You need to add to your seat of the pants concept how the government is going to control the payment of subsidies to prevent fraud. Those result in direct payments from Federal fisc to insurance companies....
Right now the Federal system is doing that for everybody, Healthcare.gov and all the state exchanges (single point of failure as Verizon's goof demonstrated). In theory insurance companies will get access, but it's said to be a very low priority.
Then there's, oh, the straight out fraud problem, i.e. you sign up, pay your first payment, then come January you or one of your fellow enrolees find out when you try to get services or prescriptions, the insurer you thought you signed up with has never heard of you. That pretty much requires starting at a blessed government site, I don't think your stopping at a government booking site would work since that could be spoofed, right? So could close the loop snail mail confirmations from insurers.
That's why each plan has a GUID. This GUID would be authenticated when you go to healthcare.gov. They would not let you purchase a plan that does not authenticate. They are the ultimate authority and filter. They'd also handle details such as subsidies, etc.
In addition to that the transaction from healthcare.gov would, of course, ultimately reach the actual insurer who would have to further authenticate it, communicate with you and possibly also send some kind of an ACK to healthcare.gov.
The process could be full circle with many layers of confirmation and verification. This does not need to be overly complicated.
The idea is that the free market would handle the implementation of the massive first layer of a national system such as this one. Get government involved only where and when absolutely necessary.
How will people reliably get to healthcare.gov from a friendly scammer's web site...? The system has to be built for ordinary people who seldom if ever look at URLs unless entering them.
For your second point, I posit a scammer simulating all of that, right down to sending out authentic looking enrollment snail mail. Or just disappearing after getting your first, up front payment.
My point here is that we need something like what you describe in your last paragraph, with people like you putting on white hats to design the system and people like me putting on black hats to break it in principle. And of course trading hats as we see fit, etc. This most damning article yet, from the Washington Post, points out how unopen, often the point of secrecy, the process was, even to the point of suppressing release of architecture diagrams to the state exchanges: http://www.washingtonpost.com/politics/challenges-have-dogge...
Yes, yes, I agree. This isn't difficult. Right. I mean, here are two guys talking it out. Imagine if you put together a dozen real experts, took them to a nice resort for a week and tasked the with coming out with a complete definition covering architecture, operations and penetration/scam testing. It isn't like we are trying to build a Star Trek transporter. There is nothing about this that we don't have a pretty good handle on. And that's kind of my point. The government is and was the worst possible project leader for something like this. It isn't that complicated.
As I said in my opening to the prior post. I know it's full of holes. At the same time, I know it would be a million times better than what we have now and it would probably cost $595 million dollars less.
Works great until that group includes, even if by proxy, someone from IRS IT.
Have you ever dealt with any of them? I suspect not, for it's in my experience unforgettable, and unique compared to every other governmental IT person I've ever dealt with.
See this diagram drawn from the first set of hearings:
I have no idea what HHS's computer systems role in this is ... well, tracking, I suppose. Healthcare.gov is for managing enrollment in plans; does it's remit even include knowing who has what at the moment?
"SSN" is I assume the Social Security Administration, and I also assume is to verify citizenship.
IRS in theory has all the relevant income data and is the non-criminal enforcer.
Equifax is also used for income verification, suggesting IRS isn't up to delivering all that's needed, or not reliable enough. Not part of the government, fortunately!
Right now the Federal system is doing that for everybody, Healthcare.gov and all the state exchanges (single point of failure as Verizon's goof demonstrated). In theory insurance companies will get access, but it's said to be a very low priority.
Then there's, oh, the straight out fraud problem, i.e. you sign up, pay your first payment, then come January you or one of your fellow enrolees find out when you try to get services or prescriptions, the insurer you thought you signed up with has never heard of you. That pretty much requires starting at a blessed government site, I don't think your stopping at a government booking site would work since that could be spoofed, right? So could close the loop snail mail confirmations from insurers.