MEDNET NEWS

June 9, 2008

HIE: Health ID Exchange? Ohio is a Test Bed for Identity Management

by John Moore — published on June 9, 2008

Columbus-based eHealth Ohio launched a test project two years ago and continues to explore what is still an emerging field. The health information exchange's interest in identity management comes as the health care industry grapples with ways to securely share clinical and research data among numerous parties. The problem is especially acute for HIEs because the organizations try to link numerous hospitals, clinics, payers and physicians in a given region.

Richard Moore, president of eHealth Ohio, cited identity management as the weakest link in information exchange. "Until we really have a very standardized and very easy way to administer identity management, it will be very difficult for us to identify all the parties that are needed to participate in a health care transaction," he said.

The task of verifying the identities of those parties, known as authentication, was a key early focus for eHealth Ohio. The identity management project also involves single sign-on technology and role-based access control. Although work continues, the organization's guiding principles emphasize adherence to standards and the use of open-source software.

Richard Mackey, vice president of consulting at System Experts, a security and compliance consulting firm, said the Health Insurance Portability and Accountability Act (HIPAA) contributes to the need for stronger identity management.

"The underlying principle is people should only have access to information that they absolutely need for a business purpose," he said.

Getting started
In 2006, eHealth Ohio was among a handful of sites participating in an authentication pilot project launched by the General Services Administration and the Healthcare Information and Management Systems Society (HIMSS). The project sought to determine whether the security and identity management infrastructure used in the federal government's E-Authentication initiative could work in the HIE environment.

"The first phase of our project was to see if we could use the GSA model for authentication and use [public-key infrastructure] to determine who the individual is coming into the network," Moore said.

The project tapped the federal government's PKI system, which uses encryption to protect transactions. Similarly, pilot sites used GSA's E-Authentication Service Component rather than building their own authentication infrastructure.

John Fraser, Chief Executive Officer of MEDNETWorld.com, said the project demonstrated that the "community was ready to use PKI security technologies for clinical information exchange." He added that GSA's involvement raised the participants' comfort level.

Federated single sign-on
In 2007, eHealth Ohio moved to the second phase of its identity management program. It focused on federated single sign-on, an approach that lets an individual use one authentication method to access resources in multiple places. Specifically, the HIE turned to Shibboleth, an open-source software package for single sign-on within or across organizations.

Federated single sign-on addresses one of the primary challenges of identity management in health care: the need to obtain information from multiple systems.

Physicians and emergency medical professionals, for example, "need to access different systems…to get their work completed," Fraser said. "Today, they have multiple user names and passwords or carry RSA [Security] fobs or use a combination thereof and have to log in and out of all the different systems during the day."

Fraser said eHealth Ohio began working with MEDNETWorld.com in Phase 2 of the pilot project. The company, which provides a federated ID management service, built a backbone system that spanned several locations in two states. The sites included MEDNETWorld.com in Minnesota's Twin Cities area; the Community Health Information Collaborative in Duluth, Minn.; and eHealth Ohio in Columbus.

The organizations used the network to test a physician referral system. Authorized employees could access the system regardless of their location and view summary patient information, Fraser said.

The system consisted of identity providers and service providers linked via the Internet, with PKI technology securing the communications. In a federated environment, an identity provider maintains user information and authenticates users on behalf of one or more service providers.

MEDNETWorld.com served as an identity provider, using Shibboleth technology. The Community Health Information Collaborative and eHealth Ohio acted as service providers, also using Shibboleth software. When the identity provider authenticated a user, the authentication data traveled to the other network participants, who then used that information to grant access to applications and data. That way, one authentication method satisfied multiple service providers.

"We created a multistate health information exchange using this advanced PKI security and privacy technology," Fraser said. "It demonstrated how easy it is to exchange health information across state lines."

Role-based access control
Once users have been authenticated to enter a network, they need to be authorized to access particular resources. Accordingly, eHealth Ohio began exploring role-based access control last year. That security mechanism allows organizations to define roles based on job functions and assign access rights to those roles.

Moore said eHealth Ohio officials had hoped the Healthcare Information Technology Standards Panel would offer more guidance than it has.

"They didn't clearly define which roles they wanted to focus on, so we just began looking, for our own purposes, for what specifically we needed," he said.

The organization needed a set of health care roles that would work with its single sign-on project. However, most Shibboleth deployments to date have been used for university library systems.

"We took that model and said, 'OK, we've got a tool that has been built to get to specialized collections, so how can we take that idea and transfer it over into health care where we have just myriad different roles?'" Moore said.

That's not a simple task, John Fraser said, because the basic technologies of federated identity management are fairly mature, but role-based access is not.

Officials began looking at various models in the health care industry that could be used to define roles and uncovered commonly used codes that define different types of health care providers. The next step was to compare those codes to the HIPAA provider taxonomy codes, which describe provider categories ranging from emergency medical services to endocrinology.

Officials concluded that HIPAA coding was the best starting point for developing an initial list of roles, Moore said.
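An added, simplified model of the two pieces described above (the identity provider asserting a user's attributes to several service providers, and a service provider mapping HIPAA provider taxonomy codes to roles before authorizing access to the referral system); this is example code written for this page, not code from eHealth Ohio, MEDNETWorld.com or the Shibboleth project. A symmetric HMAC stands in for the PKI signature a real SAML assertion would carry, the two taxonomy codes are cited from memory of the NUCC list and should be verified, and the role and resource tables are assumptions.

```python
import hmac, hashlib, json, time

# Constructed shared key; in the pilot, PKI keys would sign the assertion (assumption).
IDP_KEY = b"constructed-demo-key"

# Provider taxonomy code -> role. 207P00000X (Emergency Medicine) and
# 207RE0101X (Endocrinology) are quoted from memory of the NUCC/HIPAA taxonomy;
# verify against the current list. The mapping itself is illustrative.
TAXONOMY_ROLES = {
    "207P00000X": "emergency_physician",
    "207RE0101X": "endocrinologist",
}

# Resources of the referral system and the roles allowed on each (assumed).
RESOURCE_ROLES = {
    "referral_summary": {"emergency_physician", "endocrinologist"},
    "referral_edit": {"endocrinologist"},
}

def idp_issue_assertion(user, taxonomy_code, audience, ttl=300, now=None):
    """Identity provider: after authenticating the user (assumed done),
    sign a short-lived attribute assertion bound to one service provider."""
    now = time.time() if now is None else now
    body = {"sub": user, "taxonomy": taxonomy_code, "aud": audience, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp_authorize(assertion, my_audience, resource, now=None):
    """Service provider: verify signature, audience and expiry, then map the
    taxonomy code to a role and apply role-based access control."""
    now = time.time() if now is None else now
    expected = hmac.new(IDP_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    body = json.loads(assertion["payload"])
    if body["aud"] != my_audience:
        return False, "assertion issued for another service provider"
    if body["exp"] < now:
        return False, "assertion expired"
    role = TAXONOMY_ROLES.get(body["taxonomy"])
    if role is None:
        return False, "no role mapped for taxonomy code"
    if role not in RESOURCE_ROLES.get(resource, set()):
        return False, f"role {role} not permitted on {resource}"
    return True, role
```

The same assertion is rejected by a service provider it was not issued for, so a token meant for one site in the exchange cannot be replayed against another.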

As work continues, he added, the benefits of open-source, standards-based solutions will become clearer.

"If we build our own system…we will eventually end up creating something that is not going to be able to be broadly used," Moore said. "I think the solutions that we have been exploring offer some great prototypes for how we can accomplish identity management."
