Presented at StrataRX 2012: http://strataconf.com/rx2012/public/schedule/detail/25953
While the entire healthcare community, for decades, has been clamoring for, cajoling, and demanding integration of its IT systems, we’re actually in a pretty elementary stage when it comes to useful, practical, health IT systems integration beyond on-premise and in-building hospital software. Our problem in the industry is not that engineers don’t know how to create the right technology solutions or that somehow we have a big governance problem; while those are certainly issues in certain settings, the real cross-industry issue is much bigger – our approach to integration is decades old, opaque, and rewards closed systems.
For decades, starting in the 50’s through the mid 90’s before the web / Internet came along, systems integration meant that every system had to know about each other in advance, decide on what data they would share, engage in governance meetings, have memoranda of understanding or contracts in place, etc. After the web came along, most of that was thrown out the window because the approach changed to one that said the owner of the data provides whatever they decide (e.g. through a web server) and whoever wants it will be provided secure access and they can come get it (e.g. through a browser or HTTP client). This kind of revolutionary approach in systems integration is what the health IT and medical device sectors are sorely lacking and something that ONC can help promote.
Specifically, the following things are holding us back when it comes to poor integration in healthcare and what future EHRs can do about it:
• We don’t support shared identities, single sign on (SSO), and industry-neutral authentication and authorization. Most health IT systems create their own custom logins and identities for its users including roles, permissions, access controls, etc. stored in an opaque part of their own proprietary database. ONC should mandate that all future EHRs use industry-neutral and well supported identity management technologies so that each system has a least the ability to share identities. Without identity sharing and exchange there can be no easy and secure application integration capabilities no matter how good the formats are. I’m continually surprised how little attention is paid to this cornerstone of application integration. There are very nice open identity exchange protocols, such as SAML, OpenID, and oAuth as well as open roles and permissions management protocols such as XACML that make identity and permission sharing possible. Free open source tools such as OpenAM, Apache Directory, OpenLDAP, Shibboleth, and many commercial vendors have drop-in tools to make it almost trivial to do identity sharing, SSO, and RBAC.