DirectTrust.org is an independent non-profit organization created by and for participants in Direct exchange to develop and promote rules and best practices to maintain trust. Its goal is to foster widespread confidence in Direct exchange of health information. The organization has over 80 members from healthcare and technology organizations. It has working groups focused on security, compliance, and certificate policy. Direct exchange allows secure transmission of health information like test results, referrals, and clinical summaries to support meaningful use. Security, privacy, and trust are essential for health information exchange to succeed. Digital certificates are important for verifying identity and encrypting messages in Direct exchange. Issues around who can be certificate authorities and what identity verification is required still need resolution.

1. DirectTrust.org
Building the Trust Framework for Directed
Exchange
David C. Kibbe, MD MBA
NeHC University, February 8, 2012
kibbedavid@mac.com

2. Today’s talk
• About DirectTrust.org
• Our mission and goals
• Brief overview of Directed exchange
• Why e-mail? Why ‘push’ ?
• The importance of security and trust
• Components of the Trust Framework
• It’s all about identity!

3. About DirectTrust.org
• DirectTrust.org is being organized as an
independent, non-profit, and
competitively neutral entity created by
and for Direct community participants.
• Our goal is to develop, promote and, as
necessary, help enforce the rules and
best practices necessary to maintain
trust within the Direct exchange
community, and to foster widespread
public confidence in the Direct
exchange of health information.

4. • Our web presence:
About DirectTrust.org
www.directtrust.wikispaces.com
• ~80 members of the wiki, representing
HISPs, HIEs, EHR technology vendors,
Certificate Authorities, Identity Providers,
state officials, patient advocacy
organizations, providers, consultants,
others.
• Please join if you wish to contribute to the
effort!

5. About DirectTrust.org
• Two active workgroups: Security and Trust
Compliance; Certificate Policy and
Practices
• Organizational Committee Members
• AAFP, Arcadia Solutions, Cerner, DigiCert,
Gorge Health Connect, Relay Health,
Rhode Island Quality Institute, SAFE-
BioPharma, Surescripts

6. The Direct Project
 Created a set of protocols,
specifications, and standards, that,
with a policy and trust framework,
enables simple, secure transport
over the Internet, to be used for
exchange between known
participants in support of
meaningful use.

7. Meaningful Use, Quality Care
Direct Project facilitates the communication of many different kinds of content
necessary to fulfill meaningful use requirements.
Examples of Meaningful Use
 Other Providers/Authorized Entities:
 Clinical information for care coordination
 Labs – test results
DIRECT  Referrals – summary of care record
EXCH ANGE
 Patients:
 Health information
 Discharge instructions
 Clinical summaries
b.wells@direct.aclinic.org  Reminders
1 Get a Direct Address ( e-mail-like) and a
)
security certificate  Public Health:
2) Send mail securely using most e-mail  Immunization registries
clients OR contract with a HIO or HISP  Syndromic surveillance
that performs authentication, encryption
and trust verification on your behalf  Laboratory Reporting

8. Specific HISP duties:
- provide subscribers with account and Direct addresses
- provide web portal or EHR/PHR integration
- arrange for identity verification - org and individual
- arrange for digital certificate issuance, management
- maintain integrity of trust and security framework
- stay current with federal policies and regulations

9. Security and Trust
are Essential!
• We trust our doctors and nurses with our
health information.
• We will need to be able to trust HISPs
with our health information.
• Without a high level of trust accompanied
by the requisite levels of security and
privacy protection, health data exchange of
any type or technology will likely fail.

10. Desirable HISP attributes:
- strong, validated security practices
- a track record in data exchange
- working relationship with one or more RA/CA
- able and willing to interoperably exchange with other
HISPs
- robust subscriber directory

11. Why Digital Certificates are So
Important to Directed Exchange
• Digital certificates “stand in” for the
individual/organizational identity in cyberspace
• They are issued by an RA/CA only after identity
verification proves you are who you say you are
• They are used to sign, validate, and encrypt Direct
exchange messages and attachments
• Any breach of trust with respect to certificate
issuance or use threatens the integrity of exchange

12. Direct Identity, Trust, and Address Provisioning
Certificate Authority (CA)
Identity/Trust Certificate
Verification Validation Service
Certificate Signing Revocation
Services Services
The CA and RA enforce the
6. Certificate Signing 7. Direct Organization policies specified in the
Request Certificate
DirectTrust.org and FBCA
2. Request Direct Certificate Policies (CPs).
Organization
Assume has
Digital Identity
Certificate
Registration Authority (RA)
Certificate
3. Credentials and
Documentation Compile/Validate Identity and Trust
HCO Documentation
 Representative
Representative FBCA Credentials
 Representative
Healthcare Authorization
Organization (HCO)  Legal Entity
Documents
4. Direct
5. Public 8. Direct Organization
Organization
 Membership/Trust Domain Key Certificate
Agreement
 HIPAA status
Domain Name System
(DNS)
1. Enroll with HISP 9. Direct Address/
Health Information Service Org Certificate
Provider (HISP) LDAP Name System
Source: DirectTrust.org February, 2012

13. Issues Remaining to be Resolved with
Respect to the Direct Exchange Trust
Framework
• Who will be acceptable (ie. trustworthy) as
Certificate Authorities?
• What level(s) of identity verification is
required for groups; professionals;
patients?
• What will be decided at a federal policy
level, and what at an industry level?

14. Questions, Comments
• David C. Kibbe, MD MBA
• kibbedavid@mac.com
• 913 205 7968