Tuesday, I got an email regarding Important Changes to NCBI Accounts Coming in 2021. Basically, NCBI will be transitioning away from NCBI managing logins (My NCBI, SciENcv, and MyBibliography) require people to login to their My NCBI using federated account credential from eRA Commons, Google login, or a university or institutional point of access to login.
While I get that NCBI wants to be out of the password management game, I have some concerns regarding the impact this might have.
The eRA Commons is primarily used by people and institutions for grants. “The eRA Commons is online interface where grant applicants, grantees and federal staff at NIH and grantor agencies can access and share administrative information relating to research grants.” Looking at the institutions listed on their list of federated institutions (login drop down menu on left side), it is primarily all universities and colleges which makes sense since it is for NIH grantees. I counted only 3 hospitals, Cincinnati Children’s Hospital, Mayo Clinic, and Johns Hopkins. Now several large hospitals partner with universities and colleges to do research, so some people at other hospitals might have this type of login through their research with a listed university, but many may not.
Google is a complicated hot mess in hospitals these days. Quite frankly I am surprised that NCBI didn’t realize this. In November, hospitals around the United States blocked access to Google and many social network and file sharing sites. The FBI issued a warning to hospital and health care institutions of credible cyber security threats using Google and other file sharing sites. With Google blocked at a majority of hospitals in the United States, this has the potential to cause problems logging into My NCBI using a Google account. This is not an unfounded concern, some hospital librarians have reported on medlib-l of difficulties using Docline with their Google login.
I emailed NCBI support asking how we could set up our institution so our users could login with an institutional account. I asked if this requires the institution to have single sign-on or if it is possible for libraries with proxy servers to implement something.
This was the response.
“The institutional 3rd party login is set up with InCommon participants and uses the institution’s login system to log users into My NCBI. For example, if a university is a member of InCommon and the institution is listed in the My NCBI login, the user can choose their university from the dropdown and login with their university credentials once their university is linked with My NCBI. If your institution is not already a member of InCommon, please have your network administrator contact InCommon here: https://incommon.org/federation/federation-join/. Once an institution is a participant in InCommon, the network administrator should email [email protected] to be added to the list of 3rd party logins.”
InCommon is a fee based service to manage single sign-on, access to cloud and local services, and seamless global collaboration for students, faculty, staff, and researchers. The list of Federation entities is pretty long and still skews heavily to universities and colleges. So your institution must use InCommon to be able to login to MyNCBI via their institution. So hospitals who don’t allow single sign-on or don’t use InCommon for single sign-on will not be able to have their users sign on via their institution.
NCBI support said, “If your system is not able to participate in InCommon, there are other 3rd parties besides Google that will still work with My NCBI. These include eRA Commons for NIH grantees (already discussed above), ORCiD, or login.gov.
Since eRA Commons is for NIH grantees, it would seem ORCiD or login.gov are the best options for most users in hospitals who aren’t NIH grantees. I would guess that most hospital users don’t have ORCiD accounts. While ORCiD is intended as a single ID for researchers, there is no rule (that I know of) that requires you to be a researcher. So that may be an option. Login.gov “offers the public secure and provide online access to participating government programs” and that would be an additional option for hospitals.
It is disappointing that NCBI and NLM don’t seem to understand the access restrictions and issues in hospitals today. Recommending using Google as a login option clearly illustrates this. Most of the other options are also clearly more directed to grant researchers not the average hospital physician or librarian. I also understand NCBI’s desire to get out of the managing personal information (however, limited there is in My NCBI account). There is a definite desire in everyone to have better password management, balancing the desire for one login for everything like Google or single sign-on with the security risks versus managing multiple logins for multiple resources.
It seems that NCBI and NLM make changes to popular programs in vacuum or without consulting of the very people (especially “power users”) who use their products. I feel like the vast majority of hospitals will have to tell their users to use ORCiD or login.gov and will be unable to help their users have single sign-on via their institution.
