Red-hot federated and user-centric ID management schemes promise to authenticate people and paperwork in health care's increasingly fragmented business world
There's only one thing people guard more closely than information about their money: information about their health. That's why in health care, as in the financial world, identity management is the Holy Grail of health care administration.
Identity management is the ability to authenticate links between people and their records, and it typically involves simple chores such as password management. Most identity management products provide features such as single sign-on, which grants access to multiple applications with one password. The alternative would be to assign users numerous passwords that they might forget or hide under their mouse pads.
But industry executives say password management and single sign-on are only initial forays in identity management. The next step is federated identity management, which promises to build on the benefits of identity management. A hospital, for example, could use federation to extend the benefits of single sign-on to its business partners, such as physicians' groups, insurance companies and pharmacies.
The path to federation
But federation has even broader implications for health care. Federated identity management provides the means to unify fragmented entities, and few markets are more fragmented than the U.S. health care sector. In addition, federated identification intersects with the country's push toward electronic health records.
"Federated ID will be crucial in deploying this idea of having an electronic record for every patient that can be accessed from anywhere at any time by an authorized person," said Dr. Christina Stephan, co-chairwoman of the Liberty Alliance's eHealth Special Interest Group and a National Library of Medicine Health Informatics fellow. "No other technology out there can provide that."
Federated identity management has not yet taken the health care sector by storm. Most of the inroads so far have taken place on the payer side. But health care providers and regional health information organizations (RHIOs) are showing interest, too. At the federal level, the E-Authentication initiative, an e-government identity management program, is expanding in the health care field.
Federated identity management lets a user have the same ID and password to access resources in different security domains. Until recently, federation involved the creation of custom-built links from one partner to another. But security was rarely a priority in those custom integrations, said Matthew Gardiner, senior manager of identity and access management products at CA.
In that style of federation, user IDs and passwords may move from organization to organization embedded in URL strings, making them vulnerable to network sniffers, Gardiner said. Federation protocols emerged to address this issue by providing secure, encrypted handling of identity data. But protocols were many, and interoperability concerns hindered the adoption of federated ID.
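An added example, not from the article or from any vendor it names: a log check a defender could run to find the pattern described above, user IDs and passwords carried in URL query strings between partners. The parameter names, hosts and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credential-bearing (an assumption; tune per integration).
SENSITIVE = {"password", "passwd", "pwd", "pass", "userid", "user", "username", "login"}

# Constructed proxy-log lines (hypothetical hosts and values).
SAMPLE_LOG = [
    '10.0.0.5 "GET https://partner.example/portal/login?userid=jdoe&password=S3cret%21 HTTP/1.1" 302',
    '10.0.0.7 "GET https://partner.example/claims?claim=4471&page=2 HTTP/1.1" 200',
    '10.0.0.9 "GET https://pharmacy.example/sso?User=asmith&PWD=hunter2&next=%2Frx HTTP/1.1" 200',
    '10.0.0.9 "POST https://idp.example/saml/acs HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def scan_url(url):
    """Return (leaked parameter names, URL with those values redacted)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Match names case-insensitively: partner systems rarely agree on casing.
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return leaked, urlunsplit(parts._replace(query=urlencode(redacted)))

def scan_log(lines):
    """Return (line number, leaked names, redacted URL) for each offending request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the expected format
        leaked, safe = scan_url(m.group(1))
        if leaked:
            findings.append((n, leaked, safe))
    return findings

if __name__ == "__main__":
    for n, leaked, safe in scan_log(SAMPLE_LOG):
        print(f"line {n}: credentials in URL ({', '.join(leaked)}) -> {safe}")
```

The redacted URL is what should be stored or forwarded in a report, so the finding itself does not copy the credential into another system.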
"Federation is a great thing, but you and your partner have to agree on the same protocol," said Mike Donaldson, vice president of marketing at Ping Identity, which markets federated ID products. "If there are too many choices, it makes it difficult to have a common choice." He said adopters would choose from seven different options at one point.
That situation has changed in the past two years. In 2005, several distinct standards-making groups coalesced around Security Assertion Markup Language (SAML) Version 2.0. The Organization for the Advancement of Structured Information Standards (OASIS) and the Liberty Alliance back SAML 2.0. The Liberty Alliance, an organization whose members include Hewlett-Packard, Oracle and EMC's RSA Security unit, pursues standards-based specifications for federated identity management.
The IBM- and Microsoft-supported WS-Federation is the other major specification in the federation field. Microsoft has delivered technology to back the specification by introducing Active Directory Federation Services as part of Windows Server 2003 Release 2.
The emergence of two approaches makes for easier choices, inspiring more organizations to embrace federated identity management, industry executives say. And the availability of federation technology from Microsoft adds fuel to the fire. "Ubiquity makes the technology more accessible to more and more organizations," Gardiner said.
In health care, the availability of federation technology converges with a pressing need for integration. "The industry is so decentralized and distributed, yet different organizations have to work together to solve common problems," Donaldson said. The challenges, he said, range from preparing for an avian influenza outbreak to devising a treatment plan for a patient with a complex diagnosis.
RHIOs and federation
RHIOs provide one market in which federation may take root. Those organizations aim to exchange patient data among hospitals to improve patient care. "I think there is a lot of discussion at the RHIO levels," Stephan said.
Stephan, who volunteers on Minnesota's Privacy and Security Project, said Minnesota is leaning toward federated identity management as it plans several health information exchanges.
The vision calls for RHIOs to use federation to give physicians an aggregated view of a patient's records, which may exist in a number of different provider organizations and databases.
The National Health Information Network, an über-RHIO that aims to provide a secure and standards-based health information exchange, also has a federation angle. In 2005, a consortium of health and IT organizations endorsed a common framework for NHIN and cited federation as a key design principle.
Some RHIOs, however, look to more localized federation as opposed to regional or national plans. Melanie Allison, CalRHIO's chief technology officer, said identity management and access control can be taxing even within a single organization.
"Often then, you will have a challenge matching patients with their records inside of a single organization," Allison said. "From our perspective, identity needs to be managed and controlled as close to the source of the medical record information as possible," she said.
Allison described this approach as federated identity resolution. Identity resolution determines which records apply to an identity and creates an integrated view of those records. Resolving a patient's ID as close to the data source as possible makes matching records organizationwide much easier, she said.
CalRHIO issued a request for proposals in December for a Web services-based framework that will provide the basic components for health information exchange. CalRHIO seeks services including identity resolution, identity management, access control, application integration and data integration.
CalRHIO's objective, Allison said, is to provide health information exchange services to stakeholders throughout California, whether to a single organization or a community of organizations.
Other government efforts touching on federation include E-Authentication, which seeks to provide a uniform approach to identity management throughout the federal government.
The Department of Health and Human Services' National Select Agency Registry and the Labor Department's Mine Accident Injury and Reporting System are among the health care-related participants in the E-Authentication Federation.
Greater maturity
Organizations looking to adopt federated ID have growing market maturity on their side. CA, Ping Identity, Microsoft, Oracle and IBM are among the vendors offering federated identity management products.
The availability of commercial products has made federated ID more technically and financially feasible. Moreover, commercial standards-based products have reduced the cost of pursuing the technology.
"That's why you are seeing growth," Gardiner said.