Webinar: Two-factor authentication locks down HIE

It’s one thing to talk about a framework of trust in a health information exchange (HIE), but the hard reality of building that framework is “you have to protect every point of entry,” said Bill Beighe, CIO of the Santa Cruz HIE (SCHIE), during a recent webinar.

The presentation, sponsored by Anakam, included Beighe's case study on SCHIE’s implementation of a two-factor authentication system.

The HIE’s medical trading area, California’s Santa Cruz County, encompasses 270,000 patients—more than 95 percent of whom are in the HIE’s patient index, and more than 100,000 clinical information exchanges occur each month among hospitals, more than 400 physicians and 700 users, said Beighe, who also is CIO of the Physicians Medical Group of Santa Cruz. Users access the HIE through a web portal or an EHR interface, where data is delivered.

The SCHIE's 14 years of operation and high rate of patient inclusion are enviable, but make it that much more difficult to protect patient data. “It’s very important to protect [the] assurance that we know who’s accessing data in the system,” said Beighe. “We believe a single factor or password just isn’t good enough anymore, and an HIE by its nature is a very diverse user base.”

When SCHIE began investigating two-factor authentication systems, it encountered ease-of-use issues and potentially high costs, considering “all of the different systems a provider needs to access in the course of a day,” he said. “If everybody goes off and does their own [security], we’re going to end up with people expected to carry a pocketful of hard factors.

“When you add to that the e-prescribing of controlled substances, you could have an even more nightmare scenario where an institution uses one form of two-factor authentication for access to their site, and an application that’s doing the e-prescribing of controlled substances is using another, different factor. So even within the same institution, we could really be adding a burden and a cost.”

The HIE eventually settled on a two-factor system from Anakam that leverages IBM’s infrastructure and the HIE’s Axolotl application software. The two factors are “something you know—your username and password—and something you have, which is your cellphone,” he said.

An SMS message sends a code to a provider’s cellphone. “When a user encounters the SCHIE login screen and they put their user name and password in, they get challenged with [the] authentication challenge screen, which lets them put in their passcode.” The user then enters their passcode.

Once physicians put in their ID and password, Axolotl and Anakam servers send the passcode to the physician’s cell phone, and the physician enters the code to access the system.
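
The server side of the passcode step described above, as an added example: this is not SCHIE's, Anakam's or Axolotl's code. The `send_sms` gateway callable, the five-minute lifetime and the three-attempt limit are assumptions the article does not specify.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window; the article gives none
MAX_ATTEMPTS = 3         # assumed retry limit; the article gives none


class PasscodeChallenge:
    """Second-factor step, issued only after the password check succeeds."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway callable
        self._clock = clock
        self._pending = {}          # username -> [salt, digest, expiry, tries]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, username, phone):
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        salt = secrets.token_bytes(16)
        # Keep only a salted digest, so the pending table never holds the code.
        self._pending[username] = [salt, self._digest(salt, code),
                                   self._clock() + CODE_TTL_SECONDS, 0]
        self._send_sms(phone, f"Your login passcode is {code}")

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, digest, expiry, tries = entry
        if self._clock() > expiry or tries >= MAX_ATTEMPTS:
            del self._pending[username]            # expired or locked out
            return False
        entry[3] = tries + 1                       # count every attempt
        ok = hmac.compare_digest(digest, self._digest(salt, submitted))
        if ok:
            del self._pending[username]            # single use
        return ok


if __name__ == "__main__":
    outbox = []                                    # constructed stand-in for SMS
    challenge = PasscodeChallenge(lambda phone, text: outbox.append(text))
    challenge.issue("provider1", "+15555550100")   # constructed user and number
    print(challenge.verify("provider1", outbox[-1][-6:]))
```

A code that expires, can be used once and locks after a few wrong guesses is what keeps a six-digit value from being guessed or replayed.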

Physician adoption has been smooth and the impact on physician workflow has been manageable, said Beighe, “but we did run into some issues—some of the facilities including the hospitals had dead spots of cellphone coverage—that’s where the hard token will come in handy in the future,” he said. “We also ran into some clinics that did not allow their users to use their cellphones during the day.”

The organization is now working to get more sites and more stakeholders involved to roll out two-factor authentication across the entire community, and has been working with vendors to implement the Anakam system in their e-prescribing systems, he said.

For e-prescription authentication, “we’re doing login and password authentication for users that are a part of our [two-factor] pilot project,” he said. “The [National Institute of Standards and Technology Level 3] requirements for e-prescribing don’t kick in until that is available in the application. You can’t use e-prescribing of controlled substances unless you have two-factor authentication built in.”
