Tuesday, April 24, 2012

Managing Distributed Authentication

As the nation begins its pilots of pioneer Accountable Care Organizations and shares more data for care coordination and population management, IT departments will be asked to make clinical records available to increasing numbers of loosely affiliated clinicians and staff.

The challenge will be managing the authentication and authorization of a diverse population of legitimate users.

BIDMC stakeholders met this week to discuss best practices for managing distributed authentication while protecting privacy. We suggested three approaches:

1.  Use well-defined rules to approve new accounts for external organizations, in addition to implementing robust audit systems for monitoring account use

As clinical relationships become increasingly complex, it is no longer sufficient to use staff/credentialing privileges as the gating factor for creating accounts with clinical access rights. Organizational legal relationships (agreements signed between entire organizations), chain-of-command sponsorship (MD leadership at an organization requests access for appropriate clinicians), and patient referral patterns (coordination of care requires specific team member access) are all valid reasons for authorizing users. Since management of accounts across organizations is challenging, it is important to review audit trails via automated and manual methods, enforcing minimal need-to-know and appropriate clinical data use policies. We already use a variation of this approach for those external clinicians caring for BIDMC patients who need access to our read-only web-based provider portal.

2.  Federated authentication

Although one organization can issue credentials to employees of affiliates, it is challenging to monitor changes in the status of users at outside organizations. What if a clinician's role changes or they leave? If one organization trusts the credentials of another organization, a federated approach can provide more timely oversight of access rights. At Beth Israel Deaconess, we've created a technology that enables EHRs at outside organizations to access records of patients shared in common with BIDMC - the "magic button". A trusted affiliated organization manages clinical access to its own systems, and then grants those authorized users rights to BIDMC records for only those patients registered at both the local site and BIDMC. Although comprehensive legal agreements to enable this approach take time to create, the benefit is better account oversight when roles change at outside organizations.
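To make the federated gating concrete, here is an added illustration (not BIDMC's "magic button" code) of the access decision described above: the affiliate's identity system asserts that the user is still active and clinically privileged there, and the record holder grants access only for patients registered at both sites, writing every decision to an audit trail that can then be reviewed as approach 1 recommends. Organization names, patient IDs and the assertion fields are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: which affiliates are trusted under a signed agreement,
# and which patients each site has registered.
TRUSTED_ORGS = {"affiliate-a", "affiliate-b"}
BIDMC_PATIENTS = {"p100", "p200", "p300"}
AFFILIATE_PATIENTS = {
    "affiliate-a": {"p100", "p200", "p999"},
    "affiliate-b": {"p300"},
}


@dataclass
class FederatedAssertion:
    """What the affiliate's own identity system vouches for (assumed shape)."""
    org: str
    user: str
    active: bool          # user is still employed/active at the home organization
    clinical_role: bool   # home organization grants the user clinical access locally


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list = []   # (org, user, patient, allowed, reason) for later review


def decide(assertion: FederatedAssertion, patient_id: str) -> Decision:
    """Allow only a trusted org, a still-authorized user, and a patient shared by both sites."""
    if assertion.org not in TRUSTED_ORGS:
        d = Decision(False, "untrusted organization")
    elif not assertion.active:
        d = Decision(False, "user no longer active at home organization")
    elif not assertion.clinical_role:
        d = Decision(False, "home organization does not grant clinical access")
    elif patient_id not in BIDMC_PATIENTS:
        d = Decision(False, "patient not registered at BIDMC")
    elif patient_id not in AFFILIATE_PATIENTS.get(assertion.org, set()):
        d = Decision(False, "patient not registered at requesting site")
    else:
        d = Decision(True, "shared patient, user authorized by home organization")
    AUDIT_LOG.append((assertion.org, assertion.user, patient_id, d.allowed, d.reason))
    return d


def denied_counts() -> Counter:
    """Audit helper: denials per user, to surface accounts probing records they should not see."""
    return Counter(user for _, user, _, allowed, _ in AUDIT_LOG if not allowed)
```

Because the home organization supplies the active/role flags at request time, a clinician who leaves the affiliate is cut off on the next request without any change on the BIDMC side.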

3.  State HIE trust fabric

Approaches 1 and 2 work well for clinician access to provider portals. For State HIE approaches that involve pushing data between organizations, another approach is possible - using certificates to create a trust fabric for the entire community. As part of the Massachusetts HIE infrastructure, we're creating directories and security certificates that enable any provider to securely transmit content to any other provider with patient consent. Processes are created to issue certificates to trusted organizations which sign Data Use and Reciprocal Support Agreements (DURSA). Once the security infrastructure and agreements are in place, any clinician can leverage the community trust fabric, using their existing EHRs and organizational credentials, to send data to another clinician.

Accountable Care Organizations and integrated delivery networks have the challenge of sharing more data at the same time that the regulatory/compliance environment requires greater security. These three approaches are all useful tactics for the authentication and authorization management improvements we will all have to make in the months ahead.

1 comment:

Anonymous said...

Dr. Arnon Rosenthal at MITRE (arnie@mitre.org) is currently leading an internally funded open source research project to investigate methods to create a nationwide authentication mechanism. His plan is to provide a way to work with credential aggregators and others to accumulate evidence that a given data requestor really is a valid clinician.