I attended the RA21 webinar remotely Friday morning and it was interesting. I hope they recorded it and will make the recording available for everyone because this needs to be on the radar of medical and hospital librarians…now. For those attending MLA in Atlanta, there will be a session Sunday 4-4:20, "Leading Easy Access to Content: RA21 Pilots Transform Researcher Productivity and Privacy," in the Hyatt Regency Embassy C.
Why should medlibs care? The publishers are looking to do away with the current method of online resource authentication, IP validation. There is a whole slew of reasons why IP validation has problems; one of the biggest is piracy like SciHub.
What is RA21? The RA21 website goes into further detail, but it is basically an initiative to facilitate seamless access to online resources while preventing piracy and improving authentication methods.
This is big, because right now many hospital and medical libraries use IP validation, EZ Proxy or both to authenticate users. RA21 seeks to eliminate IP validation from your on campus IPs as well as your EZ Proxy.
There are privacy issues that concern many people. I am not going to focus on that. I am going to focus on just implementation issues in hospitals.
I don’t understand all of the technical nuts and bolts of RA21, but here is what I learned from the webinar and why hospital librarians need to start paying attention.
- Publishers are pushing to eliminate IP validation as the method for authentication. This means you won’t be able to give your hospital’s IP ranges or your proxy server and have your patrons automatically access library resources (without passwords).
- Patrons will not be able to click and access a resource simply by just being on campus.
- RA21 will require people to validate themselves and sign into the resources. So a doctor will click on Wiley’s Cochrane Library and be asked to log in, even when on campus.
- They mention that the doctor will only have to log in once because the system will know him/her. What doctor do you know who stays in one place and uses one computer? Doctors will have to log in multiple times throughout the day.
- RA21 follows the user not the user’s location. So there will need to be some database of approved users.
- Librarians will need to maintain that. They are the ones who will have to add users and delete users.
- Some libraries are set up to be able to do this through their ILS patron database. However, other ILS systems can’t share patron database info.
- Additionally, A LOT of hospital libraries don’t have an ILS, they still have sign out cards!
- EVERYONE, academic medical libraries and hospitals, will need something like Shibboleth or OpenAthens to be able to implement RA21. This is not good. There are A LOT of hospital libraries that can barely afford their journals, let alone OpenAthens or another product to manage online access.
- Libraries with walk-up access via their computers will have to figure out how to time out people. The doctor is not going to log off of a journal when they leave.
Now I am admittedly fuzzy on what authentication methods they are using. Whether they have a database of approved users who have created their own ID and password or they have something else. Some groups seem to be talking about email addresses while other groups talk about login IDs and two factor authentication.
However, every user must authenticate. There will be no more pass-throughs via IP. So every time a doctor wants to use an online resource they will have to log in. Now as many hospital librarians know, the doctors are not going to want to log in to access an online resource. I believe I heard one medical librarian say her doctors will have kittens if they had to have yet another username and password to remember just to get journal articles. We have an online resource that contains both ejournals and ebooks within it. The ejournal articles allow IP validation to access the PDF. The online resource used to require doctors to use a username and password to access the PDF of the books. Our doctors absolutely refused to use any of the ebooks from that product. They didn’t want to bother with logging in. Requiring a login to view the PDF of those books impacted usage. IMHO RA21 in a hospital environment will impact usage.
What about single sign-on? RA21 keeps talking about single sign-on. Most likely hospitals will not allow us (or anyone) to tie our library login to their network login. So there is no real “single” sign-on. They will need to remember 2 different usernames and passwords, one to get onto the hospital network and one to get library resources. What do you think will happen? Doctors will use the same network passwords as the passwords for the library. That’s not good.
