A secure SOA takes MedicAlert from bracelets to USB devices

By Colleen Frye, News Writer 21 Feb 2006 | SearchWebServices.com

News on SOA, EAI, Web services Digg This!     StumbleUpon     Del.icio.us

"The healthcare industry is the largest mom-and-pop sector on the planet," said David Harrington, chief technology officer at The MedicAlert Foundation. One of the primary reasons, he said, is security—the difficulty of ensuring the security of electronic medical records.

We had to have an industrial-strength mechanism for getting information if we were going to open up our repository to receive information from outside the enterprise. David Harrington Chief Technology Officer, The MedicAlert Foundation

"The need for security and privacy goes way beyond physical security," he said. "It's mostly in the realm of authorized release of information. It is potentially life-threatening if someone tampers with a record in transmission, or a repository, and incorrect information is communicated."

At the same time, getting access to patient information during an emergency situation can be life-saving.

To meet the dual demands of security and accessibility, MedicAlert has built a service-oriented architecture that allows the 50-year-old nonprofit organization to be what Harrington describes as "a trusted custodian of electronic medical information for our members. With SOA, we now have a platform to fulfill that strategy."

Last August, Turlock, Calif.-based MedicAlert launched the MedicAlert E-HealthKey, a USB-enabled device that stores medical records and history, allowing members to carry their complete personal health record on a keychain and upload or download their information from MedicAlert's repository.

MedicAlert, known to many as the "bracelet" company because of member bracelets that alert emergency responders to critical health issues such as allergies, began its SOA journey in 2004. The organization was developing a strategy to extend its repository of member information to healthcare providers, payers, pharmacies, etc. Around the same time, the Bush administration stated its intention for every American to have an electronic health record within the next 10 years, Harrington said.

MedicAlert partnered with Newtown, Pa.-based CapMed, which had developed the Personal HealthKey, a USB-based standalone personal health record. "If we could add connectivity to the key and make it transmit information to a repository, we'd really have something to offer members," said Harrington. "The only way to do that was with Web services. CapMed added connectivity on their key side and we built the infrastructure and Web services interfaces, the WSDL, and put in place the security, services management and business process integration on our side to bring information in securely without opening ourselves up to probing attacks, etc."

Building the infrastructure, particularly the security aspects, was difficult, Harrington said. "Most Web services applications and SOA features are used in internal applications and hadn't dealt with security. We didn't know what we didn't know. We couldn't just have transmission using some sort of asynchronous protocol or even http. We had to have an industrial-strength mechanism for getting information if we were going to open up our repository to receive information from outside the enterprise."

Harrington said they initially planned to develop their own security mechanisms and spent some time working with encryption algorithms and identity platforms, but quickly decided it was not their core competence. They chose the XWall firewall and Sentry SOA Gateway from Forum Systems Inc., based in Salt Lake City.

"Because of the hardware/software combination that Forum provides to us [the products] can be easily integrated into what was an evolving network architecture," Harrington said.

In addition to Forum, MedicAlert's SOA infrastructure includes Microsoft BizTalk server and Web services management software from AmberPoint Inc., Oakland, Calif. The organization does not yet employ a UDDI registry, but that is on the roadmap, Harrington said.

For the E-HealthKEY, MedicAlert wrote a series of .NET Web services that allow members to upload information from their key into their record or download information to their key. For example, there are Web services for authorizing and authenticating members and Web services that allow members to input information to a broad number of categories, such as medications, immunizations, allergies, etc. Members can also go online to make changes to their record. The next time they activate their key they can update it, so there is a Web service to synchronize that.

For more information Burton: Put Web services security on front burner XML acceleration, security stay hot in SOA

The Forum Sentry SOA Gateway enforces access control on transactions, confidentiality through the XML Encryption standard and security interoperability using Security Assertion Markup Language and WS-Security.

Harrington said MedicAlert can now reuse its SOA foundation for new applications. For instance, he said, MedicAlert – in a partnership with Siemens, Intel and Dell – is piloting the use of smart cards with a built-in RFID circuit and building kiosks with embedded antennas that detect the RFID information on the member card. "By waving the card within 12 to 18 inches of the kiosk, it will detect the member, perform a query using a Web service we built for the E-HealthKey and it will come back with an emergency medical summary that can be printed out," Harrington explained.

"That's where we get the mileage," he said. "We made this investment in an SOA foundation – all future connectivity rests on this foundation. We will get incredible ROI over time."

Tags: Service-oriented architecture (SOA) education,  SOA implementations,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Service-oriented architecture (SOA) education SOA Manifesto urges both agility and business focus SOA skills, slings and arrows Playbook for the SOA Red Zone Win SOA Design Patterns book Take part in SearchSOA.com survey. Help define the state of SOA. New year – same old SOA tempests? The annals of SOA Talk Software architects navigate transitions Ten ways to identify services Analysts, users find roadblocks along the SOA highway Service-oriented architecture (SOA) education Research SOA implementations New SOA products for November 2009 SOA implementation evolves from open source to Oracle SOA suite U.S. Coast Guard adopts SOA and ESB to better track ships at sea SOA Implementation: Should top down meet bottom up? ESB watered down by EAI, but distinction remains On the road to SOA – Part 1, Boubez on early insights On the road to SOA – Part 2, Governance is fundamental Sparx releases new SoaML profile for Enterprise Architect 7.5 SOA implementation: It's the increments, stupid Bury SOA inside a larger architectural vision SOA implementations Research SOA standards bodies The standards behind Web services WSDL 2.0 finalized OASIS okays Web services signature standard Is WSRP dead? WS-BPEL finally official OASIS forms group to advance SCA and SDO Google: Ajax thrives on standards 'abuse' eBay pilot takes RIA Web services direct to desktop W3C begins work on new HTML spec Alcatel-Lucent joins WS-I

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary middleware  (SearchSOA.com) Semantic Web  (SearchSOA.com) service-oriented integration  (SearchSOA.com) service-oriented management  (SearchSOA.com) Web-Based Enterprise Management  (SearchSOA.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary