Sue Merk keeps an Excel spreadsheet of compliments. As they come in, she appends them to the file. "I absolutely LOVE the fact that we never have to change our password!! Thank you!!" reads one compliment.
If she likes a compliment, she'll move it up on the Microsoft Corp. application and highlight it in yellow. "I rely on it daily and save a lot of time since I don't have to sit on hold with insurance companies for basic questions. I love it!" reads another compliment.
These quotes come from users of OneHealthPort, the Seattle-based one-stop online security portal that facilitates medical professionals' access to a network of more than 6,500 health care organizations in the Pacific Northwest. Merk is OHP's vice president of product management and business development.
Before OHP launched three years ago, Merk said, some health care service providers were going through the costly experience of building and promoting a portal. Others just looked on and asked, "Wouldn't it be nice if we didn't all have to do this?"
So in an effort to tackle a security project collectively and noncompetitively, a group called the Washington Healthcare Forum, comprising CEOs from many of Washington state's health plans and large health systems, established OHP with the goal of creating a single portal for health care professionals.
OHP wanted one place where doctors, nurses, insurance providers and vendors could get secure access to claims submissions, clinical information, prescriptions and other health care services that traditionally required phone calls and faxes for accreditation.
"If we do it together, we share the costs and create something the community only has to use once," Merk said.
"Use once" turned into a recurring theme for OHP. The Forum wanted to construct a security portal that requires one registration, one agreement to sign and one log-on that gives users access to all participating sites. That objective raised questions. Could OHP do this? Does something like this already exist? Will it work with every organization's varying policies and restrictions?
Not knowing the answers, Merk said, OHP put out an RFI (request for information) to see what might be possible.
Betrusted Inc., of Columbia, Md., answered the RFI and won the bid to build out OHP's infrastructure and maintain its system on an outsourced basis. (In November 2004, Betrusted joined with other security organizations to form Cybertrust Inc., of Herndon, Va.)
Bob Bryan, head of identity and access management services for Cybertrust, had built a similar security portal, Transact Washington, the official state government Web site. Bryan knew what it was like to build security in a heterogeneous environment.
"We're dealing with developing a piece of security infrastructure that had to play with multiple systems that were being independently developed by the other players in the community," Bryan said.
Unlike Bryan's government effort, OHP was a commercial project and required a balance among security, ease of use and fast deployment. Merk said OHP wanted a solution that was loosely coupled, allowing participants to keep their existing architecture while still being able to grow with it.
Security also had to have room to develop, Merk said. At launch, single-factor password log-ons would be sufficient, but in the future, participants wanted the option to layer on additional factors such as smart cards and USB tokens. But to get the project off the ground, OHP wanted to launch with a security offering that could be delivered with zero footprint on the desktop, meaning access could be had without having to install any software or hardware on each workstation. Merk said Betrusted delivered on all the demands, with the zero footprint being the one factor that really won the project for the integrator.
OHP had to be designed so that health care professionals wanted to use it. An overly complicated registration and security procedure, for example, might limit participation. While OHP leaned toward a user ID/password system, it was wary of using strong passwords that required special characters and had to be changed every 90 days.
"What [strong passwords] really do is, they drive people to write them down and post them on the front of their machine or some place you can find them. So they destroyed the security by making it too difficult to use," said Merk.
The other log-in option was to create a full-blown PKI (public-key infrastructure)-based digital certificate system, but that would have required installing software and possibly hardware on the desktop. Either need was eliminated when Betrusted found a hybrid solution from TriCipher Inc., of San Mateo, Calif.