www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Direct Exchange from Provider to Patient/Consumer ….and Back! David C. Kibbe, MD MBA President and CEO, DirectTrust Senior Advisor, American Academy of Family Physicians August 23, 2013


Mission and Goals: DirectTrust


DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit trade alliance dedicated to the support of Direct exchange of health information, and to the growth of Direct exchange at national scale, through the establishment of policies, interoperability requirements, and business practice requirements that will enhance public confidence in privacy, security, and trust in identity. The latter, taken together, create a Security and Trust Framework for the purpose of bridging multiple communities of trust.

DirectTrust is the recipient of an ONC Cooperative Agreement award in the amount of $280,205 as part of the Exemplar HIE Governance Program. Within this Program, DirectTrust is charged by ONC with further development of the Direct Trusted Agent Accreditation Program, and the build out of a national trust anchor bundle distribution service for Direct exchange.


Questions/issues to address today


• What is the DirectTrust approach to establish and scale trust between parties in Direct exchanges, and how does this support BlueButton+?

• The BlueButton+ use case as “outbound-only” Direct email from provider to patient/consumer.

• What are the limitations or gaps in this use case?

• What are the opportunities for bi-directional BlueButton2+?


DirectTrust members have established a standards-based approach to trusted Direct exchange over the Internet


The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.

Security & Trust Framework

EHNAC-DirectTrust Accreditation Program

Trust Anchor Bundle Distribution


Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange

• Registration Authority (RA): Compile/Validate Identity and Trust Documentation. Identity vetting at a specific Level of Assurance, LoA.

• Certificate Authority (CA): Certificate Validation Service; X.509 Certificate Issuance Service; Revocation Services; Certificate Signing Services. Credential issued on the basis of RA’s identity vetting at specific LoA. The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP).

• Health Information Service Provider (HISP): Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard. The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA.

Healthcare Organization (HCO) and HCO Direct Addressees: The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.


DirectTrust Anchor Bundle for “scaling” of trust relationships

[Diagram: the Trust Community Anchor Distribution Site distributes the Trust Bundle (PKCS7) over HTTP(S) to the Trust Stores of HISP A, HISP B, HISP C, and HISP D.]

As of August, 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network.


This technology and trust framework supports Direct exchange between providers engaged in Stage 2 Meaningful Use programs

[Diagram labels: ARC OF LIABILITY; EHR to EHR; encryption; identity validation]

• [email protected] (has been identity vetted, has X.509 digital certificate bound to address.)

• [email protected] (has been identity vetted, has X.509 digital certificate bound to address.)


All of this technology and trust framework also supports BlueButton+ but as “outbound-only” from EHR to patient’s receiving system (edge client)

[Diagram labels: ARC OF LIABILITY; EHR to “PHR”; encryption; identity validation; * MyPHR.com]

• [email protected] (has been identity vetted, has X.509 digital certificate bound to verifiable address.)

• [email protected] (has NOT been identity vetted, has X.509 digital certificate bound to non-verifiable address.)


Gaps in BB+ Direct exchange

1. Direct address supplied by patient-HISP and used by patient/consumer is not necessarily a verifiable end point, if certificate bound to address was issued at NIST Level of Assurance 1 (control of email address, but no proof of identity, e.g. presentation of Driver’s license, is required to obtain certificate).

2. Trust is not only about identity. No verifiable assertion by patient-HISPs of privacy and security controls being in place for “trust” anchors placed into the BB+ anchor bundle creates a potential risk for inbound messages from those sources.

3. Most provider HISPs, therefore, restrict BB+ to “outbound-only” Direct exchange to patient HISPs and to patients/consumers who are addressed by those patient HISPs.


Opportunities for bi-directional Direct exchange between providers and patients

• Several patient/consumer oriented vendors in DirectTrust are:
  – asserting HIPAA compliance although not CEs
  – offering identity verification at LoA 2 or 3 prior to issuance of Direct address certificates for patients/consumers
  – seeking a pathway towards EHNAC-DirectTrust accreditation as HISPs, CAs, and/or RAs

• New product offerings are “next generation” PHRs or “medical information homes” that feature Direct exchange

• Bi-directional Direct exchange expected to gain momentum during 2014


Contact Information

David C. Kibbe MD, President and CEO
[email protected]@mac.com
913.205.7968
