"The healthcare industry is the largest mom-and-pop sector on the planet," said David Harrington, chief technology officer at The MedicAlert Foundation. One of the primary reasons, he said, is security—the difficulty of ensuring the security of electronic medical records.
"The need for security and privacy goes way beyond physical security," he said. "It's mostly in the realm of authorized release of information. It is potentially life-threatening if someone tampers with a record in transmission, or a repository, and incorrect information is communicated."
At the same time, getting access to patient information during an emergency situation can be life-saving.
To meet the dual demands of security and accessibility, MedicAlert has built a service-oriented architecture that allows the 50-year-old nonprofit organization to be what Harrington describes as "a trusted custodian of electronic medical information for our members. With SOA, we now have a platform to fulfill that strategy."
Last August, Turlock, Calif.-based MedicAlert launched the MedicAlert E-HealthKey, a USB-enabled device that stores medical records and history, allowing members to carry their complete personal health record on a keychain and upload or download their information from MedicAlert's repository.
MedicAlert, known to many as the "bracelet" company because of member bracelets that alert emergency responders to critical health issues such as allergies, began its SOA journey in 2004. The organization was developing a strategy to extend its repository of member information to healthcare providers, payers, pharmacies, etc. Around the same time, the Bush administration stated its intention for every American to have an electronic health record within the next 10 years, Harrington said.
MedicAlert partnered with Newtown, Pa.-based CapMed, which had developed the Personal HealthKey, a USB-based standalone personal health record. "If we could add connectivity to the key and make it transmit information to a repository, we'd really have something to offer members," said Harrington. "The only way to do that was with Web services. CapMed added connectivity on their key side and we built the infrastructure and Web services interfaces, the WSDL, and put in place the security, services management and business process integration on our side to bring information in securely without opening ourselves up to probing attacks, etc."
Building the infrastructure, particularly the security aspects, was difficult, Harrington said. "Most Web services applications and SOA features are used in internal applications and hadn't dealt with security. We didn't know what we didn't know. We couldn't just have transmission using some sort of asynchronous protocol or even HTTP. We had to have an industrial-strength mechanism for getting information if we were going to open up our repository to receive information from outside the enterprise."
Harrington said they initially planned to develop their own security mechanisms and spent some time working with encryption algorithms and identity platforms, but quickly decided it was not their core competence. They chose the XWall firewall and Sentry SOA Gateway from Forum Systems Inc., based in Salt Lake City.
"Because of the hardware/software combination that Forum provides to us, [the products] can be easily integrated into what was an evolving network architecture," Harrington said.
In addition to Forum, MedicAlert's SOA infrastructure includes Microsoft BizTalk server and Web services management software from AmberPoint Inc., Oakland, Calif. The organization does not yet employ a UDDI registry, but that is on the roadmap, Harrington said.
For the E-HealthKey, MedicAlert wrote a series of .NET Web services that allow members to upload information from their key into their record or download information to their key. For example, there are Web services for authorizing and authenticating members and Web services that allow members to enter information in a broad range of categories, such as medications, immunizations and allergies. Members can also go online to make changes to their record. The next time they activate their key they can update it, so there is a Web service to synchronize that.
The Forum Sentry SOA Gateway enforces access control on transactions, provides confidentiality through the XML Encryption standard, and supports security interoperability using Security Assertion Markup Language (SAML) and WS-Security.
Harrington said MedicAlert can now reuse its SOA foundation for new applications. For instance, he said, MedicAlert – in a partnership with Siemens, Intel and Dell – is piloting the use of smart cards with a built-in RFID circuit and building kiosks with embedded antennas that detect the RFID information on the member card. "By waving the card within 12 to 18 inches of the kiosk, it will detect the member, perform a query using a Web service we built for the E-HealthKey and it will come back with an emergency medical summary that can be printed out," Harrington explained.
"That's where we get the mileage," he said. "We made this investment in an SOA foundation – all future connectivity rests on this foundation. We will get incredible ROI over time."