Mainza Kangombe · 13 hr ago · 4m read

The Hardest Part Isn't the Technology

Healthcare is a system that pays claims first and asks questions later.

It's called "pay and chase." You write the check. Then you hire people to chase the fraud.

Chase works about 3% of the time.

We decided to build something that doesn't chase. Something that stops the payment before it leaves the door.

That was the easy part.


The Intercept

InterSystems IRIS for Health processes FHIR claims in real time. Every hospital, every clinic, every transaction passes through it.

We built a hook. A piece of software that doesn't block the claim — but reads it. Analyzes it. Decides if it should wait.

The three tiers ask different questions:

Does the clinical note match the billed code? (NLP similarity.)

Does this billing pattern look like an anomaly? (PyTorch autoencoder.)

Does this provider have suspicious connections? (NetworkX graph analysis.)

Three questions. One answer: hold or pass.

The AI runs inside the database. No data leaves. No PHI touches a cloud API. Privacy is not an afterthought — it's the architecture.


What We Got Wrong

First version worked. But "works" and "production" are different languages.

We stored passwords with HMAC-SHA256. Fine for a demo. Not fine for a system handling real healthcare transactions. The vulnerability wasn't theoretical. It was architectural.

We had an event loop that crashed under concurrent load. The code worked until it had to work all the time. Then it broke.

We had an unbounded cache. It grew until the container ran out of memory. You don't notice until 3 AM.

The queue had no locks. Two workers could grab the same claim. Both would adjudicate it. One would overwrite the other. Data corruption in a healthcare database is not a "rollback and retry" — it's a compliance incident waiting to happen.

We shipped v1. Then we fixed v1.


The Hardening

This release (v2.3.0) is not about new features. It's about grown-up software:

PBKDF2 for passwords. 100,000 iterations. Random salt. Legacy hashes upgrade themselves on first login. The user doesn't notice. The attacker does.
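An added example of that verify-and-upgrade flow in Python; it is not code from the post or from the ClaimAuditAI project. The legacy record layout (a keyed HMAC-SHA256 hex digest), the server-side key and the `$`-separated field format are assumptions, and the example goes slightly beyond the post by also re-hashing PBKDF2 records whose stored iteration count is below the current setting.

```python
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ITERATIONS = 100_000   # iteration count named in the post
SALT_BYTES = 16               # random per-user salt

# Assumed legacy record layout (not from the post): a keyed HMAC-SHA256 hex digest
# with a server-side secret; the secret below is a constructed demo value.
LEGACY_KEY = b"constructed-demo-server-secret"
LEGACY_PREFIX = "hmac-sha256$"
PBKDF2_PREFIX = "pbkdf2-sha256$"


def legacy_hash(password: str) -> str:
    """The old, fast scheme: one keyed hash, no per-user salt, no work factor."""
    mac = hmac.new(LEGACY_KEY, password.encode(), hashlib.sha256).hexdigest()
    return LEGACY_PREFIX + mac


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """New scheme: PBKDF2-HMAC-SHA256, random salt, iteration count stored inline."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login attempt against the stored record.

    Returns (ok, record_to_persist). When the login succeeds against a legacy
    record, or against a PBKDF2 record whose iteration count is below the
    current setting, the returned record is a fresh PBKDF2 hash the caller
    writes back; otherwise the stored record is returned unchanged.
    """
    if stored.startswith(PBKDF2_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(dk.hex(), dk_hex)
        if ok and int(iters) < PBKDF2_ITERATIONS:
            return True, pbkdf2_hash(password)      # bump the work factor
        return ok, stored
    if stored.startswith(LEGACY_PREFIX):
        ok = hmac.compare_digest(legacy_hash(password), stored)
        return ok, (pbkdf2_hash(password) if ok else stored)
    return False, stored                             # unknown format: reject
```

A failed attempt never triggers a rewrite, so the legacy record is only replaced once the user has proven the password; the caller persists the returned record whenever it differs from what was stored.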

UnknownUser no longer has superuser privileges. Every role is explicit. Every SQL schema is locked down. The principle of least privilege is not a suggestion.

The queue uses atomic transactions and node-level locks. Two workers cannot touch the same claim. The database stays consistent.

The cache is bounded. 500 entries. LRU eviction. No memory leaks at 3 AM.

The event loop uses asyncio.run(). Clean. Simple. Works under load.

108 tests. Every single one passes. 18 frontend tests. 11 end-to-end stages. All green.


What This Means

Healthcare fraud costs the US $68 billion per year.

That's not a typo.

Pre-payment audit catches fraud before the payment is made. You don't chase. You prevent.

This system runs on a $0-license community edition database. It doesn't require Kubernetes. It doesn't require a fleet of microservices. It runs inside the same process that handles the FHIR transaction.

One container. Three AI engines. Real-time interception.

The barrier to entry for payment integrity has been cost. The licensing. The infrastructure. The team of data scientists needed to build and maintain the models.

We removed those barriers.


A Note on Persistence (Personal)

I started building ClaimAuditAI because healthcare billing is broken. The incentives are wrong. The system assumes trust and then hires auditors to deal with the outliers.

That's backwards.

But building inside a database is hard. Not the code — the ecosystem. InterSystems IRIS is powerful. It's also different. The learning curve is vertical. The documentation assumes you already know what you're doing. The community is small.

Many times I hit a wall. A compile error that made no sense. A FHIR extension that validated in one environment but not another. An IRIS process that crashed and gave me nothing but a stack trace in a language I was still learning.

I kept going because healthcare needs this. Not my software specifically — the approach. Real-time, pre-payment, privacy-preserving AI audit that runs inside the transaction loop.

Not bolted on. Baked in.


The Next Step

The system is ready. Not for a VC pitch — for a hospital system. For a payer. For anyone who processes claims and wants to stop paying fraudulent ones.

The code is open. The documentation is published. The tests pass.

The next step is adoption.


Payment integrity should happen before the check is written, not after.