Direct 2.0 Boot Camp: Deep Dive Into the Direct Trusted Agent Accreditation Program
Presentation Transcript

  • www.DirectTrust.org, 1101 Connecticut Ave NW, Washington, DC 20036. A Deep Dive into the Direct Trusted Agent Accreditation Program (DTAAP). David C. Kibbe, MD, MBA, President and CEO, DirectTrust; Lee Barrett, Executive Director, EHNAC. August 13, 2013, Direct Boot Camp 2.0.
  • Mission and Goals: DirectTrust
    DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit trade alliance dedicated to the support of Direct exchange of health information, and to the growth of Direct exchange at national scale, through the establishment of policies, interoperability requirements, and business practice requirements that will enhance public confidence in privacy, security, and trust in identity. The latter, taken together, create a Security and Trust Framework for the purpose of bridging multiple communities of trust. DirectTrust is the recipient of an ONC Cooperative Agreement award in the amount of $280,205 as part of the Exemplar HIE Governance Program. Within this Program, DirectTrust is charged by ONC with further development of the Direct Trusted Agent Accreditation Program, and the build out of a national trust anchor bundle distribution service for Direct exchange.
  • DirectTrust Priority Goals Under the EHIEGE Program
    • Increase interoperability, decrease cost and complexity, and facilitate trust among participants using Direct for health information exchange of personal health information for health care improvements.
    • Advance industry engagement in the Electronic Healthcare Network Accreditation Commission (EHNAC)-DirectTrust program for voluntary accreditation of HISPs, CAs, and RAs, who act as trusted agents on behalf of Direct exchange participants (DTAAP).
    • Design, build out, and operate at scale a Trust Anchor Bundle Distribution Service (TABs) that transparently identifies attributes of anchor certificates from accredited HISPs and distributes these anchors to the public, thereby permitting trust relationships to grow at “scale” and removing the need for costly, time-consuming, one-off contract negotiations between HISPs or their users/subscribers.
  • Mission and Goals: EHNAC
    Founded in 1993, the Electronic Healthcare Network Accreditation Commission (EHNAC) is a federally-recognized standards development organization and tax-exempt 501(c)(6) non-profit accrediting body designed to improve transactional quality, operational efficiency, and data security in healthcare. DirectTrust and EHNAC have formed a partnership to accredit trusted agents in Direct (HISPs, Certificate Authorities, and Registration Authorities) in order to facilitate security and trust at scale, helping to avoid the need for costly and complicated one-off contractual arrangements between relaying parties in Direct exchange.
  • Questions we will address today
    • Who needs to become accredited, and who is “accreditable”?
    • Why are there 3 accreditation tracks, one each for HISPs, CAs, and RAs?
    • Who is playing one or more of these roles for Direct exchange?
    • Is the entity supporting the Direct implementation the HISP, or the vendor, or both? And who needs accreditation?
    • How long does accreditation take?
    • How much does it cost?
    • What is the trust anchor bundle distribution service, and how does it work to facilitate scalable trust and a network effect?
    • How do I get my HISP’s trust anchor into the DirectTrust bundle?
    • When will the DirectTrust network reach critical mass?
  • Direct exchange will often involve HISP-to-HISP transactions with EHRs as edge clients. [Diagram: DrBob@direct.familypractice.com and DrSusan@direct.cardiology.com, each identity vetted with an X.509 digital certificate bound to the address; an EHR edge client at each end; encryption and identity validation between the HISPs.]
  • Separate roles and responsibilities for “trusted agents” to the exchanges determine separate accreditation tracks
    • Healthcare Organization (HCO), Direct addressees: relies on the HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.
    • Health Information Service Provider (HISP): basic services for the user, including DNS discovery; encryption; certificate signing and validation; sending/receiving MDNs; the HISP side of the edge protocol connection; compliance with the Direct standard. The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use an accredited RA and CA.
    • Certificate Authority (CA): X.509 certificate issuance service, certificate signing services, certificate validation service, and revocation services. The credential is issued on the basis of the RA’s identity vetting at a specific LoA.
    • Registration Authority (RA): compiles/validates identity and trust documentation; identity vetting at a specific Level of Assurance (LoA).
    • The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP).
  • HISP definition
    1. In order for there to be Direct services, there must be a Health Information Service Provider (HISP).
    2. A HISP is an entity that conducts the secure transmission of Direct messages to and from Direct Addresses, each of which is bound to a Direct X.509 digital certificate (i.e. provides “Direct Services”).
    3. A HISP may act in the capacity of a Business Associate or Contractor for the Customer, in which case the HISP may hold and manage PKI private keys associated with Direct digital certificates on behalf of the Customer’s users/addressees.
    4. A HISP may be a part of a larger organization that offers and performs services that are beyond the boundary of the HISP’s roles and responsibilities.
    5. A HISP does NOT use, manage, analyze, or otherwise perform actions upon the information transmitted and made secure.
  • How to know if you’re a HISP
    ✓ Do you operate your own data center?
    ✓ Do you carry out the STA functions on behalf of the Direct addressees?
    ✓ Do you store the private keys of the Direct addressees?
    ✗ Have you hired a third party to operate the basic HISP functionality?
    ✗ Do you use or act upon the messages or the contents of Direct exchanges in some way?
    Some examples, please. Panel will add to understanding.
  • DirectTrust offers Trust Anchor Bundles to help facilitate scalable trust
    The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, to voluntarily know of and follow the “rules of the road,” while also easily and inexpensively knowing who else is following them. [Diagram: Security & Trust Framework; EHNAC-DirectTrust Accreditation Program; Trust Anchor Bundle Distribution.]
  • Trust anchor bundles – How it works
    • HISP accreditation via EHNAC-DirectTrust: HISPs apply for accreditation and become candidates for DTAAP HISP; HISPs complete self-attestation and audit, and successfully complete accreditation.
    • The HISP obtains a trust anchor from an accredited CA in accordance with the DirectTrust Standard Operating Policies document.
    • The HISP submits its trust anchor to the DirectTrust Review Committee.
    • Upon successful review, the HISP’s trust anchor is included in the trust anchor bundle, available on the EV cert-protected website Bundles.DirectTrust.org.
    • HISPs may load the bundle of trust anchors and place the anchors in their HISP trust stores, readying themselves to trust incoming requests from subscribers of these accredited HISPs using end-entity certificates that match the anchors.
  • Packaging & Distribution. [Diagram: Trust Community → Anchor Distribution Site → Bundle (PKCS7), delivered over HTTP(S) into multiple HISP Trust Stores.]
  • DirectTrust Approach. [Diagram: “Avoid this” versus “With this!”]
  • Example of the DirectTrust Community. [Diagram: HISP A (Provider A), HISP B (Provider B), and HISP C (Provider C) connected through a Centralized Trust Anchor Bundle Store. Key: trust relationship based on accreditation.]
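The bundle mechanism the preceding slides describe (accredited HISPs' anchors collected into one bundle, each HISP loading that bundle into its trust store, inbound end-entity certificates checked against the anchors) worked through as an added example; this is not DirectTrust's, EHNAC's or any HISP vendor's code. Its assumptions: the anchors, HISP names and keys are constructed in-process rather than obtained from an accredited CA; the bundle is written as a PEM concatenation instead of the PKCS#7 container DirectTrust actually distributes, so that everything stays in Go's standard library; and only address-bound certificates (the Direct address as an rfc822Name SAN) are handled. Revocation checking, listed on an earlier slide as a CA service, is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a fresh P-256 key, signs tmpl with signer (self-signed when signer is nil) and returns cert and key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newAnchor is a self-signed CA standing in for a HISP trust anchor (constructed here; a real one comes from an accredited CA).
func newAnchor(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}, nil, nil)
}

// addressCert is an end-entity certificate bound to a Direct address (rfc822Name SAN) under the given anchor.
// The private key is discarded here; in practice the HISP or the subscriber holds it.
func addressCert(addr string, anchor *x509.Certificate, anchorKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: addr}, EmailAddresses: []string{addr},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, anchor, anchorKey)
	return cert
}

// bundlePEM serialises the accredited anchors. DirectTrust ships the real bundle as PKCS#7;
// a PEM concatenation is used here to stay inside the standard library.
func bundlePEM(anchors []*x509.Certificate) []byte {
	var out []byte
	for _, a := range anchors {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: a.Raw})...)
	}
	return out
}

// loadTrustStore turns a downloaded bundle into the HISP trust store.
func loadTrustStore(bundle []byte) *x509.CertPool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		panic("bundle contains no parseable certificates")
	}
	return pool
}

// acceptSender accepts a sender certificate only if it chains to a bundled anchor AND is bound to the claimed address.
func acceptSender(leaf *x509.Certificate, addr string, store *x509.CertPool) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return fmt.Errorf("no path to a bundled anchor: %w", err)
	}
	for _, e := range leaf.EmailAddresses {
		if strings.EqualFold(e, addr) {
			return nil
		}
	}
	return fmt.Errorf("certificate is not bound to %s", addr)
}

// demo bundles two accredited anchors, leaves a third out, and reports which of three inbound senders a HISP accepts.
func demo() (accredited, wrongAddress, unlistedAnchor bool) {
	anchorA, keyA := newAnchor("HISP A anchor (constructed)")
	anchorB, _ := newAnchor("HISP B anchor (constructed)")
	anchorX, keyX := newAnchor("HISP X anchor, not accredited (constructed)")
	store := loadTrustStore(bundlePEM([]*x509.Certificate{anchorA, anchorB}))
	fromA := addressCert("DrBob@direct.familypractice.com", anchorA, keyA)
	fromX := addressCert("DrBob@direct.familypractice.com", anchorX, keyX)
	accredited = acceptSender(fromA, "DrBob@direct.familypractice.com", store) == nil
	wrongAddress = acceptSender(fromA, "DrSusan@direct.cardiology.com", store) == nil
	unlistedAnchor = acceptSender(fromX, "DrBob@direct.familypractice.com", store) == nil
	return
}

func main() { fmt.Println(demo()) } // prints: true false false
```

Running it with `go run` prints `true false false`: the certificate chaining to a bundled anchor is accepted, the same certificate is refused when the message claims a different address, and a certificate for the right address from an anchor outside the bundle is refused. That last case is the point of the bundle: a HISP never has to negotiate with HISP X, it simply does not trust X's anchor until it appears in the bundle. In a real deployment the bundle would be fetched over HTTPS from Bundles.DirectTrust.org and converted from PKCS#7 to PEM (for example with `openssl pkcs7 -print_certs`) before being handed to AppendCertsFromPEM, and the store would be refreshed on a schedule so that anchors removed from the bundle stop being trusted.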
  • DTAAP ACCREDITATION PROCESS
  • Criteria Development
    • Criteria Committee recommends new and modified criteria to the Commission
    • Commission approves, rejects, or sends back to the Criteria Committee
    • Criteria released for public comment, with press release
    • Comment period of at least 45 calendar days
    • Final modifications per comment period
    • Executive Committee recommends final revision to the Commission
  • Criteria: Programs and Sections
    • 3 Programs: DTAAP-HISP, DTAAP-CA, and DTAAP-RA
    • The first five criteria sections in each are identical (75 criteria):
      – I. Introduction to Candidate Environment
      – II. Privacy and Confidentiality
      – III. Technical Performance
      – IV. Resources
      – V. Security
    • Section VI is unique to each program: HISP (14 criteria), CA (64 criteria), or RA (56 criteria)
  • Other Notes
    • An organization may apply for accreditation for DTAAP-HISP, DTAAP-CA, DTAAP-RA, or any combination.
    • If no PHI is handled by the organization (such as with some CA and RA organizations), the PHI-related criteria should be addressed based on PII controls.
    • EHNAC provides detailed instructions. These must be read and followed.
  • ACCREDITATION PROCESS & TIMELINE
  • Accreditation Process
    • Pre-Application
    • Application
    • Self-Assessment
    • Site Review
    • Award
    • Re-Accreditation
  • EHNAC Accreditation Process
    • Pre-application: ensures qualification based on type of business
    • Application: collects additional information and annual fees
    • Self-Assessment: demonstrates evidence of compliance with criteria
    • Site Review: tests Self-Assessment claims via on-site review
    • Award: awards the level of accreditation achieved (Full, Provisional, Interim, Failed)
    Timeline: the candidate is approved and has 1 year to complete. Maximum 8 months to submit the self-assessment, allowing up to 4 months for site review(s), final report, and the approval process.
  • Scoring
    • Compliance with each criterion will be scored 0, .5, or 1
    • A minimum of 85% must be earned to achieve Full Accreditation.
    • Many criteria are designated “MANDATORY”. Each of these must be fully met, irrespective of the overall score, to achieve Full Accreditation.
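The two Full Accreditation rules on the scoring slide, the 85% threshold and the MANDATORY override, applied by a small self-assessment checker as an added example; this is not EHNAC's or DirectTrust's scoring tool. The criterion IDs, the 20-criterion sample and which items are flagged MANDATORY are constructed; how scores map to the Provisional and Interim levels is not stated on the page and is not modelled, so the checker only decides Full or not Full.

```go
package main

import "fmt"

// Criterion is one accreditation criterion with the score it earned (0, 0.5 or 1).
// IDs and MANDATORY flags used below are constructed placeholders, not EHNAC's criteria.
type Criterion struct {
	ID        string
	Mandatory bool
	Score     float64
}

// Result summarises a self-assessment against the Full Accreditation rules.
type Result struct {
	Percent        float64  // points earned as a percentage of one point per criterion
	UnmetMandatory []string // MANDATORY criteria scored below 1
	Full           bool     // Percent >= 85 and no unmet MANDATORY criteria
}

// Evaluate applies both rules; it rejects any score that is not 0, 0.5 or 1.
func Evaluate(cs []Criterion) (Result, error) {
	var r Result
	if len(cs) == 0 {
		return r, fmt.Errorf("no criteria to score")
	}
	var earned float64
	for _, c := range cs {
		switch c.Score {
		case 0, 0.5, 1:
		default:
			return r, fmt.Errorf("criterion %s: score %v is not 0, 0.5 or 1", c.ID, c.Score)
		}
		earned += c.Score
		if c.Mandatory && c.Score < 1 {
			r.UnmetMandatory = append(r.UnmetMandatory, c.ID)
		}
	}
	n := float64(len(cs))
	// Multiply before dividing so sums of half points stay exact at the 85% boundary.
	r.Percent = 100 * earned / n
	r.Full = 100*earned >= 85*n && len(r.UnmetMandatory) == 0
	return r, nil
}

// sampleAssessment builds n criteria all scored 1, the first `mandatory` of them flagged MANDATORY (constructed data).
func sampleAssessment(n, mandatory int) []Criterion {
	cs := make([]Criterion, n)
	for i := range cs {
		cs[i] = Criterion{ID: fmt.Sprintf("C%02d", i+1), Mandatory: i < mandatory, Score: 1}
	}
	return cs
}

func main() {
	cs := sampleAssessment(20, 3)
	cs[17].Score, cs[18].Score, cs[19].Score = 0, 0, 0 // 17/20 = 85%, all MANDATORY met: Full
	fmt.Println(Evaluate(cs))
	cs[18].Score, cs[19].Score, cs[0].Score = 1, 1, 0.5 // 18.5/20 = 92.5%, but C01 is MANDATORY and not fully met: not Full
	fmt.Println(Evaluate(cs))
}
```

The second case in main is the one worth keeping in mind when reading a self-assessment: a score well above 85% still fails Full Accreditation if a single MANDATORY criterion is only partially met, so the report lists the unmet MANDATORY IDs rather than just the percentage.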
  • Re-Accreditation
    • Must occur every two years in order to remain accredited.
    • EHNAC sends notice of pending expiration 12 months and 6 months prior to the expiration date.
    • Process is very similar to first-time accreditation but with much reduced resource effort.
  • PRICING
  • Contact Information
    • David Kibbe MD, President/CEO, DirectTrust.org, kibbedavid@mac.com, 913.205.7968
    • Lee Barrett, Executive Director, EHNAC, lbarrett@ehnac.org, 860.651.6574