The pre-eminent medical education and research organizations in the U.S. combine forces to help find cures to the most complex medical mysteries - with medical identity secured by Auth0.
“Getting identity management out of the way was, surprisingly, a really big deal, both to these proud institutions, and to the federal government. Ever since this project started, we’ve become the NIH’s shining example of how to share data among disparate institutions.”
— David Bernick, Director of Technology, Harvard Medical School Department of Bioinformatics
What if you, or someone in your family, had a disease so rare that it completely baffles medical specialists? You’re suffering from symptoms but without a diagnosis, and seeing doctor after doctor in different disciplines, unable to solve your medical mystery. Patients with extremely rare disorders have new reasons for hope: rapid advances in genome sequencing are starting to solve these mysteries. And these patients in turn offer medical science a unique window into understanding the genetic and biological underpinnings of medicine. But bringing together patients, clinical specialists, laboratory researchers, genomic databases, and big data analytics to try solving these diagnostic mysteries is itself a huge challenge, and authentication plays a central role in enabling the solution.
To realize this vision, the U.S. National Institutes of Health has established the Undiagnosed Diseases Network (UDN) with a $9 million grant from the NIH Common Fund to the Harvard Medical School. The school’s Department of Biomedical Informatics acts as the coordinating center for the UDN. After only a year of concentrated effort, the network went live on September 16, 2015 with 7 clinical sites, 6 additional laboratory and computational centers across the U.S., and a growing roster of grateful patients.
Central to the success of the UDN project was an authentication system that could handle everything from self-registered patients, to doctors and scientists authenticated through single sign-on (SSO), to administrators logging into privileged accounts with multi-factor authentication. The whole system had to comply with stringent U.S. government FISMA Moderate certification, and treat self-reported patient data with privacy equivalent to HIPAA compliance requirements.
Auth0 delivered that authentication clearinghouse. Auth0 handles all of the messy details of social identity providers such as Facebook or Yahoo, enterprise identity through SAML or ADFS, and even multi-factor authentication using smartphones for privileged access, hiding the complexity behind a simple API. With Auth0, the Biomedical Informatics staff could focus on the important task of uniting doctors and scientists to tackle some of the hardest problems in medicine, while safeguarding patient data and unpublished research.
“I’m a big proponent of letting experts do what they do best. If you get identity management wrong, it falls apart horribly, and you get put on the front page of the newspaper as having exposed a large number of people to really bad things. I didn’t want to rely on building it ourselves.”
— David Bernick, Harvard Medical School
When David Bernick and the UDN team set out to build the system, they knew they had to solve some tricky identity management challenges. The new system would break new ground, accommodating a very diverse set of roles in accessing a cloud-based repository of patient medical data, while staying compliant with stringent security and patient privacy requirements, and gaining the trust of participating independent institutions.
Among the challenges:
Given past experience and the academic and research culture, the team naturally gravitated towards self-hosted open source solutions. But Bernick and the team knew there would be a lot of work involved in setting up the software, fine-tuning it to handle the broad set of identity providers to be supported by UDN, and maintaining this custom implementation. Authentication was critical to success, but the team didn’t want to devote precious resources to building non-core infrastructure, with so many fundamental challenges to solve in implementing the UDN. In the face of a fast-moving industry, evolving and complex requirements driven by ambitious, cross-organizational goals, and the ever-present threat of security breaches, Bernick and team decided to evaluate SaaS solutions. “We were able to make a decision on authentication very early, by finding Auth0. It was the ease of development and documentation that really sold us,” said Bernick.
A Google search for Python and SAML integrations led Bernick to Auth0. Auth0’s developer-friendly tutorials, documentation, and plentiful sample code allowed him to build a simple proof of concept web application in record time. In just one day, authentication was up and running, and in less than a week he demonstrated that Auth0 could handle the wide range of SAML, LDAP, and ADFS identity providers across the educational and medical institutions collaborating on UDN. And with just a few additional configuration options, Bernick had his proof of concept authenticating to social providers including Facebook, Google, and Yahoo.
“Auth0 was the only SaaS platform we looked at because it was clear that it was outstanding. Honestly.”
— David Bernick, Harvard Medical School
The UDN team needed an authentication “clearinghouse”: a SaaS identity management service with a single, simple API that could authenticate all the users of the network coming in from different institutions and social providers, while hiding that complexity. Using the example code and tutorials that Auth0 provides to jumpstart developers and building on the proof of concept, Bernick and team implemented the complete medical identity framework for UDN in only a matter of weeks.
