Oscar Health – A new Kind of Health Insurance Company, Powered by AWS

As part of a trip to New York last month, I paid a visit to the headquarters of Oscar Health to learn more about what they do and how they use AWS. I sat down with Brent Langston (Site Reliability Engineer) and Mackenzie Kosut (Head of Technical Operations) to learn more.

All About Oscar
Oscar Health is the first new, for-profit insurance company founded in New York in the last 15 years. They are in a unique position as an insurance company that is driven by technology, data, and design.

Oscar aspires to revolutionize a $3 trillion industry by changing the paradigm typically associated with the standard health insurance experience.  Organized in the summer of 2013 and targeting January 1st 2014 as the go-live date for the website and the backend systems Oscar was able to leverage AWS to have their site live in October and insurance services available for enrollment in January 1st, 2014.

Empowered and inspired by the Affordable Care Act, the founders of Oscar Health took a different tack. Oscar Health is focused on individual member engagement, with incentives for being healthy, being active, and taking preventive measures to maintain and improve health. Although the services are completely personalized for each member, they are driven by data and information available at the intersection of members and providers.

Members can search for symptoms on the site’s home page and seek treatment with a couple of simple and intuitive clicks:

The goal is to inform and empower Oscar members so that they make better health care related decisions in as timely a manner as required. These insightful tools allow members to achieve better outcomes with the aim of reducing the associated cost of health care. Members can also choose from an array of doctors and other providers; making data-driven decisions based on large data sets aggregated across providers and care data:

The platform provides the member personalized charts and health care data to allow for higher quality care decisions. Oscar currently supports members in New York state and New Jersey, with plans to expand to other states.

AWS in Action
Our conversation then shifted to a discussion of the AWS infrastructure that allows them to do all of this. They currently make use of the following services:

• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon Route 53
• Amazon Simple Storage Service (Amazon S3)
• Amazon Virtual Private Cloud (Amazon VPC)
• Amazon Redshift
• Amazon Relational Database Service (RDS)
• Amazon ElastiCache
• Amazon CloudFront

Their EC2 instances run CentOS. A process automatically maintains their main AMI image with common services and libraries. There’s a single AMI that self-configures on startup with Ansible, driven by tags on the instance which define primary role, secondary role, pool, environment, and other attributes. This step takes about 60 seconds; after it completes the server uses service discovery (powered by Consul) to announce itself into the appropriate cluster. They only use newer instances types that support AES instruction set for encryption. To help contain sensitive data, each mount point on the instance is remounted through LVM including common write locations such as /var/log.

Brent and Mackenzie use Route 53’s latency-based routing to route traffic to EC2 instances in multiple regions. This allows them to keep the site responsive during traffic surges due to annual enrollment.

They shared a great AWS Trusted Advisor success story with me. After using it for one hour, they were able to tune their CPU and Provisioned IOPS usage and to effect a 20% savings.

They asked me to encourage our development teams to support more than 10 tags per instance, and to continue to qualify additional parts of AWS for use in HIPAA-compliant environments. They are also interested in ways to implement IPSEC encryption between instances in turnkey fashion.

ChatOps
I learned that they practice an operational model that has come to be known as ChatOps (this has been described as DevOps meets IM or conversation-driven development). Oscar uses HipChat as their communication tool, with separate channels for each change, break, fix, and issue. A bot named Grouchy listens for commands; he knows how to handle credential management, VPN provisioning, and code deployment, all built around various AWS APIs.

Credential Management
We wrapped up by chatting about a unique credential management tool that they had built (and were thinking about open sourcing). They built a distributed, encrypted, key/value store that they use to store secrets, complete with an AWS-like APIs and access control model. The system pushes a token to production servers; the token allows the server to request credentials, which are then atomically injected in to either a running process or stored in a local file, as appropriate.

I wrapped up my chat, bundled up (it was below freezing in New York), called for a ride, and headed back to the airport.

— Jeff;

PS – If you’re interested in learning more about how Oscar Health is humanizing healthcare, be on the look out for upcoming Oscar/AWS presentations in NYC!