DirectTrust.org is an independent non-profit organization created by and for participants in Direct exchange to develop and promote rules and best practices to maintain trust. Its goal is to foster widespread confidence in Direct exchange of health information. The organization has over 80 members from healthcare and technology organizations. It has working groups focused on security, compliance, and certificate policy. Direct exchange allows secure transmission of health information like test results, referrals, and clinical summaries to support meaningful use. Security, privacy, and trust are essential for health information exchange to succeed. Digital certificates are important for verifying identity and encrypting messages in Direct exchange. Issues around who can be certificate authorities and what identity verification is required still need resolution.
DirectTrust.org: Building the Trust Framework for Directed Exchange
1. DirectTrust.org
Building the Trust Framework for Directed
Exchange
David C. Kibbe, MD MBA
NeHC University, February 8, 2012
kibbedavid@mac.com
2. Today’s talk
• About DirectTrust.org
• Our mission and goals
• Brief overview of Directed exchange
• Why e-mail? Why ‘push’?
• The importance of security and trust
• Components of the Trust Framework
• It’s all about identity!
3. About DirectTrust.org
• DirectTrust.org is being organized as an
independent, non-profit, and
competitively neutral entity created by
and for Direct community participants.
• Our goal is to develop, promote and, as
necessary, help enforce the rules and
best practices necessary to maintain
trust within the Direct exchange
community, and to foster widespread
public confidence in the Direct
exchange of health information.
4. About DirectTrust.org
• Our web presence:
www.directtrust.wikispaces.com
• ~80 members of the wiki, representing
HISPs, HIEs, EHR technology vendors,
Certificate Authorities, Identity Providers,
state officials, patient advocacy
organizations, providers, consultants,
others.
• Please join if you wish to contribute to the
effort!
5. About DirectTrust.org
• Two active workgroups: Security and Trust
Compliance; Certificate Policy and
Practices
• Organizational Committee Members
• AAFP, Arcadia Solutions, Cerner, DigiCert,
Gorge Health Connect, Relay Health,
Rhode Island Quality Institute, SAFE-BioPharma,
Surescripts
6. The Direct Project
Created a set of protocols,
specifications, and standards, that,
with a policy and trust framework,
enables simple, secure transport
over the Internet, to be used for
exchange between known
participants in support of
meaningful use.
7. Meaningful Use, Quality Care
Direct Project facilitates the communication of many different kinds of content
necessary to fulfill meaningful use requirements.
Examples of Meaningful Use
Other Providers/Authorized Entities:
- Clinical information for care coordination
- Labs – test results
- Referrals – summary of care record
Patients:
- Health information
- Discharge instructions
- Clinical summaries
- Reminders
Public Health:
- Immunization registries
- Syndromic surveillance
- Laboratory Reporting
DIRECT EXCHANGE (example address: b.wells@direct.aclinic.org)
1) Get a Direct Address (e-mail-like) and a security certificate
2) Send mail securely using most e-mail clients OR contract with a HIO or HISP
that performs authentication, encryption and trust verification on your behalf
8. Specific HISP duties:
- provide subscribers with account and Direct addresses
- provide web portal or EHR/PHR integration
- arrange for identity verification - org and individual
- arrange for digital certificate issuance, management
- maintain integrity of trust and security framework
- stay current with federal policies and regulations
9. Security and Trust
are Essential!
• We trust our doctors and nurses with our
health information.
• We will need to be able to trust HISPs
with our health information.
• Without a high level of trust accompanied
by the requisite levels of security and
privacy protection, health data exchange of
any type or technology will likely fail.
10. Desirable HISP attributes:
- strong, validated security practices
- a track record in data exchange
- working relationship with one or more RA/CA
- able and willing to interoperably exchange with other
HISPs
- robust subscriber directory
11. Why Digital Certificates are So
Important to Directed Exchange
• Digital certificates “stand in” for the
individual/organizational identity in cyberspace
• They are issued by an RA/CA only after identity
verification proves you are who you say you are
• They are used to sign, validate, and encrypt Direct
exchange messages and attachments
• Any breach of trust with respect to certificate
issuance or use threatens the integrity of exchange
12. Direct Identity, Trust, and Address Provisioning
[Figure: provisioning flow among the Healthcare Organization (HCO) and its representative, the Health Information Service Provider (HISP), the Registration Authority (RA), the Certificate Authority (CA), and the Domain Name System (DNS)/LDAP, running from "1. Enroll with HISP" to "9. Direct Address/Org Certificate".]
The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).
Source: DirectTrust.org February, 2012
13. Issues Remaining to be Resolved with
Respect to the Direct Exchange Trust
Framework
• Who will be acceptable (i.e., trustworthy) as
Certificate Authorities?
• What level(s) of identity verification is
required for groups; professionals;
patients?
• What will be decided at a federal policy
level, and what at an industry level?