[email protected] www.digicert.com +1 (801) 877-2100
Exchanging Medical Records Online with Direct
Scott Rea, VP GOV/EDU Relations & Sr. PKI Architect, DigiCert, Inc.
Exchanging Medical Records Online
Slide  Title
3      The Direct Project
5      Direct – The Technology
9      Direct Entities
13     Direct Implementation
17     Direct Trust Framework
24     Policies and Practices
29     DirectTrust Accreditation
33     Summary
37     Questions
38     Contacts
The Direct Project
A project to create the set of standards and services that, when coupled with a policy framework, enable simple, directed, routed, scalable transport of medical records and Private Health Information (PHI) over the Internet to be used for secure and meaningful exchange between known participants in support of Electronic Healthcare Records (EHR) meaningful use.
Primary goal is that solutions must be scalable, relatively inexpensive, and increase security.
The Purpose of Direct
• Direct exchange is part of a long term national strategy to transition from paper-based to electronic health care records that can be shared more easily to reduce costs and improve the quality of patient care.
• The Office of the National Coordinator (ONC) within the Department of Health and Human Services (HHS) is the lead author and publisher of the Direct standard.
• Direct was also designed to support the goal of health information exchange between providers using electronic health records (EHRs) engaged in Meaningful Use, the Medicare and Medicaid programs that help providers to pay for and meaningfully use EHRs.
• The Center for Medicare and Medicaid Services (CMS) governs the Incentive Programs for the use of EHRs.
• Direct is also intended as a general means of secure exchange (both directions) between providers and patients.
Direct Technology
• The Direct protocol enables SMIME messages with disposition notification within dedicated healthcare domains
• Sender and receiver must both have SMIME certificates, of which there are 2 types:
  – Direct Address cert is traditional SMIME
    • RFC822name in subjectAltName
  – Direct Organization cert is like SMIME wildcard
    • DNSname (FQDN of mail domain) in SAN
Direct Technology
Direct Address
• Direct Addresses are used to route information
  – Look like email addresses
  – Used only for health information exchange
[email protected]
• An individual may have multiple Direct addresses
[Diagram: the example address above annotated with its parts, labelled Endpoint, Domain and Direct]
Direct Technology
• Each Direct Address must have at least one X.509v3 digital certificate associated with it
  – Address-bound certificate – certificate tied to a specific Direct Address
  – Domain-bound certificate – certificate tied to the Domain that is part of a Direct Address
• Digital certificates are used within Direct to express trust relationships and to secure Direct Messages
Direct Technology
Security/Trust Agents
• Security/Trust Agents (STAs) are responsible for securing, routing, and processing Direct Messages
  – STA may be a system under the direct control of an exchange participant
  – STA may be a service offered by an intermediary (i.e., HISP) acting on behalf of an exchange participant
• STAs employ S/MIME and digital certificates to secure health information in transit
  1. Sending STA encrypts Message using recipient’s certificate
  2. Sending STA signs Message using private key associated with sender’s certificate
  3. Receiving STA verifies signature of Message using sender’s certificate
  4. Receiving STA decrypts Message using private key associated with
Direct Entities
Certification Authorities and Registration Authorities
• Registration Authority (RA)
  – Collects information for the purpose of verifying the identity of an individual or organization (i.e., identity proofing)
  – Produces certificate requests based on gathered attributes
• Certificate Authority (CA)
  – Digitally signs certificate requests
  – Issues digital certificate that ties a public key to the gathered attributes
Direct Entities
How do STAs relate to RAs and CAs?
STAs can relate to RAs and CAs in a number of ways:
• Act as RA and CA. STA identity proofs during enrollment and issues certificates as appropriate.
• Act as RA only. STA identity proofs during enrollment, passing necessary information to an independent CA. CA provides certificate to STA upon issuance.
• Act as CA only. Independent RA identity proofs during enrollment, passing necessary information to STA, which issues certificates as appropriate.
• Act as neither CA nor RA. Independent RA identity proofs during enrollment, passing necessary information to independent CA, which provides certificate to STA upon issuance.
Direct Entities
Health Information Service Provider
• Direct introduces the concept of a Health Information Service Provider (HISP)
• The purpose of the HISP is primarily to operate the STA functions on behalf of Direct Users
• The role of a HISP is to alleviate the difficulties of implementing the nuts and bolts of PKI, e.g. managing private keys and publishing address-to-certificate bindings, and those controls required by Direct in addition to standard SMIME, e.g. Message Disposition Notices (MDN)
• Direct can, however, be used without a HISP, if an individual wishes to manage their own keys and provide the appropriate MDN responses
Direct Entities
Health Information Service Provider
• Duties of a HISP:
  • provide subscribers with account and Direct addresses
  • provide web portal or EHR/PHR integration
  • arrange for identity verification - org and individual [RA function]
  • arrange for digital certificate issuance, management [CA function]
  • maintain integrity of trust and security framework
Direct Implementation
HISP as an Endpoint
[Diagram: Sender and Recipient each reach their HISP through Webmail over SSL/TLS; the Sending HISP and Receiving HISP (each an E-Mail Server plus Security/Trust Agent) exchange over Direct (SMTP / SMIME)]
Direct Implementation
HISP as a Gateway
[Diagram: Sender uses a Sending System and Recipient a Receiving System; each connects to its HISP via Endpoint Communication (XDR, SMTP, et al) over SSL/TLS; the Sending HISP and Receiving HISP (each an E-Mail Server plus Security/Trust Agent) exchange over Direct (SMTP / SMIME)]
Direct Implementation
Direct-Enabled Endpoint
[Diagram: the Sending System and Receiving System each run their own E-Mail Server and Security/Trust Agent and exchange over Direct (SMTP / SMIME) with no HISP in between]
Direct Implementation
• As CMS promotes the adoption of EHRs for better management of PHI, there is one problematic aspect that is introduced:
  • How can the industry avoid the failure of introducing siloed EHRs that have no way of exchanging data with each other?