“In an hour, I was able to prove this thing would work the way I wanted it to. That kind of productivity really sold me as well,” said Bernick. He continued, “I didn’t have to write difficult code for every IdP we needed to integrate with. It was just writing one thing, very simple, and that was it to implement secure authentication.”
Adding a hospital’s or university’s authentication system of record to the UDN is just a matter of adding the identity provider to Auth0, then turning it on for the UDN application. In practice, the biggest obstacle to adding these institutions wasn’t code or configuration. It was finding the person at the institution responsible for its identity infrastructure and exchanging URLs and certificates, so that Auth0 and the identity provider could verify each other’s messages and communicate securely.
The team needed an attractive, easy to use and customizable login box as well. But with multiple ways to authenticate, and a requirement for mobile device compatibility, a satisfying user experience could have been costly. The team customized the Auth0 Lock widget’s look and feel, presenting required compliance information and logging in patients through name/password and social providers with a fully responsive design. When researchers and clinicians log in using the same login box, they’re immediately redirected to their institution’s SSO login page and then back to UDN.
Bernick elaborated: “One of the things our users really like: Auth0 knows how to send them to their institution’s IdP automatically based on email address. No pull-downs or anything else.”
Whatever the identity provider, Auth0’s Lock adapts and makes both enterprise logins and self-service registration, login, and password reset effortless. Even with such a data-intensive site, UDN sees nearly 20% of usage from mobile devices, and 50% of patient accounts leveraging social logins, making a responsive design essential.
UDN, as an NIH-funded initiative that handles personally identifiable patient information including sensitive medical records, must comply with a host of privacy regulations and security requirements for a U.S. government site. Chief among these requirements, UDN must comply with FISMA, the Federal Information Security Management Act of 2002. This law mandates that government agencies implement comprehensive information security controls on all of their systems. UDN is certified as a FISMA Moderate site, which requires written policies and procedures and an audit process to validate that the policies are effectively implemented, including authentication and access controls.
Because UDN’s patient data is primarily submitted by the patients themselves, and as part of their application they grant UDN permission to use their records, UDN is not technically required to be HIPAA-compliant. But the network treats their patient data with the same care as a HIPAA-compliant site, and at any rate FISMA Moderate security compliance is even more rigorous than HIPAA demands.
Bernick noted that: “People who really care about authentication, such as government entities or hospitals, get to manage the credentials their way, with their compliance, audit system, everything. If an employee is terminated at the hospital, they’re terminated in our system automatically. That saves us time and headache when it comes to compliance.”
UDN minimizes the medical identity data stored within the network itself, by federating authentication to the institutions where clinicians and researchers work, and by encouraging patients to use well-protected social identities. The simplest way to comply with regulations and privacy requirements is to avoid storing sensitive information at all. The institutions to which the UDN federates in authenticating clinicians and researchers must of course comply with regulations, but that responsibility belongs to the institutions, not to the UDN.
Single sign-on isn’t just convenient for the UDN’s users. It is a critical element of privacy, security, and compliance. Auth0 is an essential component of this strategy, making federation as easy to implement as saving a name and password. For username/password authentication, patient identity data is protected by state-of-the-art, SOC 2-compliant hashing algorithms and strict password complexity policies.
The team leveraged Auth0’s support for multi-factor authentication, including thorough sample code and documentation, to require specific, highly privileged users to provide an additional proof of identity: a code from Google Authenticator on their mobile devices. As Bernick explained: “We have a FISMA Moderate requirement to use Multi-factor Authentication for anyone accessing federal data. We use Google Authenticator to do so, via Auth0.”
The largest challenge for UDN is organizational, because institutional boundaries, the competitive nature of biomedical research, and privacy-protecting regulatory frameworks have bedeviled efforts to build collaboration between researchers. UDN breaks down these boundaries with a medical identity system from Auth0 that instills trust, through simplicity, flexibility and compatibility with a broad range of standards.
Institutions trust that through federation and SSO, they’ll retain full control of who has access to their research and data. Patients trust that their sensitive medical information will remain private, while allowing researchers to work together in diagnosing their medical mysteries. And the NIH trusts that all participants in the UDN are diligently following best practices to maintain airtight security and comply with critical regulations aimed at protecting the public.
“By providing a system that enables people to share this data, breakthroughs can happen. Being able to share this data to the very right people in an auditable, understandable fashion is paramount to diagnosing and treating these diseases.”
— David Bernick, Harvard Medical School
The UDN is already making a difference – marshaling the formidable research capacity of the foremost institutions in the U.S. to bear in diagnosing these otherwise undiagnosable diseases – bringing hope to patients who’ve otherwise lost hope, and pushing the frontiers of medical research forward.