
(1)

[email protected] www.digicert.com +1 (801) 877-2100

Exchanging Medical Records Online with Direct

Scott Rea, VP GOV/EDU Relations & Sr. PKI Architect, DigiCert, Inc.

(2)

Exchanging Medical Records Online

Slide  Title
3      The Direct Project
5      Direct – The Technology
9      Direct Entities
13     Direct Implementation
17     Direct Trust Framework
24     Policies and Practices
29     DirectTrust Accreditation
33     Summary
37     Questions
38     Contacts

(3)

The Direct Project

A project to create the set of standards and services that, when coupled with a policy framework, enable simple, directed, routed, scalable transport of medical records and Private Health Information (PHI) over the Internet, to be used for secure and meaningful exchange between known participants in support of Electronic Healthcare Records (EHR) meaningful use.

Primary goal is that solutions must be scalable, relatively inexpensive, and increase security.

(4)

The Purpose of Direct

• Direct exchange is part of a long term national strategy to transition from paper-based to electronic health care records that can be shared more easily to reduce costs and improve the quality of patient care.

• The Office of the National Coordinator (ONC) within the department of Health and Human Services (HHS) is the lead author and publisher of the Direct standard

• Direct was also designed to support the goal of health information exchange between providers using electronic health records (EHRs) engaged in Meaningful Use, the Medicare and Medicaid programs that help providers to pay for and meaningfully use EHRs.

• The Center for Medicare and Medicaid Services (CMS) governs the Incentive Programs for the use of EHRs

• Direct is also intended as a general means of secure exchange (both directions) between providers and patients.

(5)

Direct Technology

The Direct protocol enables S/MIME messages with disposition notification within dedicated healthcare domains.

Sender and receiver must both have S/MIME certificates, of which there are 2 types:

• Direct Address cert is traditional S/MIME

– RFC822name in subjectAltName

• Direct Organization cert is like an S/MIME wildcard

– DNSname (FQDN of mail domain) in SAN

(6)

Direct Technology

Direct Address

• Direct Addresses are used to route information

– Look like email addresses

– Used only for health information exchange

[email protected]

• An individual may have multiple Direct addresses

[Figure labels: Endpoint, Domain, Direct Address]

(7)

Direct Technology

Each Direct Address must have at least one X.509v3 digital certificate associated with it

Address-bound certificate – certificate tied to a specific Direct Address

Domain-bound certificate – certificate tied to the Domain that is part of a Direct Address

Digital certificates are used within Direct to express trust relationships and to secure Direct Messages

(8)

Direct Technology

Security/Trust Agents

Security/Trust Agents (STAs) are responsible for securing, routing, and processing Direct Messages

– STA may be a system under the direct control of an exchange participant

– STA may be a service offered by an intermediary (i.e., HISP) acting on behalf of an exchange participant

STAs employ S/MIME and digital certificates to secure health information in transit

1. Sending STA encrypts Message using recipient's certificate

2. Sending STA signs Message using private key associated with sender's certificate

3. Receiving STA verifies signature of Message using sender's certificate

4. Receiving STA decrypts Message using private key associated with
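The four STA steps above as an added example; it is not from the slides or from any Direct implementation. Direct itself protects the message with S/MIME (CMS) using keys from the participants' certificates; to stay within Go's standard library this block stands in X25519 + AES-256-GCM for the encryption and Ed25519 for the signature, keeps the slide's order (encrypt, then sign; verify, then decrypt), and uses a constructed wire layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const pubLen, nonceLen, sigLen = 32, 12, ed25519.SignatureSize // constructed wire layout: ephemeralPub(32) || nonce(12) || ciphertext || signature(64)

// aeadFor derives an AES-256-GCM instance from an X25519 shared secret.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}

// Send is the sending STA in the slide's order: (1) encrypt to the key in the
// recipient's certificate, (2) sign with the key behind the sender's certificate.
func Send(senderSign ed25519.PrivateKey, recipientEnc *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(eph, recipientEnc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil)
	return append(body, ed25519.Sign(senderSign, body)...), nil
}

// Receive is the receiving STA: (3) verify the signature with the sender's
// certificate key and stop if it fails, (4) decrypt with the recipient's key.
func Receive(recipientEnc *ecdh.PrivateKey, senderSign ed25519.PublicKey, wire []byte) ([]byte, error) {
	n := len(wire) - sigLen
	if n < pubLen+nonceLen || !ed25519.Verify(senderSign, wire[:n], wire[n:]) {
		return nil, errors.New("rejected: truncated or signature does not verify")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(wire[:pubLen])
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(recipientEnc, ephPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, wire[pubLen:pubLen+nonceLen], wire[pubLen+nonceLen:n], nil)
}
```

A message whose signature fails, or that has been truncated or altered in transit, is rejected before any decryption is attempted.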

(9)

Direct Entities

Certification Authorities and Registration Authorities

• Registration Authority (RA)

– Collects information for the purpose of verifying the identity of an individual or organization (i.e., identity proofing)

– Produces certificate requests based on gathered attributes

• Certificate Authority (CA)

– Digitally signs certificate requests

– Issues digital certificate that ties a public key to the gathered attributes

(10)

Direct Entities

How do STAs relate to RAs and CAs?

STAs can relate to RAs and CAs in a number of ways:

• Act as RA and CA. STA identity proofs during enrollment and issues certificates as appropriate.

• Act as RA only. STA identity proofs during enrollment, passing necessary information to an independent CA. CA provides certificate to STA upon issuance.

• Act as CA only. Independent RA identity proofs during enrollment, passing necessary information to STA, which issues certificates as appropriate.

• Act as neither CA nor RA. Independent RA identity proofs during enrollment, passing necessary information to independent CA, which provides certificate to STA upon issuance.

(11)

Direct Entities

Health Information Service Provider

Direct introduces the concept of a Health Information Service Provider (HISP)

The purpose of the HISP is primarily to operate the STA functions on behalf of Direct Users

The role of a HISP is to alleviate the difficulties of implementing the nuts and bolts of PKI, e.g. managing private keys and publishing address-to-certificate bindings, and those controls required by Direct in addition to standard S/MIME, e.g. Message Disposition Notices (MDN)

Direct can however be used without a HISP, if an individual wishes to manage their own keys and provide the appropriate MDN responses

(12)

Direct Entities

Health Information Service Provider

• Duties of a HISP:

– provide subscribers with account and Direct addresses

– provide web portal or EHR/PHR integration

– arrange for identity verification - org and individual [RA function]

– arrange for digital certificate issuance, management [CA function]

– maintain integrity of trust and security framework

(13)

Direct Implementation

HISP as an Endpoint

[Diagram: Sender → Webmail → Sending HISP (E-Mail Server + Security/Trust Agent) → Direct (SMTP / S/MIME) → Receiving HISP (E-Mail Server + Security/Trust Agent) → Webmail → Recipient; SSL/TLS on the Webmail legs]

(14)

Direct Implementation

HISP as a Gateway

[Diagram: Sender → Sending System → Endpoint Communication (XDR, SMTP, et al) → Sending HISP (E-Mail Server + Security/Trust Agent) → Direct (SMTP / S/MIME) → Receiving HISP (E-Mail Server + Security/Trust Agent) → Endpoint Communication (XDR, SMTP, et al) → Receiving System → Recipient; SSL/TLS on the endpoint legs]

(15)

Direct Implementation

Direct-Enabled Endpoint

[Diagram: Sender → Sending System (E-Mail Server + Security/Trust Agent) → Direct (SMTP / S/MIME) → Receiving System (E-Mail Server + Security/Trust Agent) → Recipient]

(16)

Direct Implementation

As CMS promotes the adoption of EHRs for better management of PHI, there is one problematic aspect that is introduced: how can the industry avoid the failure of introducing siloed EHRs that have no way of exchanging data with each other?

A goal of ONC is to utilize Direct to provide a national messaging standard for healthcare

Direct enables the interoperability of EHRs by providing that standard

Ubiquitous implementation of the Direct protocol should obsolete the use of insecure messaging technologies, e.g. Fax, and improve delivery times of others, e.g. Mail

(17)

Direct Trust Framework

Security Features

The Direct Applicability Statement for Secure Health Transport is the bible for implementing Direct in a standardized way:

http://wiki.directproject.org/file/view/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf/353270730/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf

Traditional information security services involve 3 main aspects – CIA: Confidentiality, Integrity, Authentication

Standard Direct protocols are designed to only provide message integrity and confidentiality services.

(18)

Direct Trust Framework

Trust governance is deliberately absent from the protocol in terms of who, and only generally defined in terms of how

However, there must be allowed separate trust policies for incoming vs outgoing messaging

With rules governing the underlying PKI however (e.g. an appropriate CP) and a set of best practices for HISPs, it is also possible to achieve the 3rd security service of authentication, through an accreditation process

(19)

Direct Trust Framework

• One of the critical components of Direct that has had little definition until recently has been the Trust Governance aspect.

• When the Direct Project chose to focus on other technologic aspects, members of the Direct community participating in the Direct Project formed an industry consortium to address trust governance

• DirectTrust.org (DTO) is that consortium and is a membership based non-profit self-regulatory entity.

• The goal of DTO is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, and to foster widespread public confidence in the Directed exchange of health information

• DTO has created a Direct Trust Agent Accreditation Program (DTAAP) which has now been endorsed by ONC through a cooperation grant for providing accreditation for Direct entities on a national basis

• DigiCert is a Board member and founding member of DTO

(20)

Direct Trust

DTO

[Diagram, the HISP-as-an-Endpoint layout with DTO shown over it: Sender → Webmail → Sending HISP (E-Mail Server + Security/Trust Agent) → Direct (SMTP / S/MIME) → Receiving HISP (E-Mail Server + Security/Trust Agent) → Webmail → Recipient; SSL/TLS on the Webmail legs]

Direct Protocol Secures HISP-to-HISP

(21)

Direct Identity, Trust, and Address Provisioning w/HISP

[Diagram, Source: DirectTrust.org February, 2012. Parties: Healthcare Organization (HCO) and its HCO Representative (assumed to have a Digital Identity Certificate); Health Information Service Provider (HISP); Registration Authority (RA: Identity/Trust Verification, Compile/Validate Identity and Trust Documentation); Certificate Authority (CA: Certificate Signing Services, Revocation Services, Certificate Validation Service); LDAP Name System; Domain Name System (DNS). Numbered steps as recovered:

1. Enroll with HISP
2. Request Direct Organization or Address Certificate
3. Credentials and Documentation (Representative FBCA Credentials, Representative Authorization, Legal Entity Documents, Membership/Trust Agreement, HIPAA status)
4. Direct Organization Domain
5. CSR + Public Key
6. Certificate Signing
8. Direct Organization / Address Certificate
9. Direct Address / Org Certificate]

The CA and RA enforce the policies specified in the DirectTrust.org and FBCA Certificate Policies (CPs).

(22)

DirectTrust.org Accreditation

RAs:
Policy: Accredited Registration Policy (RP) or Certificate Policy
Practices: Registration Practices Statement (RPS)
Accreditation: Verify RPS maps to CPS or RP, audit

CAs:
Policy: Accredited Certificate Policy (CP)
Practices: Certification Practices Statement (CPS)
Accreditation: Verify CPS maps to Direct CP, certificate & CRL profile compliance, Accredited RA process, audit

HISPs:
Policy: Accredited HISP Operational Policy (HOP)
Practices: HISP Practices Statement (HPS)
Accreditation: Verify HPS maps to HOP, Direct messaging compliance, HIPAA privacy/security attestation, Accredited CA, audit

DirectTrust.org Trust Framework: Normalized HISP Operational Policy (HOP) + Certification and Accreditation against it to ensure compliance for technical, policy, practices, and legal sets of rules.

(23)

DirectTrust

Trust Framework

DTO publishes a CP that CAs and RAs can be accredited against.

– The CP allows for multiple Levels of Assurance (LoA)

Accredited CAs are placed in a trust bundle (the Direct equivalent of a browser certificate trust store) when accredited

Direct also allows the use of self-signed or non-publicly trusted issuing CAs as trust anchors

– Direct uses a flat trust model where each issuing CA or self-signed cert is included in a trust bundle

– This means chain validation is not required, only checking that any cert or its issuer is in an accepted trust bundle

– Which trust bundles to accept is an open question. ONC only endorses DTO at this point
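An added example, not from the slides or any Direct project code, that combines the flat trust-bundle rule above with the address-bound and domain-bound SAN rules from the Direct Technology slides, using Go's standard crypto/x509; the CA name and Direct address it builds are constructed test fixtures. Beyond what the slide states, it requires the bundled issuer to have actually signed the certificate, since an Issuer name alone is trivially copied by an unaccredited CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Bundle is a Direct trust bundle: the accepted issuing-CA / self-signed certs.
type Bundle []*x509.Certificate

// Accepted is the flat rule from the slides (the cert or its issuer is in the
// bundle, no chain building) plus the check the slide leaves implicit: the
// anchor must actually have signed the cert, since an Issuer name is copyable.
func (b Bundle) Accepted(c *x509.Certificate) bool {
	for _, a := range b {
		if a.Equal(c) || (a.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(a) == nil) {
			return true
		}
	}
	return false
}

// BindsAddress: an address-bound cert carries the Direct address as an rfc822Name
// SAN; a domain-bound cert carries the address's mail domain as a dNSName SAN.
func BindsAddress(c *x509.Certificate, addr string) bool {
	at := strings.LastIndex(addr, "@")
	return at > 0 && (has(c.EmailAddresses, addr) || has(c.DNSNames, addr[at+1:]))
}

func has(names []string, want string) bool {
	for _, n := range names {
		if strings.EqualFold(n, want) {
			return true
		}
	}
	return false
}

// Issue creates a constructed test certificate (self-signed when parent is nil).
func Issue(cn string, emails, dns []string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
		BasicConstraintsValid: true, EmailAddresses: emails, DNSNames: dns}
	if parent == nil {
		parent, pkey = t, key // self-signed anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

A certificate issued by a CA that merely reuses an accredited CA's name fails Accepted because its signature does not verify against the bundled anchor.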

(24)

CA Policy and Practices

• “The Certificate Policy (CP) & Certification Practice Statement (CPS) is a formal statement that describes who may have certificates, how certificates are generated and what they may be used for.”

– http://www.ietf.org/rfc/rfc3647.txt

• The CP defines the policies that must be adhered to

• The CPS describes the processes and practices that are used to implement the policies

• An audit determines:

– A) Does the CPS implement the CP

(25)

RA Policy and Practices

• The CP defines the policies that must be adhered to

• The Registration Practices Statement (RPS) describes the processes and practices that are used to implement the registration or identity vetting related policies

• An RPS is a sub-component extract of Registration-specific activities from the CPS if the CA is also an RA, or it is mapped to the CPS if the RA is an external party

• An audit determines:

– A) Does the RPS match the CPS

(26)

HISP Policy and Practices

• The HISP Operating Policy (HOP) defines the policies that must be adhered to

• The HISP Practices Statement (HPS) describes the processes and practices that are used to implement the policies

• An audit determines:

– A) Does the HPS implement the HOP

(27)

HISP – CA – RA Relationship

[Diagram, Source: DirectTrust.org June, 2012. Certificate Authority (CA): Certificate Validation Service, Revocation Services, Certificate Signing Services; governed by its Certification Practices Statement, PKI Audit, DirectTrust CP and FBCA CP. Registration Authority (RA): Identity/Trust Verification, Compile/Validate Identity and Trust Documentation; governed by its Registration Practices Statement, PKI Audit and RA Agreement. Health Information Service Provider (HISP): Direct Messaging Services, Direct Directory Services, Direct Identity, HIPAA Privacy & Security Compliance; governed by its HISP Practices Statement, DirectTrust Audit and the DirectTrust HISP Operational Policy (HOP). CA Agreement with SLA and Audit links the HISP to the CA]

(28)

Current DirectTrust Policies

• DirectTrust has 2 Certificate Policy documents that have been published

– V1.1 of the DT CP has only a single LoA, requiring FBCA Medium equivalent identity vetting processes and CA operations that are a lightweight version of the same

– V1.2 of the DT CP has 4 LoAs defined matching NIST SP800-63-1 and only requires FBCA Basic equivalent CA operations

• V1.3 of the DT CP is being developed

• DirectTrust is currently working on a HISP Operating Policy

(29)

DirectTrust

Full Accreditation

(30)

DirectTrust

Accreditation In‐Process

(31)

DirectTrust

A National Trust Infrastructure

HISP Name   | CA Operator | RA Operator | CP Compliance | Cert Type(s)
Cerner      | Cerner      | Cerner      | DT CP 1.1     | Org
Inpriva     | Inpriva     | Inpriva     | DT CP 1.1     | Org & Addr
Inpriva     | Inpriva     | Inpriva     | DT CP 1.1     | Org & Addr
Inpriva     | DigiCert    | Inpriva     | DT CP 1.1/1.2 | Org & Addr
Inpriva     | DigiCert    | Inpriva     | DT CP 1.1/1.2 | Org & Addr
ICA         | ICA         | ICA         | DT CP 1.1     | Org
Surescripts | Surescripts | Surescripts | DT CP 1.2     | Org
MaxMD       | MaxMD       | MaxMD       | DT CP 1.2     | Org & Addr
DataMotion  | DigiCert    | DigiCert    | DT CP 1.1/1.2 | Org & Addr
EMR Direct  | EMR Direct  | EMR Direct  | DT CP 1.2     | Addr

(32)

DirectTrust

A National Trust Infrastructure

HISP        | CA Name                                | CPS URI
Cerner      | CernerDirect Professional Community CA | http://www.cerner.com/CPS
Inpriva     | Inpriva Direct-CE CA                   | http://www.inpriva.com/cps
Inpriva     | Rhode Island Trust Community CA        | http://www.inpriva.com/cps
Inpriva     | Inpriva-ClickID CA                     | https://www.digicert.com/CPS
Inpriva     | RITC-Inpriva-ClickID CA                | https://www.digicert.com/CPS
ICA         | ICAPROD-ICA-SUB1-CA-CA                 | https://direct.icainformatics.com/resources/ICA_CPS.pdf
Surescripts | Surescripts Direct Issuing CA          | http://www.surescripts.com/SurescriptsDirectIssuingCACPSv1-0Abbreviated.pdf
MaxMD       | MaxMD CA v2.5                          | http://www.max.md/CA_Repository/MaxMD_CPSV1.2.pdf
DataMotion  | DigiCert Accredited Direct Med CA      | https://www.digicert.com/CPS
EMR Direct  | phiCert Direct Subscriber CA           | https://www.phicert.com/cps

(33)

(34)

Summary

• Direct = Secure Email for PHI data with 3 additional features:

– Addresses must be in dedicated healthcare domains

– Message Disposition Notifications (assurance receipts)

– HISP to ease PKI key management in certifiable secure infrastructures

(35)

Summary

• DirectTrust = Direct with end-to-end assurance by securing the last mile (STA to user)

– Accreditation of HISP, CA, RA (DTAAP)

– Trust Anchor distribution service

– National Trust Infrastructure

• Several HISP, CA, RA entities have already been accredited and many more are in the queue from EHR, HISP, HIE, and CA entities

(36)

Summary

• CMS is using the EHR Meaningful Use program to drive adoption of the Direct protocol to interconnect electronic healthcare record systems

• Health Providers have incentives under MU2 to communicate electronically with their patients, other providers, and

(37)

Questions

(38)

Links:

http://www.digicert.com/direct-project

http://www.directtrust.org/

http://www.directproject.org/

Scott Rea: (801) 701-9636, [email protected]
