Banner
Healthcare

Access Engineering Application Audit

Delivering a comprehensive 8-week audit of 88 Ruby/Rails microservices processing 600–700K daily prior authorizations, producing a prioritized reliability, performance, and HIPAA compliance remediation roadmap.

88 Microservices Audited: Fully mapped and dependency-analyzed across three platform domains

700K+ Daily Prior Auths: Peak volume processed by the audited platform

8 Weeks Full Assessment: Architecture, reliability, security, and compliance delivered

HIPAA Risks Identified: PHI exposure, race conditions, and reliability gaps surfaced

Project Overview

Industry: Healthcare

Region: USA

Project Size: Enterprise Platform Audit — 88-Service Architecture

Time Frame: 8-Week Assessment Engagement

Technology Stack

Ruby / Rails
PostgreSQL / SQL Server
Sidekiq / Redis
React + TypeScript
Datadog / PagerDuty
Jenkins / GitHub Actions

The Challenge

Auditing a Mission-Critical Healthcare Authorization Platform

A leading healthcare technology platform — 88 Ruby/Rails microservices processing 600–700K prior authorizations daily at peak — had never undergone a formal comprehensive architecture audit. Operating across three primary domains (Portal, Payer Integrations, Pharmacy Services), the platform carried undocumented reliability risks, no end-to-end distributed tracing, inconsistent monitoring standards across 13 engineering teams, no production-like test environment, and active HIPAA/PHI compliance exposure. With a planned migration to Azure and Kubernetes on the horizon, leadership needed a complete evidence-based assessment before any transformation began.

Transformational Results

First Comprehensive Platform Assessment

We delivered the first-ever end-to-end architectural assessment of all 88 microservices in 8 weeks — covering reliability, performance, HIPAA compliance, and security. The engagement produced a full PA lifecycle map (19/20 steps code-confirmed), surfaced an active PHI exposure in production event payloads, identified critical reliability gaps in high-volume processing paths, and delivered a prioritized remediation roadmap giving engineering and leadership an evidence-based foundation for the upcoming Azure and Kubernetes migration.

Audit Delivery

Completed end-to-end assessment of all 88 microservices across 8 focus areas in 8 weeks

Delivered a prioritized remediation roadmap covering reliability, performance, security, and HIPAA compliance

Produced full architectural documentation including end-to-end PA lifecycle map with 19/20 steps code-confirmed

Critical Risk Identification

Identified active PHI exposure in the retrospective_pa_created event payload travelling over Azure Service Bus to 4 subscribers, flagged RED for immediate remediation

Surfaced ePAmotron retry logic gap and circuit breaker absence on RxService → Claims path as critical reliability risks

Documented CMM2 multi-writer race condition across 5+ services with no transactional coordination

Challenges & Solutions

Mapping 88 Services Without Existing Documentation

Problem

No comprehensive architectural documentation existed for the 88-service platform — understanding dependencies, data flows, and failure modes required reconstructing the full architecture from code, APIs, and engineering interviews.

Solution

Systematically analyzed each service's inputs, outputs, database interactions, and cross-service dependencies through code review, Confluence documentation, and structured workshops with 13 engineering teams.

Impact

First-ever documented architecture map of the complete Access Engineering platform

Identifying PHI Compliance Exposure Across Distributed Services

Problem

PHI data flows across 88 services with no centralised compliance documentation, making it impossible to assess regulatory exposure without systematic service-by-service analysis of all event payloads and data paths.

Solution

Conducted systematic PHI data flow tracing across all services, identifying an active exposure in the retrospective_pa_created event payload carrying patient DOB, name, and prescriber NPI across Azure Service Bus to 4 subscribers.

Impact

Active HIPAA risk (RSK-PHI-01) surfaced with specific code evidence and immediate remediation guidance

Reliability Risks in 600–700K Daily Volume Processing

Problem

At peak, the platform processes 600–700K prior authorizations daily. At this volume, retry logic gaps and absent circuit breakers were critical reliability risks that had never been formally documented.

Solution

Identified ePAmotron silent failure on dead-strategy PAs and RxService → Claims path reliability gap through systematic code review, producing specific engineering recommendations with file and line-level evidence.

Impact

Critical reliability risks surfaced and prioritized in the remediation roadmap before Azure migration begins

Portal-Services Behavioral Contradictions

Problem

Inconsistencies between portal-facing behavior and backend service logic created unpredictable outcomes for prior authorization requests — but had never been formally documented or communicated across engineering teams.

Solution

Produced a dedicated Portal-Services contradiction memo identifying specific behavioral mismatches with root cause analysis, code evidence, and recommended resolution approach for each inconsistency found.

Impact

Contradictions formally documented and incorporated into the engineering remediation roadmap
