TriCipher to the Rescue
With the TriCipher system, users can choose a password that contains any number of characters, doesnt require special characters and never needs to be changed. When users enter their ID and password, an algorithm generates a coded hash of the password. That hash, not the password, is sent encrypted via an SSL (Secure Sockets Layer) connection to a secure appliance, where the second half of the key is waiting. The password is never stored. It just launches a chain of events. "It allowed us to use a system that looks like a standard user ID and password to the user, but it uses PKI in the backgroundwhich eliminates the need to actually store passwords on our central server," Bryan said.Instead of using a database, said Bryan, the TriCipher appliance would send a users authentication information one at a time via SAML (Security Assertion Markup Language) at the moment of log-on. When a participating health care provider or vendor receives a users validated credentials, it then chooses how much access it wants to grant to its particular site. The No. 1 problem in building out the system was finding the right people to register, said Barry Gordon, senior project director at GroupHealth Cooperatives Health Informatics division, in Seattle. At each contracted organization, there needs to be a coordination point. Finding that person wasnt easy, and it was always changing. "Some providers balked," said Gordon as he retold an example of such an interaction: "Youre not the first guy whos come to me about Web sites. And I dont want to have to manage eight accounts for this billing person in my office. We want one." After nine months of plugging away with a very manual registration process, Health Informatics was only able to set up about 700 accounts. Conversely, OHP has a delegated administrator model that allows an in-house person to set up accounts locally, allowing users to choose either online or offline registration. OHP had far greater success signing up users. Within just 18 months of its July 2003 launch, OHP signed up nearly 12,000 users. After the launch, Health Informatics slowly transitioned all its users to OHP and turned off its security infrastructure, opting to stand solely behind the OHP shell. Premera Blue Cross and Regence BlueShield, two of the largest health plans in the Northwest, were the first two to join. Group Health Cooperative joined two months later, and, as a result, their business reportedly tripled in just two weeks. "It was almost as if we drafted right behind Regence and Premera, and we benefited from all of the work that they did in setting up accounts," said Gordon. "Because the [OHP] application has that value proposition to a provider, that when a provider gets set up based on Premera targeting them, not only do they get to use Premera, they get to use all these other sites. All of those positive externalities that result from just getting an account, we saw immediately." OHPs Merk was stunned as well. "Who would guess that focusing on security, a fairly benign area that most people dont really like to deal with, would become such a great thing for a community." Bryan said he believed it was the elimination of the central database that helped the community feel more comfortable about participating. "Its one thing if youre just an enterprise, because you can maintain all the control, but when you have to extend it out to a large community consisting of multiple entities, it was nice to get rid of that central risk point," said Bryan. David Spark is a freelance writer in San Francisco. He can be reached at firstname.lastname@example.org. Check out eWEEK.coms for the latest news, views and analysis of technologys impact on health care.
In an effort to quickly deploy the system, reduce management and minimize security concerns, OHP didnt require every participant to maintain a database of users, said Merk.