Report from the InSight Initiative Summit: Thinking about Security and the Future of IP Authentication
Submitted by Gerald J. Perry, AHIP, FMLA, Libraries, University of Arizona–Tucson; Andrea Lopez, Annual Reviews; Gabriel R. Rios, Ruth Lilly Medical Library, Indiana University–Indianapolis; and Rich Lampert, Doody Consulting
The MLA InSight Initiative was developed to create a forum in which librarians and vendors can discuss topics of mutual interest in a collegial environment. Much of the time at the first InSight Initiative Summit, held in March, was devoted to small-group discussions of issues that both librarians and vendors regarded as challenging, with each group consisting of equal numbers of medical librarians and vendor representatives. This is the first of four articles that synthesize key points from the discussions.
Information security is critical to the business models of most publishers and other library vendors, and medical librarians regard it as a critical aspect of their jobs. At the same time, both librarians and vendors want to facilitate convenient user access to maximize usage. Vendors recognize that their claims of ownership of intellectual property have been compromised by so-called “pirate” sites, and they count on cooperation from libraries to forestall further compromise. Librarians, by managing their proxy-based systems, work with publishers who detect untoward downloading.
Security and other concerns continue to drive change in library security arrangements, which must be implemented not just with library users, but also with the multiple vendors that provide intellectual property. Similarly, publisher changes, such as the change from HTTP to HTTPS, reverberate through all the libraries that access licensed content. Evolutions going in both directions create increasing demands on information technology (IT) staffs at both libraries and vendors. Because librarians have direct contact with end users, they feel particular strain if IT modifications compromise the user experience. Another source of end-user confusion is the availability of multiple authentication systems: systems such as Shibboleth and OpenAthens are perceived as “inside baseball” (a detail-oriented approach to the minutiae of a subject) that merely irritate users. Overall, both librarians and vendors believe that there is a need to simplify the experience of users who want to access licensed information.
This is a complicated challenge because the technical bases of security do not always match up neatly with the reality of health care settings. For instance, many hospitals use firewalls specifically designed to forestall violations of the Health Insurance Portability and Accountability Act (HIPAA) that, in turn, complicate access to information products. Another element is that a given Internet protocol (IP) range for a health care system can encompass multiple sites, whereas the licenses for some information products may be restricted to a single site. Issues of this kind create challenges for vendors in writing license agreements and for libraries in implementing them.
Ongoing efforts to develop Resource Access for the 21st Century (RA21), which authenticates individuals rather than an IP range, are not yet well understood by medical librarians, and it is clear that both RA21 developers and medical librarians need to be proactive in clarifying their expectations and needs before the system is deemed ready to implement. Librarians are hopeful that RA21 will enable publishers to block a single user in the event of a serious breach, rather than blocking potentially many users within an IP range, and will address some of the challenges of differentiating among single- and multi-site licenses. Librarians emphasize that making security modifications to their systems is a major burden, so they are hoping that RA21 developers are providing a gradual transition, presumably with current security arrangements coexisting with RA21 for a significant length of time.
One discussion group asked if a federated identity scheme would contribute toward a solution, but that raises the question of what would be a third-party source of the identity that individuals, libraries, and vendors would fully trust. Another novel idea about authentication is the notion of making some resources available on a geolocation basis to a major institutional area.
Another discussion group considered the development of publisher ecosystems that engage user-authors “from cradle to grave,” potentially establishing career-long brand loyalty and thereby eroding the ideal of the library as a resource that aims to not prioritize sources. In addition, consolidation of all kinds—of libraries, of publishers, of health systems—is abetted by digital solutions and is likely to further increase strains in vendor/library relationships.
So the balancing act is likely to continue: information security and convenient user access balanced in a complementary relationship, while evolving digital technologies generate new possibilities and new challenges.
Other articles in this series cover other topics that small-group discussions focused on at the first summit: lessons learned from pirate sites, specialized discovery tools to maximize user engagement, and imagining the ideal social networking site for collaboration and sharing.
MLA’s InSight Initiative is supported by the following organizations: Annual Reviews, American Psychiatric Association Publishing, BMJ, Elsevier, F1000, The JAMA Network, McGraw-Hill Education, NEJM Group, Springer Nature, and Wolters Kluwer.