Modernizing Authentication — What It Takes to Transform Secure Access
Health care providers are facing massive IT challenges these days, many driven by the changing legal landscape. The most pressing is the Health Insurance Portability and Accountability Act (HIPAA), which lays out strict rules for protecting the privacy of patient data. Congress is also wrangling over consumer rights legislation, such as a patient bill of rights that will likely affect not only how health care organizations treat patients, but also how those organizations treat patient data.
There are essentially two ways health care organizations can react to these realities: grudgingly make the minimum IT updates required to meet the new laws, or use them as an opportunity to drive real change and gain a competitive edge.
Presbyterian Healthcare Services (PHS) has unequivocally decided on the second tack. Founded in 1908, it is the largest nonprofit health care provider in New Mexico and the state's largest health care plan, with more than 330,000 members. PHS's 7,000 employees operate eight hospitals plus various outpatient centers, ambulance services and other programs.
"We're a traditional company that is attempting to go e-business and e-commerce, with better membership and patient management and care," says Chuck Klein, e-business enterprise integration analyst for PHS's Information Services department.
Klein is part of a now-centralized IS team attempting to bring together information that resides on the company's divergent IT systems, which include two IBM mainframes, a handful of HP 3000s and 9000s, about 70 Unix machines and 65 Windows NT servers.
The PHS e-health strategy has numerous components, including a human resources enterprise resource planning (ERP) system; a new patient clinical system, which includes medical records storage and delivery; and an enterprise application integration effort on tap for next year.
More immediately, the company is implementing an application authorization and single sign-on initiative driven by OpenNetwork Technologies' DirectorySmart product. DirectorySmart enables PHS to differentiate among its employees, business partners and health plan members, giving each access only to appropriate applications and resources.
The OpenNetwork product also provides for centralization of security for PHS Web-enabled applications. "We didn't want to have to maintain multiple directories and security arrangements," Klein says. Instead of each application having its own security and authorization mechanism, DirectorySmart handles that function on behalf of all Web applications. And rather than logging in to each application individually, users can log in once to DirectorySmart to gain access to all applications for which they are authorized.
PHS plans to go live in mid-August with its first DirectorySmart-enabled application, a broker quotation system developed in-house. DirectorySmart will be used to authorize outside insurance agents and brokers that sell PHS health plans, enabling them to submit requests for quotes on health insurance coverage. Most of these brokers are looking for group policies, so their queries can contain lots of detailed data regarding how many people are involved, age groups and risk categories. Once authorized, the queries will be submitted online to the PHS underwriting department, which will come up with the quote.
The existing paper-based process used to take weeks, Klein says. When the online version goes live, the turnaround time will be three days.
"Brokers will love it," he says. "Before, everything dragged out a long time and we missed a lot of opportunities."
DirectorySmart will also be used by employees on PHS's intranet. Even non-computer users will be able to access the system using kiosks installed throughout the organization, authenticating themselves through a logon name and PIN.
"We want 90% of our 7,000 employees to access the intranet," Klein says.
DirectorySmart will be key to ensuring these employees comply with HIPAA requirements.
"The main thing about HIPAA is privacy, identifying who is accessing patient info and whether they should have access," Klein says. "Once you do that you're supposed to log it all, so it's all auditable. DirectorySmart will do all of that."
PHS is also exploring using DirectorySmart to support a digital signature initiative, which would require the implementation of public key infrastructure technology. Using predefined user roles, DirectorySmart could keep track of which documents each employee was allowed to digitally sign. The product would also maintain a log, enabling PHS to determine who signed what and when.
Digital signatures would enable PHS to automate certain paper-based processes. For example, a manager could send an electronic request to HR to see whether an employee's pay was commensurate with industry standards. The ability to digitally sign that request would enable HR to be sure it was coming from a manager and not from an employee. Similarly, digital signatures would enable doctors to securely fill out prescriptions or request medical charts online.
The final step in the DirectorySmart rollout will be to enable members, providers and employer groups affiliated with Presbyterian Health Plan, a PHS subsidiary, to conduct business online. That portion will be managed chiefly by TriZetto Group, an application service provider for the health care industry. Requests will come in via the Internet to PHS, which will use DirectorySmart to check authorization. Authorized requests will then be routed to TriZetto via a private T-1 line. TriZetto will actually process the request, feeding off a mirrored version of Presbyterian Health Plan's HBOC/McKesson AMISYS healthcare information platform.
The TriZetto effort will be rolled out in two phases. Phase 1, scheduled to begin in October, will give health care providers access to claim information, member eligibility data and the like. Phase 2, scheduled for January 2002, will add member access.
OpenNetwork Technologies, which has a history of working with health care organizations, will lead the integration to make the TriZetto partnership work, Klein says.
PHS was happy with the customer service it received from OpenNetwork, as well as the training and contract terms. A number of hours of training and support were included with the deal, and OpenNetwork helped customize the product for PHS.
Among the other features that swayed PHS to choose DirectorySmart were its graphical user interface and the ability to delegate administrative duties. Security supervisors, for instance, can create roles for a given department using the GUI, then delegate detailed user administration so that one or more supervisors in that department can decide what type of access is appropriate for each departmental employee.
"It's a delegation of authority that makes the organization flatter, which is important," Klein says. "You don't have to have IS security handling every allocation of access."
About the only thing Klein regrets in the implementation is that he did not have DirectorySmart installed in a test environment at the time his team received training on the product, due to hardware procurement problems.
"When you get training, you need to be able to play with the product so you can feel it, smell it and own it," he says. OpenNetwork did help out by sending PHS an NT version of the product to kick around while the company waited for its new Unix machines to arrive.