tired of being a punching bag, Oracle Corp. is hitting back at the State of Oregon over claims that the software company and the contractors it provided were responsible for the failure of the state's health insurance exchange to produce a functioning self-service website.

According to the lawsuit filed Friday, the state has been using a smear campaign to deflect attention from its own project management failures -- particularly constantly changing, never-finalized requirements that sabotaged the software development process. In addition to suing for unpaid consulting and licensing fees, Oracle used the filing to defend its reputation. "When the press reported that the exchange was not accessible for consumer self-service on October 1, 2013, public officials chose not to give a measured, fully informed response," the filing says. "Cover Oregon and public officials could have done two things in the face of those press reports: (a) own up to the management and technical challenges they had encountered and commit to a plan for resolving them; or (b) blame someone else. They chose the latter, and they fixed their sights on Oracle."

Independent investigations have cited the state's excessive reliance on Oracle as the turnkey provider of software and consulting services for the insurance exchange as one of the underlying causes of project failure. The software infrastructure for the project included Oracle Policy Automation, Siebel CRM, as customized and combined through the Oracle Enterprise Architecture. However, the project's auditors also put a large share of blame on the state for the way it managed the project. One of the main points Oracle hammers home is that it never had either the authority or the responsibility to act as the system integrator on the project. Though Oracle was a major player in the project, it was not the only contractor or technology provider, and the accepted best practice would have been for all of them to report to an integrator that could have acted as the general contractor.

Figure 1:

The state elected not to hire a system integrator, instead choosing to assign that responsibility to its own personnel -- whom Oracle says were not up to the challenge. Project oversight responsibilities were actually split among several state organizations -- and shifted partway through the project from the Oregon Health Authority to the Cover Oregon organization created to run the exchange -- adding further confusion.

[Long-distance healthcare: A cure for many ills? Read Telehealth Gains Momentum In Obamacare Era.]

"Without a fixed scope for the project -- the equivalent of architectural blueprints -- no contractor could reasonably be expected to agree to work on a fixed-fee basis," Oracle states. Only the state organizations "could resolve the uncertainties regarding the overall scope and structure of the massive project, and because only Cover Oregon and the state agencies could demand changes in the project, those entities properly bore the inherent risks associated with failing to resolve them in a timely way."

Oregon Gov. John A. Kitzhaber, MD, has called for the state to sue Oracle, alleging that sloppy work by its contractors was a major cause of the insurance exchange's downfall. However, an analysis of the legal issues by The Oregonian newspaper concluded that Oregon would face an uphill battle to make the charges stick in court. Oracle also notes that the state has yet to file a lawsuit, suggesting that Kitzhaber's bluster is mostly about politics and public relations.

An enthusiastic backer of the expansion of access to health insurance under the Affordable Care Act, Kitzhaber made Oregon one of the first states to commit to creating its own online health insurance exchange and set ambitious goals for the project. Yet even though several other states that built their own insurance websites also failed to live up to expectations, Oregon alone failed to process a single self-service application online (instead funneling all applications through intermediaries). The federal HealthCare.gov exchange also failed to perform adequately for months after open enrollment began in October 2013, but it recovered in early 2014 after an intensive rescue by a SWAT team of developers.

Oregon now plans to abandon the online system created by Oracle and rely primarily on HealthCare.gov to provide the health insurance exchange services for its residents when open enrollment resumes in November.

Oracle claims that it didn't have to be that way. "By February 2014, a health insurance exchange website existed that included the citizen self-service functionality," Oracle's filing claims. "Cover Oregon did not disclose that information to the public and did not open the working self-service portal for individuals, for unexplained reasons of its own." State officials have said the software was still too buggy for public release and never rose to an acceptable level of quality.

The real bone of contention is over the cause of the bugs and the general dysfunction surrounding the project. Oracle leans heavily on reports filed while the project was under way by Maximus Inc., a contractor that the state retained specifically to monitor the project and the risks associated with it. Maximus kept reporting that the project faced a high risk of failure, and that state officials were not coordinating their oversight effectively.

