The Direct Project Reference Implementation Architecture

Transcription

1 The Direct Project Reference Implementation Architecture 1

2 NwHIN Direct Approach Develop specifications for a secure, scalable, standardsbased way to establish universal health addressing and transport for participants Send encrypted health information directly to known, trusted recipients over the Internet (Push Model) Participants include providers, laboratories, hospitals, pharmacies and patients Standards and service descriptions designed to address the key Stage 1 requirements for Meaningful Use 2

3 Direct Reference Implementation Open-source reference implementation and associated libraries implementing the Direct Project specification Implementations in Java and in C Sharp(.Net) Actually implemented and used in several pilot projects. New York Hudson Valley and Rhode Island have hooked their pilots together (HISP to HISP) Multiple EHRs vendors in the pilots Workgroup 3

4 JAVA REFERENCE IMPLEMENTATION PLUS DIRECTORY SERVICES HISP Security Domain Real SMTP Server POP/SMTP Internal Client External Direct Health Information s (HISPS) Provider Directory s SMTP(SMIME) Certificate Directory s SMTP (Gateway ) Apache Mailet API Security Agent Apache Mailet API XD* Agent Configuration SQL Configuration Web UI XDR (Receiving XD* SOAP SERVICE XDR Source(Sending 4

5 EHR to EHR cmp EHR to EHR XDR Source (Sending Mutual Authentication HISP/HIE Direct XD* Serv ice Mutual Authentication XDR Serv ice (Receiv ing ProvideAndRegister ProvideAndRegister Search For Entity Search For Provider Get Local Endpoint Prov ider Directory Serv ice Configuration Serv ice 5

6 EHR to EHR Sequence sd EHR to EHRSequence XDR Source (Sending Provider Directory HISP/HIE Direct XD* Configuration XDR (Receiving SearchForProvider(SearchForProviderRequest) :SearchForProviderResponse MutualAuthentication() ProvideAndRegister(ProvideAndRegisterRequest) GetLocalEndpoint(DirectAddress) ProvideAndRegister(ProvideAndRegisterRequest) :ProvideAndRegisterResponse :ProvideAndRegisterResponse 6

7 Why the SMTP Backbone? Allows for the inclusion of providers without EHRs in the Direct model Allows for a security model that does not rely on a strong federation Strongly federated security with dictated CA structure, like the Federal Bridge, seem to be difficult to implement Without strong federation, unanticipated push between two random TLS based SOAP systems is not simple (possible?) Using the Direct Certificate Directory model allows for unanticipated SMIME with dynamic certificate exchange 7

8 THE MAILET, ENABLING SECURE SMTP BASED SERVICES HISP Security Domain Real SMTP Server POP/SMTP Internal Client External Direct Health Information s (HISPS) Provider Directory s SMTP(SMIME(XDM)) Certificate Directory s SMTP (Gateway ) Apache Mailet API Security Agent Apache Mailet API XD* Agent Configuration SQL Configuration Web UI SMTP (XDM) XDR (Receiving XD* SOAP SERVICE XDR Source(Sending 8

9 What Apache Mailets Get You In-flow programmatic access to the (S)MIME message without cumbersome polling or queuing Allows for dynamic certificate exchange, decryption and signature validation Allows for dynamic conversion to more SOA friendly protocols Extremely simple injection mechanism Configuration based 9

10 SOAP to SMTP cmp EHR tosmime Out Mutual Authentication XDR Source (Sending HISP/HIE Direct XD* Serv ice HISP/HIE Direct Mail Serv ice XDM Over SMTP ProvideAndRegister SMIME(XDM) Over SMTP External Direct SMTP Serv ices Search For Entity Search For Provider Get Local Endpoint Get Provider Private Key (Sender, Sign) Get Current Certificates (Recipient, Encrypt) Provider Directory Configuration Certificate Repository 10

11 SOAP to SMTP Sequence sd EHR to SMIME Out Sequence XDR Source (Sending Provider Directory HISP/HIE Direct XD* Configuration HISP/HIE Direct Mail Certificate Repository External Direct SMTP s SearchForProvider(SearchForProviderRequest) :SearchForProverResponse MutualAuthentication() ProvideAndRegister(ProvideAndRegisterRequest) GetLocalEndpoint(DirectAddress) SMTP(XDM) GetProviderPrivateKey() GetCurrentCertificates() SMIMEOverSMTP(XDM) :Ack :Ack :ProvideAndRegisterResponse 11

12 THE MAILET, ENABLING SECURE SMTP BASED SERVICES HISP Security Domain Real SMTP Server POP/SMTP Internal Client External Direct Health Information s (HISPS) Provider Directory s SMTP(SMIME) Certificate Directory s SMTP (Gateway ) Apache Mailet API Security Agent Apache Mailet API XD* Agent Configuration SQL Configuration Web UI XDR XDR (Receiving XD* SOAP SERVICE XDR Source(Sending 12

13 SMTP to SOAP cmp SMIME to EHR In External Direct SMTP s SMIME Over SMTP HISP/HIE Direct Mail ForwardMessage XD Step Up Serv ice ProvideAndRegister HISP/HIE Direct XD* Get Current Certificates (Sender, Validation) Get Local Endpoint Get Provider Private Key (Recipient, Decrypt) Get Local Endpoint Mutual Authentication ProvideAndRegister Certificate Repository Configuration Serv ice XDR Serv ice (Receiv ing 13

14 SMTP to SOAP Sequence sd SMIME to EHR In Sequence External Direct SMTP s HISP/HIE Direct Mail Certificate Repository Configuration XD Step Up HISP/HIE Direct XD* XDR (Receiving SMIMEOverSMTP() GetProviderPrivateKey() GetCurrentCertificates() GetLocalEndpoint() ForwardMessage(Payload) ProvideAndRegister(ProvideAndRegisterRequest) MutualAuthentication() ProvideAndRegister(ProvideAndRegisterRequest) :ProvideAndRegisterResponse :ProvideAndRegisterReponse :Ack :Ack 14

15 Conclusions and Questions? The Direct specification and reference implementation has been an incredible example of cooperative open source development Multiple connectathons and extensive junit testing help make the implementation rock solid Architecture seems as clean as possible with multiple protocols Still firming up the Provider Directory detailed requirements Certificate Directory now uses DNS, may or may not change 15