Exchanging Medical Records Online with Direct

Transcription

1 Exchanging Medical Records Online with Direct Scott Rea, VP GOV/EDU Relations & Sr. PKI Architect, DigiCert, Inc (801)

2 Exchanging Medical Records Online Table of Contents Slide Title 3 The Direct Project 5 Direct The Technology 9 Direct Entities 13 Direct Implementation 17 Direct Trust Framework 24 Policies and Practices 29 DirectTrust Accreditation 33 Summary 37 Questions 38 Contacts

3 What is the Direct Project? A project to create the set of standards and services that, when coupled with a policy framework, enable simple, directed, routed, scalable transport of medical records and Private Health Information (PHI) over the Internet to be used for secure and meaningful exchange between known participants in support of Electronic Healthcare Records (EHR) meaningful use. Primary goal is that solutions must be scalable, relatively inexpensive, and increase security.

4 The Purpose of Direct Direct exchange is part of a long term national strategy to transition from paper-based to electronic health care records that can be shared more easily to reduce costs and improve the quality of patient care. The Office of the National Coordinator (ONC) within the department of Health and Human Services (HHS) is the lead author and publisher of the Direct standard Direct was also designed to support the goal of health information exchange between providers using electronic health records (EHRs) engaged in Meaningful Use, the Medicare and Medicaid programs that help providers to pay for and meaningfully use EHRs. The Center for Medicare and Medicaid Services (CMS) governs the Inventive Programs for the use of EHRs Direct is also intended as a general means of secure exchange (both directions) between providers and patients.

5 Direct Technology The Direct protocol enables SMIME messages with disposition notification within dedicated healthcare domains Sender and receiver must both have SMIME certificates of which there are 2 types: Direct Address cert is traditional SMIME RFC822name in subjectaltname Direct Organization cert is like SMIME wildcard DNSname (FQDN of mail domain) in SAN

6 Direct Technology Direct Address Direct Addresses are used to route information Look like addresses Used only for health information exchange Endpoint Domain Direct Address An individual may have multiple Direct addresses

7 Direct Technology Digital Certificates Each Direct Address must have at least one X.509v3 digital certificate associated with it Address-bound certificate certificate tied to a specific Direct Address Domain-bound certificate certificate tied to the Domain that is part of a Direct Address Digital certificates are used within Direct to express trust relationships and to secure Direct Messages

8 Direct Technology Security/Trust Agents Security/Trust Agents (STAs) are responsible for securing, routing, and processing Direct Messages STA may be a system under the direct control of an exchange participant STA may be a service offered by an intermediary (i.e., HISP) acting on behalf of an exchange participant STAs employ S/MIME and digital certificates to secure health information in transit 1. Sending STA encrypts Message using recipient s certificate 2. Sending STA signs Message using private key associated with sender s certificate 3. Receiving STA verifies signature of Message using sender s certificate 4. Receiving STA decrypts Message using private key associated with recipient s certificate

9 Direct Entities Certification Authorities and Registration Authorities Registration Authority (RA) Collects information for the purpose of verifying the identity of an individual or organization (i.e., identity proofing) Produces certificate requests based on gathered attributes Certificate Authority (CA) Digitally signs certificate requests Issues digital certificate that ties a public key to the gathered attributes

10 Direct Entities How do STAs relate to RAs and CAs? STAs can relate to RAs and CAs in a number of ways. An STA may Act as RA and CA. STA identity proofs during enrollment and issues certificates as appropriate. Act as RA only. STA identity proofs during enrollment, passing necessary information to an independent CA. CA provides certificate to STA upon issuance. Act as CA only. Independent RA identity proofs during enrollment, passing necessary information to STA, which issues certificates as appropriate. Act as neither CA nor RA. Independent RA identity proofs during enrollment, passing necessary information to independent CA, which provides certificate to STA upon issuance.

11 Direct Entities Health Information Service Provider Direct introduces the concept of a Health Information Service Provider (HISP) The purpose of the HISP is to primarily operate the STA functions on behalf Direct Users The role of a HISP is to alleviate the difficulties of implementing the nuts and bolts of PKI e.g. managing private keys and publishing address to certificate bindings; and those controls required by Direct in addition to standard SMIME e.g. Message Disposition Notices (MDN) Direct can however, be used without a HISP, if an individual wishes manage their own keys and provide the appropriate MDN responses

12 Direct Entities Health Information Service Provider Duties of a HISP: provide subscribers with account and Direct addresses provide web portal or EHR/PHR integration arrange for identity verification - org and individual [RA function] arrange for digital certificate issuance, management [CA function] maintain integrity of trust and security framework stay current with federal policies and regulations

13 Direct Implementation HISP as an Endpoint Sending HISP Security/Trust Agent Server Direct (SMTP / SMIME) Receiving HISP Security/Trust Agent Server SSL/TLS Webmail Webmail SSL/TLS Sender Recipient