This lack of understanding and lack of engagement was highlighted as an opportunity/challenge for NLM by the Medical Library Association/Association of Academic Health Sciences Libraries in their response to Request for Information (RFI): Strategic Opportunities and Challenges for the National Library of Medicine, National Institutes of Health. (Read the full text here, login required)
Regarding technological challenges the MLA/AAHSL committee stated:
“More support is needed for a national health information technological infrastructure that enhances interoperability, reduces risk, and maintains privacy and security of information. NLM should have a role in setting standards that prevent hospitals from creating systems that actively obstruct the free flow of health information, and support hospital librarians in their role in ensuring that their institutions meet these standards.
NLM must acknowledge and collaborate with technology companies so hospitals and health care professionals can better utilize the 21st century technologies that NLM and other technology companies are developing, and to ensure they are compliant with current and future federal and state regulations such as HIPAA. Many of the products, services, and initiatives from NLM and technology companies (e.g. data sharing and document sharing/storage) are blocked by institutions because they are considered a risk to healthcare security and HIPAA.”
Regarding the lack of engagement between NLM and users the MLA/AAHSL committee stated:
“Health Science Librarians as Key Stakeholders in the Future of the National Library of Medicine Health sciences librarians across the United States and globally continue to maintain a strong sense of connection to NLM through freely available, high quality resources such as PubMed and other NCBI databases. As “power users”, educators, and promoters of these resources to students, clinicians, and researchers, health sciences librarians have a vested interest in the design and content of these resources. As NLM grows in exciting new directions, health sciences librarians need to know that their voices and feedback are being heard and that we are being engaged in discussions regarding the redesign of current resources (such as PubMed) and the sunsetting of others (such as Genetics Home Reference). Current communication mechanisms, such as the NLM Director’s Musings from the Mezzanine blog, have assisted some, but these mechanisms appear to serve as marketing tools, rather than inviting honest feedback and true transparency. We call for a richer form of dialogue between our associations.”
So we will see in June if this change for My NCBI login is a big deal, or if I am worried about nothing. I hope it is not a big deal. I hope it goes over well with minimal problems. But it still doesn’t change the need for better communication, transparency, understanding, and collaboration between NLM and its core users and supporters.
Thank you for helping to make the Login.gov better.
Just wanted to point out that we made the “account name” for Login.gov better on https://catalog.nlm.nih.gov/. It will now be the email you use for all users, at least until the NLM Reading Room can again let people on site.
Also, I don’t speak for NLM in any official capacity; I just work on the tech of federated login and this blog post was heard loud and clear by me.
Thanks for this article. Wow, our hospital locked out all Google and Social Media access. We are not able to get back into Docline. We are scrambling trying to figure out what to do.
I would love to hear what others have done to continue to use Docline. I have the old ALA ILL form to email to libraries. I am waiting it out to see how our hospital responds.
Waiting without Docline….
Password retirement is now reaching our library’s patrons, and I very much appreciate that you recorded these thoughts. In Canada, our Health Authorities are very very restrictive. We can’t even access most personal webmail over our networks.
We will make the best recommendations we can to support our users, but I am so surprised that a health and library organization has rolled out this change with no acknowledgement of the issues involved for access, and also personal / professional privacy.
Since this is coming up next week now (starts June 1st!) I wanted to add some info about Login.gov:
It is free, and anyone can use it.
More info here: https://login.gov/create-an-account/
They have a side note: “Depending on the security needs of the agency, you may need to prove your identity using a social security number, address, and/or U.S. based state-issued identification.”
But for an NCBI account, you just need the basic stuff: an email address, a password or phrase, and an authentication method.
I support your views entirely, Michelle. How about if those who appose the NCBI’s new changes
would write a letter, sign it and post it on the NCBI’s social media site?
Thank you for the blog, Michelle. Google services are restricted in our hospital. We are from the Netherlands, I’m not sure if we can use login.gov because it is for US goverment agencies. I wonder if NLM en NCBI take worldwide users in account to all the recent changes. We use the MyNCBI for filters and easy 24 hour access to our subscriptions.
Thanks, Michelle, for the detailed hospital & AAHSL perspective. Beyond the grant application concern, it seems totally lost on NCBI that a global universally & available platform to save search strategies and sharable citation collections is like data version of Voice of America, a functional beacon of non-fake scientific information that should be shared and appreciated, even in places where gmail cannot be used. The energy and manpower needed to maintain a universal login is great investment in American bioscience education leadership.