An Introduction to DirectTrust

Transcription

1 An Introduction to DirectTrust David C. Kibbe, MD MBA President and CEO, DirectTrust Senior Advisor, American Academy of Family Physicians Prepared HIMSS October 16, 2013

2 Goals for this brief presentation Provide an overview of the DirectTrust approach to national, scalable trust for Direct exchange implementations and their subscribers Present current status of membership goals and deliverables under the Cooperative Agreement with ONC Questions and discussion 2

3 Mission and Goals: DirectTrust DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit trade alliance dedicated to the growth of Direct exchange at national scale, through the establishment of policies, interoperability requirements, and business practice requirements. DirectTrust offerings include an accreditation service for Direct service providers, and a trust anchor bundle for scalable national trust. Security & Trust Framework EHNAC-DirectTrust Accreditation Program Trust Anchor Bundle Distribution Requirements 3

4 DirectTrust Members 4

5 A brief definition of Direct exchange Direct exchange is plus attachments for the transport of Protected Health Information between providers, and between providers and patients. Direct transport is point-to-point via Internet, with payload encrypted and digitally signed to assure security and trust-in-identity. Direct is NOT a secure messaging service. Direct is a federal standard required of all certified EHR technology for Privacy, security, and trust-in-identity controls are not specified by federal agencies or regulations.

6 Three separate roles and responsibilities from trusted agents combine to enable Direct exchange 1. HCO Direct Addressees Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard, Registration Authority (RA) Compile/Validate Identity and Trust Documentation 3. Healthcare Organization (HCO) Health Information Service Provider (HISP) The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP). 2. Certificate Authority (CA) X.509 Certificate Issuance Service Certificate Signing Services The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security. The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA. Certificate Validation Service Revocation Services Identity vetting at a specific level of Assurance, LoA. Crediential issued on the basis of RA s Identity vetting at specific LoA.. 9

7 This technology and trust framework supports Direct exchange between providers engaged in Stage 2 Meaningful Use programs identity validation encryption EHR EHR DrBob@direct.familypractice.com (has been identity vetted, has X.509 Digital certificate bound to address.) DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to address.)

8 This technology and trust framework also supports BlueButton+ as outbound-only from EHR to patient s receiving system (edge client) identity validation * MyPHR.com encryption EHR PHR DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to verifiable address.) JohnDoe@direct.MyPHR.net (has NOT been identity vetted, has X.509 Digital certificate bound to non-verifiable address.)

9 of Trust Communities Trust Community B Trust Community A Trust Community C

10 Contact Information David C. Kibbe MD, President and CEO DirectTrust.org