• A goal of ONC is to utilize Direct to provide a national messaging standard for healthcare
• Direct enables the interoperability of EHRs by providing that standard
• Ubiquitous implementation of the Direct protocol should obsolete the use of insecure messaging technologies, e.g. Fax, and improve delivery times of others, e.g. Mail
Direct Trust Framework
• The Direct Applicability Statement for Secure Health Transport is the bible for implementing Direct in a standardized way
  http://wiki.directproject.org/file/view/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf/353270730/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf
• Traditional information security services involve 3 main aspects – CIA: Confidentiality, Integrity, Authentication
• Standard Direct protocols are designed to only provide message integrity and confidentiality services.
Security Features
Direct Trust Framework
• Trust governance is deliberately absent from the protocol in terms of who and only generally defined in terms of how
  – However, there must be allowed separate trust policies for incoming vs outgoing messaging
• With rules governing the underlying PKI however (e.g. an appropriate CP) and a set of best practices for HISPs, it is also possible to achieve the 3rd security service of authentication - through an accreditation process
Direct Trust Framework
• One of the critical components of Direct that has had little definition until recently has been the Trust Governance aspect.
• When the Direct Project chose to focus on other technologic aspects, members of the Direct community participating in the Direct Project formed an industry consortium to address trust governance
• DirectTrust.org (DTO) is that consortium and is a membership-based non-profit self-regulatory entity.
• The goal of DTO is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, and to foster widespread public confidence in the Directed exchange of health information
• DTO has created a Direct Trust Agent Accreditation Program (DTAAP) which has now been endorsed by ONC through a cooperation grant for providing accreditation for Direct entities on a national basis
• DigiCert is a Board member and founding member of DTO
Direct Trust
DTO
[Diagram: the HISP-as-Endpoint deployment (Sender and Recipient via Webmail over SSL/TLS to their Sending/Receiving HISP, each an E-Mail Server plus Security/Trust Agent; HISP-to-HISP over Direct (SMTP / SMIME)); caption: Direct Protocol Secures HISP-to-HISP]
Direct Identity, Trust, and Address Provisioning w/HISP
[Diagram (Source: DirectTrust.org February, 2012). Parties: Healthcare Organization (HCO) and its HCO Representative (assumed to already hold a Digital Identity Certificate); Health Information Service Provider (HISP); Registration Authority (RA: Identity/Trust Verification, Compile/Validate Identity and Trust Documentation); Certificate Authority (CA: Certificate Signing Services, Revocation Services, Certificate Validation Service); Domain Name System (DNS); LDAP Name System. Numbered steps shown: 1. Enroll with HISP; 2. Request Direct Organization or Address Certificate; 3. Credentials and Documentation (Representative FBCA Credentials, Representative Authorization, Legal Entity Documents, Membership/Trust Agreement, HIPAA status); 4. Direct Organization Domain; 5. CSR + Public Key; 6. Certificate Signing; 8. Direct Organization / Address Certificate; 9. Direct Address/ Org Certificate]
The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).
DirectTrust.org Accreditation
HISP
RAs:
  Policy: Accredited Registration Policy (RP) or Certificate Policy
  Practices: Registration Practices Statement (RPS)
  Accreditation: Verify RPS maps to CPS or RP, audit
CAs:
  Policy: Accredited Certificate Policy (CP)
  Practices: Certification Practices Statement (CPS)
  Accreditation: Verify CPS maps to Direct CP, certificate & CRL profile compliance, Accredited RA process, audit
HISPs:
  Policy: Accredited HISP Operational Policy (HOP)
  Practices: HISP Practices Statement (HPS)
  Accreditation: Verify HPS maps to HOP, Direct messaging compliance, HIPAA privacy/security attestation, Accredited CA, audit
DirectTrust.org Trust Framework:
Normalized HISP Operational Policy (HOP) + Certification and Accreditation against it to ensure compliance for technical, policy, practices, and legal sets of rules.
DirectTrust
• DTO publishes a CP that CAs and RAs can be accredited against.
