David Kibbe of DirectTrust.org at 2012 eCollaboration Forum
DirectTrust.org
Building the Trust Framework for Directed Exchange
David C. Kibbe, MD MBA
NeHC University, February 8, 2012

Today's talk
• About DirectTrust.org
• Our mission and goals
• Brief overview of Directed exchange
• Why e-mail? Why 'push'?
• The importance of security and trust
• Components of the Trust Framework
• It's all about identity!
About DirectTrust.org
• DirectTrust.org is being organized as an independent, non-profit, and competitively neutral entity created by and for Direct community participants.
• Our goal is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain trust within the Direct exchange community, and to foster widespread public confidence in the Direct exchange of health information.

About DirectTrust.org
• Our web presence: www.directtrust.wikispaces.com
• ~80 members of the wiki, representing HISPs, HIEs, EHR technology vendors, Certificate Authorities, Identity Providers, state officials, patient advocacy organizations, providers, consultants, and others.
• Please join if you wish to contribute to the effort!

About DirectTrust.org
• Two active workgroups: Security and Trust Compliance; Certificate Policy and Practices
• Organizational Committee Members: AAFP, Arcadia Solutions, Cerner, DigiCert, Gorge Health Connect, Relay Health, Rhode Island Quality Institute, SAFE-BioPharma, Surescripts
The Direct Project
Created a set of protocols, specifications, and standards that, together with a policy and trust framework, enable simple, secure transport over the Internet for exchange between known participants in support of meaningful use.

Meaningful Use, Quality Care
Direct Project facilitates the communication of many different kinds of content necessary to fulfill meaningful use requirements.
Examples of Meaningful Use content carried by Direct exchange:
• Other Providers/Authorized Entities: clinical information for care coordination; referrals (summary of care record); labs (test results)
• Patients: health information; discharge instructions; clinical summaries; reminders
• Public Health: immunization registries; syndromic surveillance; laboratory reporting
How to participate:
1) Get a Direct Address (e-mail-like) and a security certificate
2) Send mail securely using most e-mail clients, OR contract with a HIO or HISP that performs authentication, encryption and trust verification on your behalf

Specific HISP duties:
- provide subscribers with accounts and Direct addresses
- provide web portal or EHR/PHR integration
- arrange for identity verification (organization and individual)
- arrange for digital certificate issuance and management
- maintain the integrity of the trust and security framework
- stay current with federal policies and regulations
Security and Trust are Essential!
• We trust our doctors and nurses with our health information.
• We will need to be able to trust HISPs with our health information.
• Without a high level of trust accompanied by the requisite levels of security and privacy protection, health data exchange of any type or technology will likely fail.

Desirable HISP attributes:
- strong, validated security practices
- a track record in data exchange
- working relationship with one or more RA/CA
- able and willing to interoperably exchange with other HISPs
- robust subscriber directory

Why Digital Certificates are So Important to Directed Exchange
• Digital certificates "stand in" for the individual/organizational identity in cyberspace
• They are issued by an RA/CA only after identity verification proves you are who you say you are
• They are used to sign, validate, and encrypt Direct exchange messages and attachments
• Any breach of trust with respect to certificate issuance or use threatens the integrity of exchange
Direct Identity, Trust, and Address Provisioning (diagram)
Parties: Healthcare Organization (HCO) and its representative (a legal entity, assumed to already have a digital identity); Health Information Service Provider (HISP); Registration Authority (RA); Certificate Authority (CA), offering certificate signing, identity/trust validation, and certificate revocation services; Domain Name System (DNS) and LDAP.
Steps shown:
1. HCO enrolls with the HISP (membership/trust agreement; HIPAA status)
2. HISP requests a Direct Organization Certificate
3. HCO representative supplies credentials and documentation (FBCA credentials, representative authorization, legal entity documents); the RA compiles and validates the identity and trust documentation
4. Direct Organization Domain
5. Public key
6. Certificate Signing Request to the CA
7. CA issues the Direct Organization Certificate
8. Direct Organization Certificate delivered to the HISP
9. Direct Address / Org Certificate published (DNS, LDAP)
The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).
Source: DirectTrust.org, February 2012
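The two slides above describe certificates that sign and encrypt Direct messages and a CA/RA that vouches for the organization behind each Direct address. The script below is an added example, not code from the DirectTrust.org slides or from the Direct Project, that builds the smallest working version of that trust framework with the openssl command-line tool (Direct messages are S/MIME, so openssl's smime subcommand is the right tool to exercise them). It creates an accredited CA and a rogue CA, issues certificates for a sender and a recipient from the accredited CA and a second certificate for the sender's Direct address from the rogue CA, then sends a signed-and-encrypted message from each sender. The receiving side decrypts and checks that the signer chains to the trust bundle; the impostor's message is rejected even though the Direct address and the cryptography are identical. CA names, Direct addresses, the message text and the file names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the DirectTrust.org slides): a toy Direct trust
# framework built with the openssl command-line tool.  The CA names, Direct
# addresses and message text are constructed for illustration.
set -eu

WORK=$(mktemp -d)
MSG="$WORK/referral.txt"
printf 'Summary of care record for referral 0001 (constructed sample)\n' > "$MSG"

# make_ca <prefix> <common-name>
# Self-signed CA certificate: the trust anchor a HISP puts in its trust
# bundle.  Called once for the accredited CA and once for a rogue CA.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert <ca-prefix> <prefix> <direct-address>
# End-entity S/MIME certificate issued by a CA (steps 2-8 of the provisioning
# diagram collapsed into one call; the RA identity checks are assumed done).
# The Direct address is carried in subjectAltName and the extensions limit
# the certificate to e-mail signing and encryption.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:%s\n' "$3" \
        > "$WORK/$2.ext"
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# sign_and_encrypt <sender-prefix> <recipient-prefix> <plaintext> <out-file>
# What the sending HISP does on a subscriber's behalf: sign with the
# sender's certificate, then encrypt the signed message to the recipient's.
sign_and_encrypt() {
    openssl smime -sign -in "$3" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/$1.signed" 2>/dev/null
    openssl smime -encrypt -aes256 -in "$WORK/$1.signed" -out "$4" \
        "$WORK/$2.crt" 2>/dev/null
}

# decrypt_and_verify <recipient-prefix> <encrypted-file> <trust-bundle> <out-file>
# What the receiving HISP does: decrypt with the recipient's key, then
# verify that the signer's certificate chains to a CA in the trust bundle.
# Returns 0 only if both steps succeed; the verified content lands in <out-file>.
decrypt_and_verify() {
    openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/$1.decrypted" 2>/dev/null || return 1
    openssl smime -verify -in "$WORK/$1.decrypted" -CAfile "$3" \
        -out "$4" >/dev/null 2>&1
}

# --- Demo -----------------------------------------------------------------
make_ca trusted_ca "Example Accredited Direct CA"   # in every HISP's trust bundle
make_ca rogue_ca   "Rogue CA"                        # in nobody's trust bundle

issue_cert trusted_ca sender    "dr.smith@direct.clinic-a.example"
issue_cert trusted_ca recipient "referrals@direct.hospital-b.example"
# Same Direct address as the genuine sender, but vouched for by the rogue CA:
# the "breach of trust with respect to certificate issuance" the slide warns about.
issue_cert rogue_ca   impostor  "dr.smith@direct.clinic-a.example"

sign_and_encrypt sender   recipient "$MSG" "$WORK/genuine.eml"
sign_and_encrypt impostor recipient "$MSG" "$WORK/impostor.eml"

for f in genuine impostor; do
    if decrypt_and_verify recipient "$WORK/$f.eml" "$WORK/trusted_ca.crt" "$WORK/$f.out"; then
        echo "$f: signer trusted, content delivered"
    else
        echo "$f: rejected, signer does not chain to the trust bundle"
    fi
done
```

The decisive input is the third argument of decrypt_and_verify, the trust bundle: hand it rogue_ca.crt instead of trusted_ca.crt and the impostor's message verifies cleanly. Nothing in the message itself distinguishes the two senders, which is why the slides put the weight on who is accepted as a CA and on the identity proofing performed before issuance rather than on the cryptography.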
Issues Remaining to be Resolved with Respect to the Direct Exchange Trust Framework
• Who will be acceptable (i.e. trustworthy) as Certificate Authorities?
• What level(s) of identity verification is required for groups; professionals; patients?
• What will be decided at a federal policy level, and what at an industry level?

Questions, Comments
• David C. Kibbe, MD MBA
• 913 205 7968