In one section of its legal complaint, Oracle particularly points to infighting between the Oregon Health Authority (OHA) and Cover Oregon (CO):

For example, at one point, the OHA's chief information officer complained to Oracle personnel that Cover Oregon's efforts were "becoming highly disruptive to the Modernization effort," and that her team felt "they are being run over" by Cover Oregon. As a result, one organization would make decisions without taking account of implications of that decision for the work being performed for the other organization; the result was

Next Page

often duplication of effort and rework. That dysfunction endured throughout the project. As late as mid-September 2013 -- just two weeks before the start of the federally mandated open-enrollment period -- Maximus issued a report in which it observed that the overall "business transformation/integration between OHA and CO is not being tracked like a formal project. Typically a project of this size would have specific governance reporting, charter, scope, tasks, milestones, deliverables, and deadlines for the interagency work that is to be accomplished both operationally and technically." The risk Maximus identified that flowed from this was that Cover Oregon could not be sure that the project would be implemented in the expected timeframe.

State officials also seemed incapable of defining requirements for the project and sticking to them, or even understanding that it had taken on that responsibility, according to Oracle. In May 2013, Cover Oregon's then-executive director, Rodney King, acknowledged the need for better definition of requirements -- and asked Oracle to nail them down, according to the filing. "This request was an extraordinary one: Cover Oregon was the owner of the project and therefore responsible for making decisions about what the exchange would and would not do. The parties' contracts made it abundantly clear that Oracle had no role in establishing the functional requirements for the exchange, and Cover Oregon should have finalized them long before May 2013."

Yet Oracle says that, in mid-July, a little more than two months before the planned launch of the Oregon exchange, it made a presentation to the state saying that the continued lack of complete requirements was preventing it from performing end-to-end testing on the system. Further change requirements were still creeping into the project as little as two weeks before the planned launch, Oracle says.

In addition to changing requirements, Oracle says the project was subverted by a lack of project discipline in changes to the actual code. "Oracle software developers found themselves asked to perform on-the-spot code changes to meet ad hoc requests from Cover Oregon employees (a phenomenon Cover Oregon's chief technology officer himself acknowledged was 'short-circuiting our processes'), and at least one Cover Oregon employee attempted to implement his own changes to otherwise final code," according to the filing. Actually, Oracle points a finger at Cover Oregon CTO Reynolds Garrett himself, quoting from an email exchange between him and Oracle's chief corporate architect, Edward Screven.

"Oracle employees on site in Durham report that in a meeting today you stated that you now have Siebel Administrator privilege, and you have used that privilege to directly make environment and application changes to the production environment," Screven wrote. "Is this correct?" He went on to emphasize the need to follow an agreed-upon change management procedure, emphasizing the degree of expertise required to reconfigure the system and the danger that even experts can make mistakes.

Garrett testily replied: "I thought Cover Oregon paid for and owned the system...."

Oracle said that exchange was typical of the working relationship with state officials.

Yet Oracle seemed to take the side of state officials in another section of the filing, saying that they had also been unfairly scapegoated by the governor in his search for someone to blame. "The failure to deliver a working citizen self-service portal on October 1, 2013 was a political embarrassment for Governor Kitzhaber, who immediately looked for places to lay the blame. Among those who have lost their jobs at OHA or Cover Oregon over this project are Carolyn Lawson, OHA's chief information officer; Rocky King, Cover Oregon's executive director; Bruce Goldberg, Cover Oregon's iInterim executive director; Aaron Karjala, Cover Oregon's chief technology officer; and Triz delaRosa, Cover Oregon's chief operating officer. Carolyn Lawson was the first to go, and after destroying her professional reputation, the Governor quickly turned his sights on Oracle, and he set out systematically to vilify the company in the media."

Noting that Lawson "refused to accept her scapegoating quietly," Oracle quotes from a section of her own legal filing against the state in which she claims she was pressured into resigning by state officials who warned, "Somebody has to be held to blame for this -- it's going to be Rocky [King], or it's going to be Oracle, or it's going to be you. We want it to be Oracle, but it can be you if you want" (emphasis added by Oracle's lawyers).

In a statement to The Oregonian, Kitzhaber spokeswoman Melissa Navas said Oracle's action came as no surprise. "The State fully expected to end up in litigation over Oracle's failure to deliver. The Attorney General's Office will review the complaint filed by Oracle and continue to pursue legal remedies on behalf of the State," she said. Lawsons's lawyer didn't immediately respond to an InformationWeek request for comment.

Cyber criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Get the Advanced Attacks Demand New Defenses report today (free registration required).