Is One Password a Reality?
In today's information age, data security is often priority No. 1, and mandates such as HIPAA have only increased the emphasis on information security. For insurance carriers offering customers information over the Web, the use of passwords is a necessity. But a growing reliance on multiple passwords to access several providers' Web sites may be hindering the very purpose of providing information over the Web. "With so many [passwords] to remember, they become a barrier to usage and result in underutilization of Web infrastructure, which was designed to make information more accessible," says Ross Gosnell, vice president of information systems and technology, Delta Dental Plan of Illinois (Lisle, Ill.).
"Employers want their employees to go into their companies' intranets, sign in once, and have the ability to be transmitted to the [employers'] various vendors and partners," adds Dr. Robert Dennison, CEO of Delta Dental of Illinois and head of the national technology committee for Delta Dental. "Whether it be medical, dental, vision or life insurance plans, employees don't want to have to log out and log back on to each insurer's particular Web site to get benefit information, eligibility information or plan-status information."
The use of single passwords - known as single sign-on (SSO) - for secure Web-based information retrieval and transactions across multiple sites faces challenges, however. "The solution requires things like legal agreements between partners and carriers that could be in competition, as well as the adoption of a standard security language and collaboration on a Web service that manages this," explains Gosnell. To provide easy-to-use Web services, insurers, HR outsourcing firms and employers will have to scale layers of agreements, authentication, protocols, secure languages and communication links, he adds.
One solution is to implement "a new wave of technology that is hitting the space called federated identity that allows an SSO to span organizational boundaries," according to Phil Schacter, vice president and research director of the Directory and Security Structures Service at Burton Group (Midvale, Utah), an IT research and advisory firm. Federated identity is the term for the technology of the Identity Federation Framework, which can link user accounts to cooperating sites. The framework was developed by Liberty Alliance, a group of more than 150 companies, non-profit and government organizations from around the globe. The technology is based on Security Assertion Markup Language, or SAML, an XML-based framework created by the Organization for the Advancement of Structured Information Standards (OASIS; Billerica, Mass.).
Delta Dental is vetting the federated identity technology, using SAML to develop a security assertion token, with a lifespan of about 30 seconds, that would provide added security capabilities. "An employer or HR Web site would send a token to Delta Dental asking for verification, and a Web service sitting on the Delta Dental site would validate the member," Gosnell relates. The entire process would be transparent to the user, he says. While Delta Dental already has an SSO system in place with benefits manager Hewitt (Lincolnshire, Ill.), the solution is proprietary and was developed by Hewitt. "With the variety of carriers today, we can't afford to handle each as a proprietary solution and need to develop something with standards," Gosnell asserts.
"Hewitt has let us know that at least one other large national account of ours wants to do the same thing," adds Delta Dental's Dennison. "So representatives from Delta plans all over the country are working on a white paper to present to employers that we currently cover as well as those that we are hoping to get." Delta Dental can use its existing national Web portal as a home base for SSO customers, according to Dennison.
The biggest challenge for Delta and other carriers looking to provide SSO capabilities will be guaranteeing data integrity. "Insurers must develop strong contract agreements requiring trusted identity systems," recommends Burton Group's Schacter. "You're aggregating more risk in one basic credential," he explains, so insurers need to be sure of that credential.
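The checks a receiving Web service could apply to a short-lived assertion such as the roughly 30-second token described above, shown as an added example that is not from the article or from Delta Dental. It assumes SAML 2.0 element names, a 5-second clock-skew allowance and a placeholder audience URL, and it assumes the assertion's XML signature has already been verified with a vetted SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_LIFETIME = timedelta(seconds=30)  # lifespan quoted in the article
CLOCK_SKEW = timedelta(seconds=5)     # assumed tolerance between partners' clocks
FMT = "%Y-%m-%dT%H:%M:%SZ"
_seen_ids = {}                        # assertion ID -> expiry, for replay detection

def _ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_audience, now):
    """Return (accepted, reason). Call only after signature verification."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not {"NotBefore", "NotOnOrAfter"} <= set(cond.attrib):
        return False, "missing validity window"
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not_after - not_before > MAX_LIFETIME:
        return False, "lifetime longer than policy"
    if now + CLOCK_SKEW < not_before:
        return False, "not yet valid"
    if now - CLOCK_SKEW >= not_after:
        return False, "expired"
    path = "saml:AudienceRestriction/saml:Audience"
    if expected_audience not in [a.text for a in cond.findall(path, NS)]:
        return False, "wrong audience"
    # Forget IDs whose window has fully closed, then refuse any ID seen before.
    for old in [k for k, exp in _seen_ids.items() if exp + CLOCK_SKEW <= now]:
        del _seen_ids[old]
    aid = root.get("ID")
    if not aid or aid in _seen_ids:
        return False, "replayed or missing ID"
    _seen_ids[aid] = not_after
    return True, "ok"

def sample_assertion(issued, lifetime_s=30, audience="https://carrier.example/sso", aid="_a1"):
    """Constructed, unsigned test assertion; not captured from any real system."""
    end = issued + timedelta(seconds=lifetime_s)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{aid}">'
            f'<saml:Conditions NotBefore="{issued.strftime(FMT)}" '
            f'NotOnOrAfter="{end.strftime(FMT)}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion>')

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = sample_assertion(t0)
    print(check_assertion(token, "https://carrier.example/sso", t0 + timedelta(seconds=10)))
    print(check_assertion(token, "https://carrier.example/sso", t0 + timedelta(seconds=12)))
```

The second call is rejected even though the token is still inside its window, because a bearer token that short-lived is only useful if each assertion ID is accepted once.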