14 Direct Implementation HISP as a Gateway Sending HISP Security/Trust Agent Server Direct (SMTP / SMIME) Receiving HISP Security/Trust Agent Server SSL/TLS Endpoint Communication (XDR, SMTP, et al) Endpoint Communication (XDR, SMTP, et al) SSL/TLS Sending System Sender Recipient Receiving System

15 Direct Implementation Direct-Enabled Endpoint Sending System Security/Trust Agent Server Direct (SMTP / SMIME) Receiving System Security/Trust Agent Server Sender Recipient

16 Direct Implementation Direct and EHRs As CMS promotes the adoption of EHRs for better management of PHI, there is one problematic aspect that is introduced: How can the industry avoid the failure of introducing siloed EHRs that have no way of exchanging data with each other A goal of ONC is to utilize Direct to provide a national messaging standard for healthcare Direct enables the interoperability of EHRs by providing that standard Ubiquitous implementation of the Direct protocol should obsolete the use of insecure messaging technologies e.g. Fax, and improve delivery times of others e.g. Mail

17 Direct Trust Framework Security Features The Direct Applicability Statement for Secure Health Transport is the bible for implementing Direct in a standardized way /Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf Traditional information security services involve 3 main aspects CIA: Confidentiality, Integrity, Authentication Standard Direct protocols are designed to only provide message integrity and confidentiality services.

18 Direct Trust Framework Trust governance is deliberately absent from the protocol in terms of who and only generally defined in terms of how However, there must be allowed separate trust polices for incoming vs outgoing messaging With rules governing the underlying PKI however (e.g. an appropriate CP) and a set of best practices for HISPs, it is also possible to achieve the 3 rd security service of authentication through an accreditation process

19 Direct Trust Framework Trust Governance One of the critical components of Direct that has had little definition until recently has been the Trust Governance aspect. When the Direct Project chose to focus on other technologic aspects, members of the Direct community participating in the Direct Project formed an industry consortium to address trust governance DirectTrust.org (DTO) is that consortia and is a membership based nonprofit self-regulatory entity. The goal of DTO is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, and to foster widespread public confidence in the Directed exchange of health information DTO has created a Direct Trust Agent Accreditation Program (DTAAP) which has now been endorsed by ONC through a cooperation grant for providing accreditation for Direct entities on a national basis DigiCert is a Board member and founding member of DTO

20 Direct Trust DTO DirectTrust Secures End-to-End Direct Protocol Secures HISP-to-HISP Sending HISP Security/Trust Agent Server Direct (SMTP / SMIME) Receiving HISP Security/Trust Agent Server SSL/TLS Webmail Webmail SSL/TLS Sender Recipient

21 Direct Identity, Trust, and Address Provisioning w/hisp Certificate Authority (CA) Identity/Trust Verification Certificate Validation Service Certificate Signing Services Revocation Services Assume has Digital Identity Certificate HCO Representative Healthcare Organization (HCO) 2. Request Direct Organization or Address Certificate 3. Credentials and Documentation Representative FBCA Credentials Representative Authorization Legal Entity Documents Membership/Trust Agreement HIPAA status 1. Enroll with HISP 6. Certificate Signing Request Registration Authority (RA) Compile/Validate Identity and Trust Documentation 4. Direct Organization Domain 5. CSR + Public Key 7. Direct Organization / Address Certificate 8. Direct Organization / Address Certificate Health Information Service Provider (HISP) 9. Direct Address/ Org Certificate The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs). Domain Name System (DNS) LDAP Name System Source: DirectTrust.org February, 2012

22 DirectTrust.org Accreditation DirectTrust.org Trust Framework: Normalized HISP Operational Policy (HOP) + Certification and Accreditation against it to ensure compliance for technical, policy, practices, and legal sets of rules. HISPs: Policy: Accredited HISP Operational Policy (HOP) Practices: HISP Practices Statement (HPS) Accreditation: Verify HPS maps to HOP, Direct messaging compliance, HIPAA privacy/security attestation, Accredited CA, audit HISP CAs: Policy: Accredited Certificate Policy (CP) Practices: Certification Practices Statement (CPS) Accreditation: Verify CPS maps to Direct CP, certificate & CRL profile compliance, Accredited RA process, audit RAs: Policy: Accredited Registration Policy (RP) or Certificate Policy Practices: Registration Practices Statement (RPS) Accreditation: Verify RPS maps to CPS or RP, audit

23 DirectTrust Trust Framework DTO publishes a CP that CAs and RAs can be accredited against. The CP allows for multiple Levels of Assurance (LoA) Accredited CAs are placed in a trust bundle (the Direct equivalent of a browser certificate trust store) when accredited Direct also allows the use of self signed or non publicly trusted issuing CAs as trust anchors Direct uses a flat trust model where each issuing CA or self signed cert is included in a trust bundle This means chain validation is not required, only checking that any cert ort its issuer is in an accepted trust bundle Which trust bundles to accept is an open question. ONC only endorses DTO at this point

