Tuesday, I got an email regarding Important Changes to NCBI Accounts Coming in 2021. Basically, NCBI will be transitioning away from NCBI managing logins (My NCBI, SciENcv, and MyBibliography) require people to login to their My NCBI using federated account credential from eRA Commons, Google login, or a university or institutional point of access to login.
While I get that NCBI wants to be out of the password management game, I have some concerns regarding the impact this might have.
The eRA Commons is primarily used by people and institutions for grants. “The eRA Commons is online interface where grant applicants, grantees and federal staff at NIH and grantor agencies can access and share administrative information relating to research grants.” Looking at the institutions listed on their list of federated institutions (login drop down menu on left side), it is primarily all universities and colleges which makes sense since it is for NIH grantees. I counted only 3 hospitals, Cincinnati Children’s Hospital, Mayo Clinic, and Johns Hopkins. Now several large hospitals partner with universities and colleges to do research, so some people at other hospitals might have this type of login through their research with a listed university, but many may not.
Google is a complicated hot mess in hospitals these days. Quite frankly I am surprised that NCBI didn’t realize this. In November, hospitals around the United States blocked access to Google and many social network and file sharing sites. The FBI issued a warning to hospital and health care institutions of credible cyber security threats using Google and other file sharing sites. With Google blocked at a majority of hospitals in the United States, this has the potential to cause problems logging into My NCBI using a Google account. This is not an unfounded concern, some hospital librarians have reported on medlib-l of difficulties using Docline with their Google login.
I emailed NCBI support asking how we could set up our institution so our users could login with an institutional account. I asked if this requires the institution to have single sign-on or if it is possible for libraries with proxy servers to implement something.
This was the response.
“The institutional 3rd party login is set up with InCommon participants and uses the institution’s login system to log users into My NCBI. For example, if a university is a member of InCommon and the institution is listed in the My NCBI login, the user can choose their university from the dropdown and login with their university credentials once their university is linked with My NCBI. If your institution is not already a member of InCommon, please have your network administrator contact InCommon here: https://incommon.org/federation/federation-join/. Once an institution is a participant in InCommon, the network administrator should email firstname.lastname@example.org to be added to the list of 3rd party logins.”
InCommon is a fee based service to manage single sign-on, access to cloud and local services, and seamless global collaboration for students, faculty, staff, and researchers. The list of Federation entities is pretty long and still skews heavily to universities and colleges. So your institution must use InCommon to be able to login to MyNCBI via their institution. So hospitals who don’t allow single sign-on or don’t use InCommon for single sign-on will not be able to have their users sign on via their institution.
NCBI support said, “If your system is not able to participate in InCommon, there are other 3rd parties besides Google that will still work with My NCBI. These include eRA Commons for NIH grantees (already discussed above), ORCiD, or login.gov.
Since eRA Commons is for NIH grantees, it would seem ORCiD or login.gov are the best options for most users in hospitals who aren’t NIH grantees. I would guess that most hospital users don’t have ORCiD accounts. While ORCiD is intended as a single ID for researchers, there is no rule (that I know of) that requires you to be a researcher. So that may be an option. Login.gov “offers the public secure and provide online access to participating government programs” and that would be an additional option for hospitals.
It is disappointing that NCBI and NLM don’t seem to understand the access restrictions and issues in hospitals today. Recommending using Google as a login option clearly illustrates this. Most of the other options are also clearly more directed to grant researchers not the average hospital physician or librarian. I also understand NCBI’s desire to get out of the managing personal information (however, limited there is in My NCBI account). There is a definite desire in everyone to have better password management, balancing the desire for one login for everything like Google or single sign-on with the security risks versus managing multiple logins for multiple resources.
It seems that NCBI and NLM make changes to popular programs in vacuum or without consulting of the very people (especially “power users”) who use their products. I feel like the vast majority of hospitals will have to tell their users to use ORCiD or login.gov and will be unable to help their users have single sign-on via their institution.
This lack of understanding and lack of engagement was highlighted as an opportunity/challenge for NLM by the Medical Library Association/Association of Academic Health Sciences Libraries in their response to Request for Information (RFI): Strategic Opportunities and Challenges for the National Library of Medicine, National Institutes of Health. (Read the full text here, login required)
Regarding technological challenges the MLA/AAHSL committee stated:
“More support is needed for a national health information technological infrastructure that enhances interoperability, reduces risk, and maintains privacy and security of information. NLM should have a role in setting standards that prevent hospitals from creating systems that actively obstruct the free flow of health information, and support hospital librarians in their role in ensuring that their institutions meet these standards.
NLM must acknowledge and collaborate with technology companies so hospitals and health care professionals can better utilize the 21st century technologies that NLM and other technology companies are developing, and to ensure they are compliant with current and future federal and state regulations such as HIPAA. Many of the products, services, and initiatives from NLM and technology companies (e.g. data sharing and document sharing/storage) are blocked by institutions because they are considered a risk to healthcare security and HIPAA.”
Regarding the lack of engagement between NLM and users the MLA/AAHSL committee stated:
“Health Science Librarians as Key Stakeholders in the Future of the National Library of Medicine Health sciences librarians across the United States and globally continue to maintain a strong sense of connection to NLM through freely available, high quality resources such as PubMed and other NCBI databases. As “power users”, educators, and promoters of these resources to students, clinicians, and researchers, health sciences librarians have a vested interest in the design and content of these resources. As NLM grows in exciting new directions, health sciences librarians need to know that their voices and feedback are being heard and that we are being engaged in discussions regarding the redesign of current resources (such as PubMed) and the sunsetting of others (such as Genetics Home Reference). Current communication mechanisms, such as the NLM Director’s Musings from the Mezzanine blog, have assisted some, but these mechanisms appear to serve as marketing tools, rather than inviting honest feedback and true transparency. We call for a richer form of dialogue between our associations.”
So we will see in June if this change for My NCBI login is a big deal, or if I am worried about nothing. I hope it is not a big deal. I hope it goes over well with minimal problems. But it still doesn’t change the need for better communication, transparency, understanding, and collaboration between NLM and its core users and supporters.