The National Board of Medical Examiners (NBME), whose job is to accredit physicians in the U.S., has set up an extranet to provide online access to doctors' test scores and other data.
Medical schools, state medical licensing authorities, hospitals and other organizations need to know how medical students have scored on the tough exams given by the NBME, which also keeps track of whether or not physicians are in good standing.
The NBME decided it could disseminate such information much more quickly over the Web than it could via paper. The NBME's main challenge was finding a way to be sure of the online user's identity and to restrict access to the appropriate information, all housed in an Oracle database.
"Once we decided to use the Web, we needed to have a good way to qualify users online to make sure they are who they say they are," says Steve Lopez, the NBME's director of IT. Simple passwords and IDs, used over and over again, were seen as inadequate because they can easily be compromised through sharing with others, he says.
The better answer for the extranet, Lopez says, was what security experts call "two-factor authentication" -- which means generating a one-time password through a software or hardware token given to the user along with a unique PIN.
Because the NBME was satisfied with the Raptor firewall from Axent Technologies, which it has been using for a long time, Lopez last year looked at adding two other Axent products -- the SecureLink Bridge Server and WebDefender. These two products work inside the intranet to provide the remote user with single sign-on to Web pages.
The Unix-based SecureLink Bridge Server acts as a proxy to the firewall for the remote user -- in this case, an individual at a medical school or other organization who wants to obtain physicians' records. The outsider has to prove his identity over the Web by entering a one-time password created by the WebDefender software token issued by the NBME.
The bridge server passes this identity authentication request to the WebDefender server, and if the remote user's identity checks out, WebDefender issues a software ticket. The ticket grants restricted access to a Web application server.
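The flow described above (PIN plus one-time password checked by an authentication server, which then issues a ticket good only for restricted access) can be sketched as follows. This is an added illustration, not Axent's or the NBME's code: the RFC 4226 HOTP algorithm, the HMAC-signed ticket format, and all class, function and scope names are assumptions.

```python
import base64, hashlib, hmac, json, os, struct

def hotp(secret, counter, digits=6):
    """RFC 4226 counter-based one-time password (assumed token algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical authentication server that sits behind the bridge/proxy."""
    def __init__(self, ticket_key):
        self.ticket_key, self.users = ticket_key, {}

    def enroll(self, user, secret, pin, scope):
        salt = os.urandom(16)
        self.users[user] = {"secret": secret, "salt": salt, "counter": 0,
                            "pin": _pin_hash(pin, salt), "scope": scope}

    def login(self, user, pin, otp, now, ttl=300, window=3):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"]):
            return None  # factor 1 (the PIN) failed
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["secret"], c).encode(), otp.encode()):
                rec["counter"] = c + 1  # burn the code so it cannot be replayed
                body = json.dumps({"sub": user, "scope": rec["scope"], "exp": now + ttl}).encode()
                tag = hmac.new(self.ticket_key, body, hashlib.sha256).digest()
                return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, tag))
        return None  # factor 2 (the one-time password) failed

def check_ticket(ticket_key, ticket, needed_scope, now):
    """Web application server side: verify signature, expiry and scope."""
    try:
        body, tag = (base64.urlsafe_b64decode(p) for p in ticket.split("."))
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(ticket_key, body, hashlib.sha256).digest(), tag):
        return None
    claims = json.loads(body)
    if now >= claims["exp"] or needed_scope not in claims["scope"]:
        return None
    return claims["sub"]
```

Because each accepted code advances the stored counter, a shared or captured one-time password is useless on a second attempt, which is the property that reusable passwords lack.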
"We have about 130 outside people from medical schools using this to get test-score information from the NBME," says Lopez, who notes the system has been in place since the fall.
The NBME's IT staff made sure to keep the organization's business divisions fully informed about the extranet project to encourage future use of the technology.
The next extranet application under way at the NBME will give college professors a way to discuss testing online rather than in person.