24 CA Policy and Practices The Certificate Policy (CP) & Certification Practice Statement (CPS) is a formal statement that describes who may have certificates, how certificates are generated and what they may be used for. The CP defines the polices that must be adhered to The CPS describes the processes and practices that are used to implement the policies An audit determines: A) Does the CPS implement the CP B) Does the CA operate in accordance with its CPS

25 RA Policy and Practices The CP defines the polices that must be adhered to The Registration Practices Statement (RPS) describes the processes and practices that are used to implement the registration or identity vetting related policies An RPS is a sub-component extract of Registrationspecific activities from the CPS if the CA is also an RA or it is mapped to the CPS if the RA is an external party An audit determines: A) Does the RPS match the CPS B) Does the RA operate in accordance with its CPS

26 HISP Policy and Practices The HISP Operating Policy (HOP) defines the polices that must be adhered to The HISP Practices Statement HPS describes the processes and practices that are used to implement the policies An audit determines: A) Does the HPS implement the HOP B) Does the HISP operate in accordance with its HPS

27 HISP CA RA Relationship Health Information Service Provider (HISP) Direct Identity Services Direct Messaging Services HIPAA Privacy & Security Compliance Direct Directory Services DirectTrust HISP Operational Policy (HOP) HISP Practices Statement DirectTrust Audit CA Agreement SLA Audit Certificate Authority (CA) Identity/Trust Verification Certificate Signing Services Certificate Validation Service Revocation Services FBCA CP Certification Practices Statement DirectTrust CP PKI Audit RA Agreement SLA Audit PKI Audit Registration Practices Statement Registration Authority (RA) Compile/Validate Identity and Trust Documentation Source: DirectTrust.org June, 2012

28 Current DirectTrust Policies DirectTrust has 2 Certificate Policy documents that have been published V1.1 of the DT CP has only a single LoA requires FBCA Medium equivalent Identity vetting processes and CA operations that are a lightweight version of the same V1.2 of the DT CP has 4 LoAs defined matching NIST SP and only requires FBCA Basic equivalent CA operations V1.3 of the DT CP is being developed DirectTrust is currently working on a HISP Operating Policy Existing HISPs are evaluated against DTAAP requirements

29 DirectTrust A National Trust Infrastructure Full Accreditation

30 DirectTrust A National Trust Infrastructure Accreditation In Process

31 DirectTrust A National Trust Infrastructure HISP Name CA Operator RA Operator CP Compliance Cert Type(s) Cerner Cerner Cerner DT CP 1.1 Org Inpriva Inpriva Inpriva DT CP 1.1 Org & Addr Inpriva Inpriva DT CP 1.1 Org & Addr DigiCert Inpriva DT CP 1.1/1.2 Org & Addr DigiCert Inpriva DT CP 1.1/1.2 Org & Addr ICA ICA ICA DT CP 1.1 Org Surescripts Surescripts Surescripts DT CP 1.2 Org MaxMD MaxMD MaxMD DT CP 1.2 Org & Addr DataMotion DigiCert DigiCert DT CP 1.1/1.2 Org & Addr EMR Direct EMR Direct EMR Direct DT CP 1.2 Addr Infomedtrix Infomedtrix Infomedtrix DT CP 1.2 Org & Addr

32 DirectTrust A National Trust Infrastructure HISP CA Name CPS URI Cerner CernerDirect Professional Community CA Inpriva ICA Inpriva Direct CE CA Rhode Island Trust Community CA Inpriva ClickID CA RITC Inpriva ClickID CA ICAPROD ICA SUB1 CA CA Surescripts Surescripts Direct Issuing CA 0Abbreviated.pdf MaxMD MaxMD CA v2.5 DataMotion DigiCert Accredited Direct Med CA EMR Direct phicert Direct Subscriber CA Infomedtrix InfomedtrixCA CPS v1.2.pdf

33 Summary

34 Summary Direct = Secure for PHI data with 3 additional features: Addresses must be in dedicated healthcare domains Message Disposition Notifications (assurance receipts) HISP to ease PKI key management in certifiable secure infrastructures

35 Summary DirectTrust = Direct with end-to-end assurance by securing the last mile (STA to user) Accreditation of HISP, CA, RA (DTAAP) Trust Anchor distribution service National Trust Infrastructure Several HISP, CA, RA entities have already been accredited and many more are in the queue from EHR, HISP, HIE, and CA entities

36 Summary CMS is using the EHR Meaningful Use program to drive adoption of the Direct protocol to interconnect electronic healthcare record systems Health Providers have incentives under MU2 to communicate electronically with their patients, other providers, and government agencies

37 Questions Q & A

38 Contact Details Links: Scott Rea: (801) ,