David Kibbe of DirectTrust.org at 2012 eCollaboration Forum


Published in: Technology

  1. DirectTrust.org
     Building the Trust Framework for Directed Exchange
     David C. Kibbe, MD MBA
     NeHC University, February 8, 2012
     kibbedavid@mac.com
  2. Today’s talk
      • About DirectTrust.org
      • Our mission and goals
      • Brief overview of Directed exchange
          • Why e-mail? Why ‘push’?
      • The importance of security and trust
      • Components of the Trust Framework
          • It’s all about identity!
  3. About DirectTrust.org
      • DirectTrust.org is being organized as an independent, non-profit, and competitively neutral entity created by and for Direct community participants.
      • Our goal is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain trust within the Direct exchange community, and to foster widespread public confidence in the Direct exchange of health information.
  4. About DirectTrust.org
      • Our web presence: www.directtrust.wikispaces.com
      • ~80 members of the wiki, representing HISPs, HIEs, EHR technology vendors, Certificate Authorities, Identity Providers, state officials, patient advocacy organizations, providers, consultants, others.
      • Please join if you wish to contribute to the effort!
  5. About DirectTrust.org
      • Two active workgroups: Security and Trust Compliance; Certificate Policy and Practices
      • Organizational Committee Members
          • AAFP, Arcadia Solutions, Cerner, DigiCert, Gorge Health Connect, Relay Health, Rhode Island Quality Institute, SAFE-BioPharma, Surescripts
  6. The Direct Project
     Created a set of protocols, specifications, and standards that, with a policy and trust framework, enable simple, secure transport over the Internet, to be used for exchange between known participants in support of meaningful use.
  7. Meaningful Use, Quality Care
     Direct Project facilitates the communication of many different kinds of content necessary to fulfill meaningful use requirements.
     Examples of Meaningful Use
      • Other Providers/Authorized Entities:
          • Clinical information for care coordination
          • Labs – test results
          • Referrals – summary of care record
      • Patients:
          • Health information
          • Discharge instructions
          • Clinical summaries
          • Reminders
      • Public Health:
          • Immunization registries
          • Syndromic surveillance
          • Laboratory Reporting
     [Diagram: DIRECT EXCHANGE, with example Direct address b.wells@direct.aclinic.org]
     1) Get a Direct Address (e-mail-like) and a security certificate
     2) Send mail securely using most e-mail clients OR contract with a HIO or HISP that performs authentication, encryption and trust verification on your behalf
  8. Specific HISP duties:
      - provide subscribers with account and Direct addresses
      - provide web portal or EHR/PHR integration
      - arrange for identity verification - org and individual
      - arrange for digital certificate issuance, management
      - maintain integrity of trust and security framework
      - stay current with federal policies and regulations
  9. Security and Trust are Essential!
      • We trust our doctors and nurses with our health information.
      • We will need to be able to trust HISPs with our health information.
      • Without a high level of trust accompanied by the requisite levels of security and privacy protection, health data exchange of any type or technology will likely fail.
  10. Desirable HISP attributes:
      - strong, validated security practices
      - a track record in data exchange
      - working relationship with one or more RA/CA
      - able and willing to interoperably exchange with other HISPs
      - robust subscriber directory
  11. Why Digital Certificates are So Important to Directed Exchange
      • Digital certificates “stand in” for the individual/organizational identity in cyberspace
      • They are issued by an RA/CA only after identity verification proves you are who you say you are
      • They are used to sign, validate, and encrypt Direct exchange messages and attachments
      • Any breach of trust with respect to certificate issuance or use threatens the integrity of exchange
  12. Direct Identity, Trust, and Address Provisioning
      [Diagram. Source: DirectTrust.org, February 2012]
      The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).
      Components shown:
      • Healthcare Organization (HCO) and HCO Representative (diagram note: “Assume has Digital Identity Certificate”)
      • Health Information Service Provider (HISP)
      • Registration Authority (RA): Compile/Validate Identity and Trust Documentation
          • Representative FBCA Credentials
          • Representative Authorization
          • Legal Entity Documents
          • Membership/Trust Agreement
          • HIPAA status
      • Certificate Authority (CA): Identity/Trust Verification, Certificate Validation Service, Certificate Signing Services, Revocation Services
      • Domain Name System (DNS)
      • LDAP
      Numbered steps in the diagram:
      1. Enroll with HISP
      2. Request Direct Organization Certificate
      3. Credentials and Documentation
      4. Direct Organization Domain
      5. Public Key
      6. Certificate Signing Request
      7. Direct Organization Certificate
      8. Direct Organization Certificate
      9. Direct Address/Org Certificate
  13. Issues Remaining to be Resolved with Respect to the Direct Exchange Trust Framework
      • Who will be acceptable (i.e., trustworthy) as Certificate Authorities?
      • What level(s) of identity verification is required for groups; professionals; patients?
      • What will be decided at a federal policy level, and what at an industry level?
  14. Questions, Comments
      • David C. Kibbe, MD MBA
      • kibbedavid@mac.com
      • 913 205 7968