Hospitals tend to have extremely locked down IT environments, some hospitals more than others. I know of hospitals that can’t provide off campus access to the ejournals because their IT forbids them from using proxy access (even if it is outsourced and off site). The folks at RA21 kept talking about working with our IT departments and it is clear that none of them have had to deal with hospital IT. The hospital IT department does not care about the library. The hospital IT only cares about the EMR and locking everything down as tight as possible from the outside world…including medical publishers. I know a librarian at a government healthcare agency library that routinely loses access to PubMed due to IT restrictions. Yes, a government healthcare agency library loses access to a government database because the government agency IT has things extremely locked down. So IT is not going to be on board. It isn’t in their interest, which is the total security of the hospital network…not STEM piracy prevention or user experience. This change will fall to the library staff to handle.
Now I agree that IP validation is a flawed system and we need something better. However, I have concerns as to how it can be implemented in hospital libraries. Not one of the RA21 Steering Committee is from a hospital library. They are all big STEM and research and have tested it in the academic library environment. When I asked for examples of implementation or testing in hospitals I heard nothing. I don’t think they realize how different hospitals are. After all, they kept presenting the idea that we can tell IT that it will be a better user experience. IT does not care about user experience.
I think your major hospital systems will be able to adapt. Sure the docs will have kittens about the login requirements and usage might go down because they don’t want to bother logging in for something quick. But I really worry about the hospitals that aren’t big. I worry about the ones with budgets that are little more than pennies. I worry about the ones that aren’t allowed to use any outsourced resources to provide journal authentication. I worry about the solo librarians with no contacts in IT. How are those hospitals going to handle things?
We need to pay attention so that we can be an active partner in trying to make RA21 or whatever method for authentication something that is feasible for medical libraries.
I was also at the InSight Initiative and was left with major concerns about RA21 and hospital libraries. I work in one of those small hospital libraries with no funding for OpenAthens. We don’t even have a proxy server. Part of the reason we don’t have these things is money, but the other part is IT and security. Even giving IP addresses to vendors is problematic for IT. They see it as a security problem. Michelle is totally right; IT isn’t concerned about the user experience. They are concerned with protecting patient information.
While at Insight I tweeted out my concerns and received a response from the presenter where she said RA21 was being tested in pharmacy research companies so it wasn’t just applicable to academia. But she also said plainly in the tweet “RA21 might not work in every industry”. (https://twitter.com/sphcow/status/971167898059362304) What?! So you’re going to have publishers get rid of IP authentication and then what? How are we supposed to access our content? I pressed her further in person about hospitals and her responses were not reassuring. I tried explaining access issues and hospital security but it made no impact. This isn’t on their radar. These people are operating in a bubble where everyone can afford EZ Proxy and everyone has access to whatever they want (i.e. some hospitals don’t allow access to Gmail/Google Drive).
I was actually reassured (slightly) that the table of publishers I was sitting with was also concerned when they realized that my users might not be able to access the content I buy from them. I doubt it will make any difference in the end, but at least it registered with some people.
Ditto what Lisa said…I was left less than enthused about RA21 when we had their presentation. I’m having kittens about 2-factor authentication which our I.T. department is talking about. Who is going to use 2-factor authentication for library resources when they complain about a user name and password already? RA21, for me, has privacy, FERPA and HIPAA concerns written all over it if the user can be tracked by anyone other than the person with access to our proxy logs.
And here is a response to that article: https://scholarlykitchen.sspnet.org/2018/02/07/myth-busting-five-commonly-held-misconceptions-ra21/
I haven’t even actually read it yet… but Michelle’s post got us thinking and so we have been gathering data.
Thanks all for getting us exploring this issue.
I was in attendance at the MLA Insight futures event last month and heard similar concerns from hospital librarians in attendance.
FWIW, many academic institutions aren’t really all that interested in losing IP and proxy access either. And, being at an institution that does have Shibboleth, I can tell you from a personal perspective that there are multiple times a month where the Shib path fails out and I have to navigate back to the library and re-access the publisher site via the proxy server.
ICYMI – here’s the piece I wrote that “outed” the RA21 intention to kill off IP and proxy access and raised other issues like privacy, tracking, etc.: https://scholarlykitchen.sspnet.org/2018/01/16/what-will-you-do-when-they-come-for-your-proxy-server-ra21/