The Electronic Health Record Association (EHR Association) recently released advice on EHR and data transmission security in its paper titled "Practical Guidance to Implement Meaningful Use Stage 2 Secure Health Transport for Certification and Meaningful Use." The group broke down the security and certification requirements in Section 170.202 of the Stage 2 Meaningful Use regulations that apply to EHR and health information exchange (HIE) security.
The three transport standards adopted for healthcare messaging are:
1. ONC Applicability Statement for Secure Health Transport
This specification discusses the Direct protocol for provider-to-provider messaging. The core component of the technology stack is standard, secure email (SMTP/S/MIME).
2. ONC XDR and XDM for Direct Messaging Specification
This specification discusses the application of XDR and XDM to the direct messaging environment and the interaction between the primary Direct Project environment, which uses SMTP and RFC 5322 to transport and encode healthcare content, and the XDR (Web Services push) and XDM (Email with metadata) specifications.
3. ONC Transport and Security Specification
This document defines the primary set of Web Services-based (SOAP) security and transport protocols needed to establish a messaging, security, and privacy foundation for HIE.
Listed below are the Stage 2 Meaningful Use direct messaging send and receive security requirements.
SEND
1. Required Certification: (a) Direct SMTP Only
- The EHR vendor bundles, with the EHR module supporting the criterion that requires transport, the capability to locate a destination Direct email address and to associate the signing/encryption certificate with it.
- The EHR vendor partners with a third party operating as "relied upon software" to provide the capability to locate a destination Direct email address and to associate the signing/encryption certificate.
2. Optional Certification: (a+b) Direct with XDM
3. Optional Certification: (b+c) XDR (with SOAP)
RECEIVE
1. Required Certification: (a) Direct SMTP Only
- The EHR vendor bundles the capability to receive SMTP (as an email server or STA) and decipher the S/MIME attachment, and enables a POP or IMAP service to pull email from a specific email service mailbox, check the signature, and decipher the S/MIME attachment.
- The EHR vendor partners with a third party operating as "relied upon software" to provide the capability to receive an SMTP email and decipher the S/MIME attachment.
2. Optional Certification: (a+b) Direct with XDM
- This certification is optional in addition to (a), not instead of (a), as (a) is minimally required.
- This certification for receive is identical to (a) and adds only the ability to unwrap one or more C-CDA documents and their associated metadata and extract them from the S/MIME attachment.
3. Optional Certification: (b+c) XDR (with SOAP)
- XDR uses Web services rather than email as the transport, but offers the same ability to extract content from the SOAP message.
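As an added illustration of the receive-side checks above (not code from the EHR Association's paper or from any vendor), the following Python uses the standard library's email parser to confirm that an inbound Direct message arrives as an S/MIME envelope and, once decrypted, carries a PKCS#7-signed body from which the C-CDA attachment is extracted. Signature verification and decryption themselves are assumed to be done by a separate S/MIME library (not shown); the two sample messages and their placeholder bodies are constructed for this example.

```python
"""Structural MIME checks on an inbound Direct message (SMTP + S/MIME).
Constructed example for this article, not the EHR Association's or any
vendor's code. Signature verification and decryption are assumed to be done
by a separate S/MIME library (not shown); only the layering is checked here."""
import email
from email import policy

# Constructed outer message as received over SMTP: the S/MIME envelope.
OUTER = b"""\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

placeholder-ciphertext
"""

# Constructed inner message: what remains after decrypting OUTER.
INNER = b"""\
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/xml; name="ccda.xml"

<ClinicalDocument xmlns="urn:hl7-org:v3"/>
--mix--
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"

placeholder-signature
--sig--
"""

def is_enveloped(raw):
    """True if the outer layer is S/MIME enveloped-data (encrypted in transit)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return (msg.get_content_type() == "application/pkcs7-mime"
            and msg.get_param("smime-type") == "enveloped-data")

def check_inbound(decrypted):
    """After decryption: require a PKCS#7 signed wrapper, then list C-CDA parts."""
    msg = email.message_from_bytes(decrypted, policy=policy.default)
    parts = msg.get_payload() if msg.is_multipart() else []
    if (msg.get_content_type() != "multipart/signed" or len(parts) != 2
            or msg.get_param("protocol") != "application/pkcs7-signature"
            or parts[1].get_content_type() != "application/pkcs7-signature"):
        return {"signed": False, "ccda": []}  # never hand unsigned content to the EHR
    docs = [(p.get_filename(), p.get_content()) for p in parts[0].walk()
            if p.get_content_type() in ("text/xml", "application/xml")]
    return {"signed": True, "ccda": docs}
```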
Charles Parisot, Manager, Standards and Testing, GE Healthcare, and chair of the Association’s Standards and Interoperability Workgroup, led the effort to develop the white paper. “This was a great collaboration among workgroup members, bringing together the perspectives and experiences of experts from several companies,” Parisot said in a press release.