Medidata Blog

The Challenge of Identity Management

Reading Time: 2 minutes

Identity management is one of those seemingly obvious problems to solve in clinical development. But it may in fact be one of the hardest.

Identity management sounds easy, right? You just need to set up accounts for your investigators, clinical research coordinators, monitors and everyone else in the trial. You’re probably thinking, “No problem. It’s like sending out wedding invitations, right?” Of course not!

In actuality, activating and maintaining users that are not in your own corporate directory is complicated, error prone and requires many people to coordinate and verify identity. And you need to do it for each and every system you want to use plus maintain access carefully, following all GxP and 21 CFR Part 11 regulations. Although, one might also argue that wedding invitations are just as tricky.

But identity management is really concerned strictly with the verification of identity. Are you who you say you are? And this is a critical part of clinical information systems, because unlike most other industries, clinical information systems require you to provide system access to people that, as I said before, are not in your own corporate directory. This “reaching across” the unknown, between corporate and organizational domains, is terrifying to system administrators and security experts. How are they to know that the person they are providing data access to is really who they say they are? How do they know that the system that person is using has proper physical security? And what if that person leaves their job, or changes their name, or email address, or some other identifier? Who can they ask for verification?

Scary.

Fortunately, there are solutions that are beginning to take shape. Interestingly, these are not necessarily industry specific solutions, but Web 2.0 and social media solutions that finally begin to seriously address the problem of identity management in a cross-organizational manner. Managers within life sciences often think of websites such as Google+, Facebook, LinkedIn, Foursquare and Flickr to be “toys” and in a sense they are. But much like video games are responsible for the creation of entire industries like CGI in the movies, these toys are mapping the future for clinical identity management.

These social media sites have created and encouraged technologies such as SAML and OpenID to allow the true sharing of identity across organizations. These methods work differently than authentication has worked in the past. Instead of providing users with separate sets of credentials or IDs in each system, these methods ask that the two organizations “trust” each other for one or a set of user identities. This is an interesting concept in that it asks us to do exactly what we do in real life and in so doing provides a better match to our business processes.

I’ll save the details of how these technologies work for a separate post, but to clarify my above statements let me pose the following question. Which of these are you more likely to trust?:

  1. Someone who claims to be “Dr. Smith” because she shows you an ID claiming she is Dr. Smith.
  2. Someone who claims to be “Dr. Smith” because someone you know at General Hospital indicates they are Dr. Smith and that they work there.

*Jay Smith lead a session on this very topic at the DIA 2012 48th Annual Meeting. His DIA presentation was titled, “Identity Management Technologies in Clinical Trials.”

More about Jay Smith

Medidata Solutions Image

Medidata Solutions