Health Care Pros Find Rx for Secure Portal

By David Spark  |  Posted 2005-08-15

Health Care Pros Find Rx for Secure Portal

Sue Merk keeps an Excel spreadsheet of compliments. As they come in, she appends them to the file. "I absolutely LOVE the fact that we never have to change our password!! Thank you!!" reads one compliment.

If she likes a compliment, shell move it up on the Microsoft Corp. application and highlight it in yellow. "I rely on it daily and save a lot of time since I dont have to sit on hold with insurance companies for basic questions. I love it!" reads another compliment.

These quotes come from users of OneHealthPort, the Seattle-based one-stop online security portal that facilitates medical professionals access to a network of more than 6,500 health care organizations in the Pacific Northwest. Merk is OHPs vice president of product management and business development.

Before OHP launched three years ago, Merk said, some health care service providers were going through the costly experience of building and promoting a portal. Others just looked on and asked, "Wouldnt it be nice if we didnt all have to do this?"

Some clinical trials are putting portals to use as well. Click here to read more.

So in an effort to tackle a security project collectively and noncompetitively, a group called the Washington Healthcare Forum, comprising CEOs from many of Washington states health plans and large health systems, established OHP with the goal of creating a single portal for health care professionals.

OHP wanted one place where doctors, nurses, insurance providers and vendors could get secure access to claims submissions, clinical information, prescriptions and other health care services that traditionally required phone calls and faxes for accreditation.

"If we do it together, we share the costs and create something the community only has to use once," Merk said.

"Use once" turned into a recurring theme for OHP. The Forum wanted to construct a security portal that requires one registration, one agreement to sign and one log-on that gives users access to all participating sites. That objective raised questions. Could OHP do this? Does something like this already exist? Will it work with every organizations varying policies and restrictions?

Not knowing the answers, Merk said, OHP put out an RFI (request for information) to see what might be possible.

Building security

Betrusted Inc., of Columbia, Md., answered the RFI and won the bid to build out OHPs infrastructure and maintain its system on an outsourced basis. (In November 2004, Betrusted joined with other security organizations to form Cybertrust Inc., of Herndon, Va.)

Bob Bryan, head of identity and access management services for Cybertrust, had built a similar security portal, Transact Washington, the official state government Web site. Bryan knew what it was like to build security in a heterogeneous environment.

"Were dealing with developing a piece of security infrastructure that had to play with multiple systems that were being independently developed by the other players in the community," Bryan said.

Unlike Bryans government effort, OHP was a commercial project and required a balance among security, ease of use and fast deployment. Merk said OHP wanted a solution that was loosely coupled, allowing participants to keep their existing architecture while still being able to grow with it.

Security also had to have room to develop, Merk said. At launch, single-factor password log-ons would be sufficient, but in the future, participants wanted the option to layer on additional factors such as smart cards and USB tokens. But to get the project off the ground, OHP wanted to launch with a security offering that could be delivered with zero footprint on the desktop, meaning access could be had without having to install any software or hardware on each workstation. Merk said Betrusted delivered on all the demands, with the zero footprint being the one factor that really won the project for the integrator.

Hybrid security

OHP had to be designed so that health care professionals wanted to use it. An overly complicated registration and security procedure, for example, might limit participation. While OHP leaned toward a user ID/password system, it was wary of using strong passwords that required special characters and had to be changed every 90 days.

"What [strong passwords] really do is, they drive people to write them down and post them on the front of their machine or some place you can find them. So they destroyed the security by making it too difficult to use," said Merk.

The other log-in option was to create a full-blown PKI (public-key infrastructure)-based digital certificate system, but that would have required installing software and possibly hardware on the desktop. Either need was eliminated when Betrusted found a hybrid solution from TriCipher Inc., of San Mateo, Calif.

Next page: TriCipher to the rescue.

TriCipher to the Rescue

With the TriCipher system, users can choose a password that contains any number of characters, doesnt require special characters and never needs to be changed. When users enter their ID and password, an algorithm generates a coded hash of the password. That hash, not the password, is sent encrypted via an SSL (Secure Sockets Layer) connection to a secure appliance, where the second half of the key is waiting. The password is never stored. It just launches a chain of events.

"It allowed us to use a system that looks like a standard user ID and password to the user, but it uses PKI in the background—which eliminates the need to actually store passwords on our central server," Bryan said.

In an effort to quickly deploy the system, reduce management and minimize security concerns, OHP didnt require every participant to maintain a database of users, said Merk.

Instead of using a database, said Bryan, the TriCipher appliance would send a users authentication information one at a time via SAML (Security Assertion Markup Language) at the moment of log-on. When a participating health care provider or vendor receives a users validated credentials, it then chooses how much access it wants to grant to its particular site.

The No. 1 problem in building out the system was finding the right people to register, said Barry Gordon, senior project director at GroupHealth Cooperatives Health Informatics division, in Seattle. At each contracted organization, there needs to be a coordination point. Finding that person wasnt easy, and it was always changing.

"Some providers balked," said Gordon as he retold an example of such an interaction: "Youre not the first guy whos come to me about Web sites. And I dont want to have to manage eight accounts for this billing person in my office. We want one."

After nine months of plugging away with a very manual registration process, Health Informatics was only able to set up about 700 accounts. Conversely, OHP has a delegated administrator model that allows an in-house person to set up accounts locally, allowing users to choose either online or offline registration.

OHP had far greater success signing up users. Within just 18 months of its July 2003 launch, OHP signed up nearly 12,000 users. After the launch, Health Informatics slowly transitioned all its users to OHP and turned off its security infrastructure, opting to stand solely behind the OHP shell.

Premera Blue Cross and Regence BlueShield, two of the largest health plans in the Northwest, were the first two to join. Group Health Cooperative joined two months later, and, as a result, their business reportedly tripled in just two weeks.

"It was almost as if we drafted right behind Regence and Premera, and we benefited from all of the work that they did in setting up accounts," said Gordon. "Because the [OHP] application has that value proposition to a provider, that when a provider gets set up based on Premera targeting them, not only do they get to use Premera, they get to use all these other sites. All of those positive externalities that result from just getting an account, we saw immediately."

OHPs Merk was stunned as well. "Who would guess that focusing on security, a fairly benign area that most people dont really like to deal with, would become such a great thing for a community."

Bryan said he believed it was the elimination of the central database that helped the community feel more comfortable about participating.

"Its one thing if youre just an enterprise, because you can maintain all the control, but when you have to extend it out to a large community consisting of multiple entities, it was nice to get rid of that central risk point," said Bryan.

David Spark is a freelance writer in San Francisco. He can be reached at

Check out eWEEK.coms for the latest news, views and analysis of technologys impact on health care.

Rocket Fuel