  – The CP allows for multiple Levels of Assurance (LoA)
• Accredited CAs are placed in a trust bundle (the Direct equivalent of a browser certificate trust store) when accredited
• Direct also allows the use of self-signed or non-publicly trusted issuing CAs as trust anchors
  – Direct uses a flat trust model where each issuing CA or self-signed cert is included in a trust bundle
  – This means chain validation is not required, only checking that any cert or its issuer is in an accepted trust bundle
  – Which trust bundles to accept is an open question. ONC only endorses DTO at this point
Trust Framework
CA Policy and Practices
• “The Certificate Policy (CP) & Certification Practice Statement (CPS) is a formal statement that describes who may have certificates, how certificates are generated and what they may be used for.”
  – http://www.ietf.org/rfc/rfc3647.txt
• The CP defines the policies that must be adhered to
• The CPS describes the processes and practices that are used to implement the policies
• An audit determines:
  – A) Does the CPS implement the CP
RA Policy and Practices
• The CP defines the policies that must be adhered to
• The Registration Practices Statement (RPS) describes the processes and practices that are used to implement the registration or identity vetting related policies
• An RPS is a sub-component extract of Registration-specific activities from the CPS if the CA is also an RA, or it is mapped to the CPS if the RA is an external party
• An audit determines:
  – A) Does the RPS match the CPS
HISP Policy and Practices
• The HISP Operating Policy (HOP) defines the policies that must be adhered to
• The HISP Practices Statement (HPS) describes the processes and practices that are used to implement the policies
• An audit determines:
  – A) Does the HPS implement the HOP
HISP – CA – RA Relationship
[Diagram (Source: DirectTrust.org June, 2012). Certificate Authority (CA): Certificate Signing Services, Revocation Services, Certificate Validation Service; governed by the DirectTrust CP and FBCA CP, documented in a Certification Practices Statement, subject to PKI Audit. Registration Authority (RA): Identity/Trust Verification, Compile/Validate Identity and Trust Documentation; documented in a Registration Practices Statement, subject to PKI Audit, bound by an RA Agreement. Health Information Service Provider (HISP): Direct Messaging Services, Direct Directory Services, Direct Identity, HIPAA Privacy & Security Compliance; governed by the DirectTrust HISP Operational Policy (HOP), documented in a HISP Practices Statement, subject to DirectTrust Audit; linked to the CA by a CA Agreement, with SLA and Audit on each agreement]
Current DirectTrust Policies
• DirectTrust has 2 Certificate Policy documents that have been published
  – V1.1 of the DT CP has only a single LoA, requires FBCA Medium equivalent identity vetting processes and CA operations that are a lightweight version of the same
  – V1.2 of the DT CP has 4 LoAs defined matching NIST SP800-63-1 and only requires FBCA Basic equivalent CA operations
• V1.3 of the DT CP is being developed
• DirectTrust is currently working on a HISP Operating Policy
DirectTrust Full Accreditation
DirectTrust Accreditation In-Process
DirectTrust
A National Trust Infrastructure
HISP Name    CA Operator   RA Operator   CP Compliance    Cert Type(s)
Cerner       Cerner        Cerner        DT CP 1.1        Org
Inpriva      Inpriva       Inpriva       DT CP 1.1        Org & Addr
Inpriva      Inpriva       Inpriva       DT CP 1.1        Org & Addr
Inpriva      DigiCert      Inpriva       DT CP 1.1/1.2    Org & Addr
Inpriva      DigiCert      Inpriva       DT CP 1.1/1.2    Org & Addr
ICA          ICA           ICA           DT CP 1.1        Org
Surescripts  Surescripts   Surescripts   DT CP 1.2        Org
MaxMD        MaxMD         MaxMD         DT CP 1.2        Org & Addr
DataMotion   DigiCert      DigiCert      DT CP 1.1/1.2    Org & Addr
EMR Direct   EMR Direct    EMR Direct    DT CP 1.2        Addr
DirectTrust
A National Trust Infrastructure
HISP         CA Name                                  CPS URI
Cerner       CernerDirect Professional Community CA   http://www.cerner.com/CPS
Inpriva      Inpriva Direct-CE CA                     http://www.inpriva.com/cps
Inpriva      Rhode Island Trust Community CA          http://www.inpriva.com/cps
Inpriva      Inpriva-ClickID CA                       https://www.digicert.com/CPS
Inpriva      RITC-Inpriva-ClickID CA                  https://www.digicert.com/CPS
ICA          ICAPROD-ICA-SUB1-CA-CA                   https://direct.icainformatics.com/resources/ICA_CPS.pdf
Surescripts  Surescripts Direct Issuing CA            http://www.surescripts.com/SurescriptsDirectIssuingCACPSv1-0Abbreviated.pdf
MaxMD        MaxMD CA v2.5                            http://www.max.md/CA_Repository/MaxMD_CPSV1.2.pdf
DataMotion   DigiCert Accredited Direct Med CA        https://www.digicert.com/CPS
EMR Direct   phiCert Direct Subscriber CA             https://www.phicert.com/cps