Modernized Web Portal for Healthcare (PBM)

Overview

Designed and led delivery of a modern, self-service web portal for PBM customers, built on a serverless, highly available AWS architecture. The portal supports PBM hierarchy-based data access control and enforces granular permissions at two layers: (1) feature-level controls in the frontend UI and (2) route-level authorization for every API call.

A key requirement was modularity: individual features had to be developed and deployed as plug-and-play modules that could be enabled or disabled per customer without rebuilding the platform. We implemented a microfrontend strategy using Single SPA, allowing independent module bundles (React + Material UI) to be composed at runtime by a shell application, based on tenant configuration.

The platform also exposes a secure API surface for machine-to-machine (M2M) integrations so client systems can connect directly with PBM capabilities. Authentication is handled with Amazon Cognito for both users and M2M app clients, while a reusable API Gateway custom authorizer enforces permissions using PBM hierarchy rules stored in MongoDB. Observability was implemented via Datadog RUM for real-user monitoring in the browser, and CloudWatch-backed telemetry for serverless services.

The end result is a scalable, maintainable portal that enables rapid feature rollout, customer-specific enablement, and consistent security controls aligned with HIPAA expectations.

What Was Delivered

  • Single SPA shell + microfrontends (React + Material UI) for feature isolation and independent deployments
  • Module-specific serverless APIs (Lambda) behind API Gateway with consistent route authorization
  • Generic API Gateway Custom Authorizer supporting both user JWTs and M2M tokens
  • Tenant-based module enablement (feature flags) and PBM hierarchy-aware access control model
  • Async patterns using SQS and event streaming via Kafka where required
  • CI/CD pipelines using GitHub Actions and AWS CodeBuild
  • Monitoring: Datadog RUM for frontend, CloudWatch logs/metrics for backend

Key Challenges & Solutions

  • Pluggable base architecture:

Implemented microfrontends with Single SPA and module-specific Lambda APIs. Each module can be deployed independently and enabled per tenant via configuration.

  • Unified authorization for users + M2M integrations:

Built a reusable API Gateway custom authorizer that validates JWTs, loads permissions/hierarchy from MongoDB, generates an IAM policy, and caches results per token for performance.

  • Granular access control aligned to PBM hierarchy:

Designed a permissions model that gates UI routes/components and independently authorizes backend endpoints, preventing privilege escalation even if UI checks are bypassed.

Architecture & Technology

  • Frontend: React, Material UI, Single SPA (microfrontends)
  • Backend: AWS Lambda (serverless) + Node.js
  • API Layer: API Gateway + Custom Authorizer
  • Auth: Amazon Cognito (users + app clients for M2M)
  • Hosting: S3 + CloudFront
  • Messaging/Events: SQS, Kafka
  • CI/CD: GitHub Actions, AWS CodeBuild
  • Observability: Datadog RUM, CloudWatch

Security & Compliance

Designed with HIPAA-aligned controls in mind: strong identity boundaries (Cognito), least-privilege access patterns via IAM policies produced by the custom authorizer, encrypted transport, and audit-friendly logging/telemetry.

Outcomes

Delivered a fully functional PBM customer portal with granular permissions, self-service capability, customer-specific module enablement, and a secure M2M integration layer.

Skills

  • AWS Lambda
  • Amazon API Gateway
  • Amazon Cognito
  • Serverless Architecture
  • React
  • Single SPA
  • Microfrontends
  • Node.js
  • Material UI
  • S3
  • CloudFront
  • Custom Authorizers
  • IAM
  • SQS
  • Kafka
  • CI/CD
  • Datadog RUM
  • HIPAA