Exchanging Medical Records Online with Direct




Scott Rea, VP GOV/EDU Relations & Sr. PKI Architect, DigiCert, Inc.
sales@digicert.com | www.digicert.com | +1 (801) 877-2100

Table of Contents
- The Direct Project
- Direct: The Technology
- Direct Entities
- Direct Implementation
- Direct Trust Framework
- Policies and Practices
- DirectTrust Accreditation
- Summary
- Questions
- Contacts

What is the Direct Project?
A project to create the set of standards and services that, when coupled with a policy framework, enable simple, directed, routed, scalable transport of medical records and Private Health Information (PHI) over the Internet, to be used for secure and meaningful exchange between known participants in support of Electronic Healthcare Records (EHR) meaningful use. The primary goal is that solutions must be scalable, relatively inexpensive, and increase security.

The Purpose of Direct
- Direct exchange is part of a long-term national strategy to transition from paper-based to electronic health care records that can be shared more easily, to reduce costs and improve the quality of patient care.
- The Office of the National Coordinator (ONC) within the Department of Health and Human Services (HHS) is the lead author and publisher of the Direct standard.
- Direct was also designed to support the goal of health information exchange between providers using electronic health records (EHRs) engaged in Meaningful Use, the Medicare and Medicaid programs that help providers to pay for and meaningfully use EHRs. The Centers for Medicare and Medicaid Services (CMS) govern the Incentive Programs for the use of EHRs.
- Direct is also intended as a general means of secure exchange (in both directions) between providers and patients.

Direct Technology
- The Direct protocol enables S/MIME messages with disposition notification within dedicated healthcare domains.
- Sender and receiver must both have S/MIME certificates, of which there are 2 types:
  - Direct Address cert: a traditional S/MIME certificate with an rfc822Name (the Direct address) in the subjectAltName extension.
  - Direct Organization cert: like an S/MIME wildcard, with a dNSName (the FQDN of the mail domain) in the SAN.

Direct Technology: Direct Address
- Direct Addresses are used to route information.
- They look like email addresses but are used only for health information exchange.
- Example: b.wells@direct.aclinic.org, where b.wells is the endpoint, direct.aclinic.org is the domain, and the whole string is the Direct Address.
- An individual may have multiple Direct addresses.

Direct Technology: Digital Certificates
- Each Direct Address must have at least one X.509v3 digital certificate associated with it.
- Address-bound certificate: a certificate tied to a specific Direct Address.
- Domain-bound certificate: a certificate tied to the domain that is part of a Direct Address.
- Digital certificates are used within Direct to express trust relationships and to secure Direct Messages.

Direct Technology: Security/Trust Agents
- Security/Trust Agents (STAs) are responsible for securing, routing, and processing Direct Messages.
- An STA may be a system under the direct control of an exchange participant.
- An STA may be a service offered by an intermediary (i.e., a HISP) acting on behalf of an exchange participant.
- STAs employ S/MIME and digital certificates to secure health information in transit:
  1. The sending STA encrypts the Message using the recipient's certificate.
  2. The sending STA signs the Message using the private key associated with the sender's certificate.
  3. The receiving STA verifies the signature of the Message using the sender's certificate.
  4. The receiving STA decrypts the Message using the private key associated with the recipient's certificate.
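The four STA steps above, worked through as an added example; this is not code from the slides or from the Direct Project reference implementation. It is written in Go against the standard library and follows the slide's ordering (encrypt for the recipient, then sign as the sender; verify, then decrypt). The hybrid AES-256-GCM + RSA-OAEP envelope and the RSA-PSS signature are simplified stand-ins for the CMS/S/MIME structures Direct actually uses, and the bare RSA public keys stand in for the keys that Direct carries in the sender's and recipient's X.509 certificates. The Envelope type, SendingSTA and ReceivingSTA are illustrative names, and the sample message is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the unit a sending STA hands to SMTP: the body encrypted to the
// recipient's public key (stand-in for CMS EnvelopedData) and a signature by
// the sender's private key over that encrypted body (stand-in for the S/MIME signature).
type Envelope struct {
	WrappedKey []byte // AES content key encrypted with the recipient's RSA public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with authentication tag
	Signature  []byte // RSA-PSS signature over SHA-256(WrappedKey || Nonce || Ciphertext)
}

// digest is what the signature covers: every field the receiver acts on.
func digest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SendingSTA performs steps 1 and 2: encrypt with the recipient's public key
// (in Direct, taken from the recipient's certificate), then sign with the
// private key behind the sender's certificate.
func SendingSTA(msg []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil)}
	// Step 1: only the holder of the recipient's private key can unwrap the content key.
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil); err != nil {
		return nil, err
	}
	// Step 2: the signature binds the encrypted body to the sender's identity.
	if env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest(env), nil); err != nil {
		return nil, err
	}
	return env, nil
}

// ReceivingSTA performs steps 3 and 4: verify against the sender's public key
// before touching the ciphertext, then unwrap the content key with the
// recipient's private key and decrypt. Anything that fails step 3 is dropped.
func ReceivingSTA(env *Envelope, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest(env), env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify against sender certificate; message rejected")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("content key cannot be unwrapped with recipient private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample payload; a real Direct body would be a MIME part carrying a clinical document.
	env, _ := SendingSTA([]byte("sample clinical summary for patient 0001"), &recipient.PublicKey, sender)
	out, err := ReceivingSTA(env, &sender.PublicKey, recipient)
	fmt.Printf("received: %q err=%v\n", out, err)
	env.Ciphertext[0] ^= 0xff // in-transit tampering is caught at step 3, before any decryption
	_, err = ReceivingSTA(env, &sender.PublicKey, recipient)
	fmt.Println("tampered:", err)
}
```

Verifying before decrypting is the reason the slide lists steps 3 and 4 in that order: a receiving STA never spends a private-key operation on, or releases plaintext from, a body whose origin it has not confirmed. A message signed by a key that does not match the claimed sender's certificate, or altered in transit, fails step 3 and is never decrypted.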

Direct Entities: Certification Authorities and Registration Authorities
- Registration Authority (RA):
  - Collects information for the purpose of verifying the identity of an individual or organization (i.e., identity proofing).
  - Produces certificate requests based on the gathered attributes.
- Certificate Authority (CA):
  - Digitally signs certificate requests.
  - Issues a digital certificate that ties a public key to the gathered attributes.

Direct Entities: How do STAs relate to RAs and CAs?
STAs can relate to RAs and CAs in a number of ways. An STA may:
- Act as RA and CA. The STA identity-proofs during enrollment and issues certificates as appropriate.
- Act as RA only. The STA identity-proofs during enrollment, passing the necessary information to an independent CA. The CA provides the certificate to the STA upon issuance.
- Act as CA only. An independent RA identity-proofs during enrollment, passing the necessary information to the STA, which issues certificates as appropriate.
- Act as neither CA nor RA. An independent RA identity-proofs during enrollment, passing the necessary information to an independent CA, which provides the certificate to the STA upon issuance.

Direct Entities: Health Information Service Provider
- Direct introduces the concept of a Health Information Service Provider (HISP).
- The primary purpose of the HISP is to operate the STA functions on behalf of Direct users.
- The role of a HISP is to alleviate the difficulties of implementing the nuts and bolts of PKI (e.g. managing private keys and publishing address-to-certificate bindings), and the controls required by Direct in addition to standard S/MIME (e.g. Message Disposition Notices (MDN)).
- Direct can, however, be used without a HISP if an individual wishes to manage their own keys and provide the appropriate MDN responses.

Direct Entities: Health Information Service Provider
Duties of a HISP:
- Provide subscribers with accounts and Direct addresses
- Provide web portal or EHR/PHR integration
- Arrange for identity verification of organizations and individuals [RA function]
- Arrange for digital certificate issuance and management [CA function]
- Maintain the integrity of the trust and security framework
- Stay current with federal policies and regulations

Direct Implementation: HISP as an Endpoint
[Diagram: Sender -> Webmail over SSL/TLS -> Sending HISP (Security/Trust Agent, E-Mail Server) -> Direct (SMTP / S/MIME) -> Receiving HISP (Security/Trust Agent, E-Mail Server) -> Webmail over SSL/TLS -> Recipient]

Direct Implementation: HISP as a Gateway
[Diagram: Sender -> Sending System -> Endpoint Communication (XDR, SMTP, et al.) over SSL/TLS -> Sending HISP (Security/Trust Agent, E-Mail Server) -> Direct (SMTP / S/MIME) -> Receiving HISP (Security/Trust Agent, E-Mail Server) -> Endpoint Communication (XDR, SMTP, et al.) over SSL/TLS -> Receiving System -> Recipient]

Direct Implementation: Direct-Enabled Endpoint
[Diagram: Sender -> Sending System (Security/Trust Agent, E-Mail Server) -> Direct (SMTP / S/MIME) -> Receiving System (Security/Trust Agent, E-Mail Server) -> Recipient]

Direct Implementation: Direct and EHRs
- As CMS promotes the adoption of EHRs for better management of PHI, one problematic aspect is introduced: how can the industry avoid the failure of introducing siloed EHRs that have no way of exchanging data with each other?
- A goal of ONC is to utilize Direct to provide a national messaging standard for healthcare.
- Direct enables the interoperability of EHRs by providing that standard.
- Ubiquitous implementation of the Direct protocol should make insecure messaging technologies (e.g. fax) obsolete and improve the delivery times of others (e.g. mail).

Direct Trust Framework: Security Features
- The Direct Applicability Statement for Secure Health Transport is the bible for implementing Direct in a standardized way: http://wiki.directproject.org/file/view/applicability%20statement%20for%20secure%20health%20transport%20v1.1.pdf/353270730/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf
- Traditional information security services involve 3 main aspects (CIA): Confidentiality, Integrity, Authentication.
- Standard Direct protocols are designed to provide only message integrity and confidentiality services.

Direct Trust Framework
- Trust governance is deliberately absent from the protocol in terms of who, and only generally defined in terms of how.
- However, separate trust policies must be allowed for incoming vs. outgoing messaging.
- With rules governing the underlying PKI (e.g. an appropriate CP) and a set of best practices for HISPs, it is also possible to achieve the 3rd security service, authentication, through an accreditation process.

Direct Trust Framework: Trust Governance
- One of the critical components of Direct that has had little definition until recently has been the trust governance aspect.
- When the Direct Project chose to focus on other technological aspects, members of the Direct community participating in the Direct Project formed an industry consortium to address trust governance.
- DirectTrust.org (DTO) is that consortium: a membership-based nonprofit self-regulatory entity.
- The goal of DTO is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, and to foster widespread public confidence in the Directed exchange of health information.
- DTO has created the Direct Trust Agent Accreditation Program (DTAAP), which has now been endorsed by ONC through a cooperation grant for providing accreditation for Direct entities on a national basis.
- DigiCert is a Board member and founding member of DTO.

Direct Trust: DTO
[Diagram: the HISP-as-endpoint flow (Sender -> Webmail over SSL/TLS -> Sending HISP (Security/Trust Agent, E-Mail Server) -> Direct (SMTP / S/MIME) -> Receiving HISP (Security/Trust Agent, E-Mail Server) -> Webmail over SSL/TLS -> Recipient), annotated to show that the Direct protocol secures HISP-to-HISP while DirectTrust secures end-to-end]

Direct Identity, Trust, and Address Provisioning with a HISP
[Diagram (Source: DirectTrust.org, February 2012). Parties: Healthcare Organization (HCO) and its HCO Representative (assumed to already hold a Digital Identity Certificate); Health Information Service Provider (HISP); Registration Authority (RA: compile/validate identity and trust documentation); Certificate Authority (CA: identity/trust verification, certificate signing services, certificate validation service, revocation services); Domain Name System (DNS) / LDAP name system. Steps as labelled in the diagram:]
1. Enroll with HISP
2. Request Direct Organization or Address Certificate
3. Credentials and Documentation (Representative FBCA credentials, Representative authorization, Legal entity documents, Membership/Trust agreement, HIPAA status)
4. Direct Organization Domain
5. CSR + Public Key
6. Certificate Signing Request (RA to CA)
7. Direct Organization / Address Certificate
8. Direct Organization / Address Certificate
9. Direct Address / Org Certificate
The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).

DirectTrust.org Accreditation
DirectTrust.org Trust Framework: a normalized HISP Operational Policy (HOP), plus certification and accreditation against it, to ensure compliance with technical, policy, practices, and legal sets of rules.
- HISPs:
  - Policy: Accredited HISP Operational Policy (HOP)
  - Practices: HISP Practices Statement (HPS)
  - Accreditation: verify that the HPS maps to the HOP, Direct messaging compliance, HIPAA privacy/security attestation, accredited CA, audit of the HISP
- CAs:
  - Policy: Accredited Certificate Policy (CP)
  - Practices: Certification Practices Statement (CPS)
  - Accreditation: verify that the CPS maps to the Direct CP, certificate & CRL profile compliance, accredited RA process, audit
- RAs:
  - Policy: Accredited Registration Policy (RP) or Certificate Policy
  - Practices: Registration Practices Statement (RPS)
  - Accreditation: verify that the RPS maps to the CPS or RP, audit

DirectTrust Trust Framework
- DTO publishes a CP that CAs and RAs can be accredited against. The CP allows for multiple Levels of Assurance (LoA).
- Accredited CAs are placed in a trust bundle (the Direct equivalent of a browser certificate trust store) when accredited.
- Direct also allows the use of self-signed or non-publicly-trusted issuing CAs as trust anchors.
- Direct uses a flat trust model where each issuing CA or self-signed cert is included in a trust bundle. This means chain validation is not required; only checking that any cert or its issuer is in an accepted trust bundle.
- Which trust bundles to accept is an open question. ONC only endorses DTO at this point.
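The certificate-to-address binding from the Direct Technology slides (rfc822Name in the SAN for an address-bound cert, dNSName for a domain-bound cert) and the flat trust-bundle check described above, as one added example in Go using only the standard library. It is not code from the slides, from DirectTrust, or from the Direct Project. Every certificate and key is generated inside the example, the names (direct.aclinic.org and the addresses) are constructed, and makeCert, BindsAddress and TrustedByBundle are illustrative names, not a Direct API. It goes slightly beyond the slide by showing the consequence of the flat model that the slide only implies: a certificate issued under an intermediate CA that is not itself in the bundle is rejected, because no chain is built.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds an X.509v3 certificate whose SAN carries the given entries
// (emails become rfc822Name, dnsNames become dNSName). With parent == nil the
// certificate is self-signed; otherwise it is issued by parent and signed with
// parentKey. Illustrative helper for this example, not a Direct API.
func makeCert(cn string, emails, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		EmailAddresses:        emails,
		DNSNames:              dnsNames,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BindsAddress reports whether cert is bound to the Direct address addr:
// address-bound when a SAN rfc822Name equals the whole address, domain-bound
// when a SAN dNSName equals the domain part after the '@'.
func BindsAddress(cert *x509.Certificate, addr string) bool {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return false
	}
	for _, e := range cert.EmailAddresses {
		if strings.EqualFold(e, addr) {
			return true
		}
	}
	for _, d := range cert.DNSNames {
		if strings.EqualFold(d, addr[at+1:]) {
			return true
		}
	}
	return false
}

// TrustedByBundle applies the flat trust model from the slide: accept cert if
// it is itself in the bundle (a self-signed anchor) or was signed directly by a
// CA in the bundle. No chain is built, so a leaf under an intermediate CA that
// is not in the bundle fails. Revocation is deliberately out of scope here; a
// deployed STA would also consult the issuing CA's CRL.
func TrustedByBundle(cert *x509.Certificate, bundle []*x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	for _, anchor := range bundle {
		if anchor.Equal(cert) || cert.CheckSignatureFrom(anchor) == nil {
			return nil
		}
	}
	return errors.New("neither the certificate nor its issuer is in an accepted trust bundle")
}

func main() {
	ca, caKey, _ := makeCert("Accredited Direct CA", nil, nil, true, nil, nil)
	addrCert, _, _ := makeCert("b.wells", []string{"b.wells@direct.aclinic.org"}, nil, false, ca, caKey)
	orgCert, _, _ := makeCert("direct.aclinic.org", nil, []string{"direct.aclinic.org"}, false, ca, caKey)
	bundle := []*x509.Certificate{ca}
	for _, c := range []*x509.Certificate{addrCert, orgCert} {
		fmt.Printf("%s: binds=%v trust=%v\n", c.Subject.CommonName,
			BindsAddress(c, "b.wells@direct.aclinic.org"), TrustedByBundle(c, bundle, time.Now()))
	}
}
```

The two checks are deliberately separate: a certificate can be perfectly trusted by the bundle yet bound to a different address or domain, and a certificate can name the right address yet come from a CA nobody accredited. A receiving STA needs both answers before it uses a certificate to verify a sender's signature, and a sending STA needs both before it encrypts to a recipient's certificate.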

CA Policy and Practices
- The Certificate Policy (CP) & Certification Practice Statement (CPS) is a formal statement that describes who may have certificates, how certificates are generated and what they may be used for (http://www.ietf.org/rfc/rfc3647.txt).
- The CP defines the policies that must be adhered to.
- The CPS describes the processes and practices that are used to implement the policies.
- An audit determines: A) Does the CPS implement the CP? B) Does the CA operate in accordance with its CPS?

RA Policy and Practices
- The CP defines the policies that must be adhered to.
- The Registration Practices Statement (RPS) describes the processes and practices that are used to implement the registration or identity-vetting related policies.
- An RPS is a sub-component extract of registration-specific activities from the CPS if the CA is also an RA, or it is mapped to the CPS if the RA is an external party.
- An audit determines: A) Does the RPS match the CPS? B) Does the RA operate in accordance with its CPS?

HISP Policy and Practices
- The HISP Operating Policy (HOP) defines the policies that must be adhered to.
- The HISP Practices Statement (HPS) describes the processes and practices that are used to implement the policies.
- An audit determines: A) Does the HPS implement the HOP? B) Does the HISP operate in accordance with its HPS?

HISP / CA / RA Relationship
[Diagram (Source: DirectTrust.org, June 2012). Health Information Service Provider (HISP): Direct identity services, Direct messaging services, HIPAA privacy & security compliance, Direct directory services; governed by the DirectTrust HISP Operational Policy (HOP) and its HISP Practices Statement, with a DirectTrust audit; linked to the CA by a CA agreement, SLA and audit. Certificate Authority (CA): identity/trust verification, certificate signing services, certificate validation service, revocation services; governed by the FBCA CP, the DirectTrust CP and its Certification Practices Statement, with a PKI audit; linked to the RA by an RA agreement, SLA and audit. Registration Authority (RA): compile/validate identity and trust documentation; governed by its Registration Practices Statement, with a PKI audit.]

Current DirectTrust Policies
- DirectTrust has 2 Certificate Policy documents that have been published.
- V1.1 of the DT CP has only a single LoA; it requires FBCA Medium-equivalent identity vetting processes and CA operations that are a lightweight version of the same.
- V1.2 of the DT CP has 4 LoAs defined, matching NIST SP 800-63-1, and only requires FBCA Basic-equivalent CA operations.
- V1.3 of the DT CP is being developed.
- DirectTrust is currently working on a HISP Operating Policy.
- Existing HISPs are evaluated against DTAAP requirements.

DirectTrust A National Trust Infrastructure Full Accreditation

DirectTrust A National Trust Infrastructure Accreditation In Process

DirectTrust: A National Trust Infrastructure

| HISP Name   | CA Operator | RA Operator | CP Compliance | Cert Type(s) |
|-------------|-------------|-------------|---------------|--------------|
| Cerner      | Cerner      | Cerner      | DT CP 1.1     | Org          |
| Inpriva     | Inpriva     | Inpriva     | DT CP 1.1     | Org & Addr   |
|             | Inpriva     | Inpriva     | DT CP 1.1     | Org & Addr   |
|             | DigiCert    | Inpriva     | DT CP 1.1/1.2 | Org & Addr   |
|             | DigiCert    | Inpriva     | DT CP 1.1/1.2 | Org & Addr   |
| ICA         | ICA         | ICA         | DT CP 1.1     | Org          |
| Surescripts | Surescripts | Surescripts | DT CP 1.2     | Org          |
| MaxMD       | MaxMD       | MaxMD       | DT CP 1.2     | Org & Addr   |
| DataMotion  | DigiCert    | DigiCert    | DT CP 1.1/1.2 | Org & Addr   |
| EMR Direct  | EMR Direct  | EMR Direct  | DT CP 1.2     | Addr         |
| Infomedtrix | Infomedtrix | Infomedtrix | DT CP 1.2     | Org & Addr   |

(Rows with an empty HISP Name column are additional CA/RA pairings for the HISP named in the row above.)

DirectTrust: A National Trust Infrastructure

| HISP        | CA Name                                | CPS URI |
|-------------|----------------------------------------|---------|
| Cerner      | CernerDirect Professional Community CA | http://www.cerner.com/cps |
| Inpriva     | ICA Inpriva Direct CE CA               | http://www.inpriva.com/cps |
|             | Rhode Island Trust Community CA        | http://www.inpriva.com/cps |
|             | Inpriva ClickID CA                     | https://www.digicert.com/cps |
|             | RITC Inpriva ClickID CA                | https://www.digicert.com/cps |
| ICA         | ICAPROD ICA SUB1 CA                    | https://direct.icainformatics.com/resources/ica_cps.pdf |
| Surescripts | Surescripts Direct Issuing CA          | http://www.surescripts.com/surescriptsdirectissuingcacpsv1 0Abbreviated.pdf |
| MaxMD       | MaxMD CA v2.5                          | http://www.max.md/ca_repository/maxmd_cpsv1.2.pdf |
| DataMotion  | DigiCert Accredited Direct Med CA      | https://www.digicert.com/cps |
| EMR Direct  | phicert Direct Subscriber CA           | https://www.phicert.com/cps |
| Infomedtrix | InfomedtrixCA                          | http://www.infomedtrix.com/pki/infomedtrix CPS v1.2.pdf |

Summary

Summary
Direct = Secure Email for PHI data with 3 additional features:
- Addresses must be in dedicated healthcare domains
- Message Disposition Notifications (assurance receipts)
- HISP to ease PKI key management in certifiable secure infrastructures

Summary
DirectTrust = Direct with end-to-end assurance by securing the last mile (STA to user):
- Accreditation of HISP, CA, RA (DTAAP)
- Trust Anchor distribution service
- National Trust Infrastructure
Several HISP, CA, RA entities have already been accredited, and many more are in the queue from EHR, HISP, HIE, and CA entities.

Summary
- CMS is using the EHR Meaningful Use program to drive adoption of the Direct protocol to interconnect electronic healthcare record systems.
- Health providers have incentives under MU2 to communicate electronically with their patients, other providers, and government agencies.

Questions Q & A

Contact Details
Links:
- http://www.digicert.com/direct-project
- http://www.directtrust.org/
- http://www.directproject.org/
Scott Rea: (801) 701-9636, Scott@DigiCert.com