Last week, MedAllies CEO John Blair, MD, was elected chair of DirectTrust.org, which concentrates on secure health information exchange (HIE) between providers and patients. DirectTrust’s direction going forward is of great interest in the healthcare industry because of the Office of the National Coordinator for Health Information Technology’s (ONC) recent announcement that it awarded DirectTrust.org (along with the EHR/HIE Interoperability Workgroup) an Exemplar HIE Government Program Cooperative Agreement.
Upon being named to the position, Blair cited “gaps related to trust and security” that he wants DirectTrust to address quickly, before they undermine the interoperability progress made by ONC and the Centers for Medicare and Medicaid Services (CMS), and ahead of Stage 2 Meaningful Use taking effect in January 2014.
In an interview with HealthITSecurity.com, Blair expanded on those comments and explained that he wants to focus on the access that Direct health information service providers (HISPs) receive when sending and receiving data through Direct networks. Some of the standards and transport specifications addressed in Stage 2 Meaningful Use, such as interface and content standards, have begun to help with interoperability, he said. However, there are still areas of concern when it comes to using Direct HISPs for interoperability between EHRs.
Concentration on access, not technology
In Blair’s opinion, HIE security technology has not lagged: under Direct, information has to be encrypted before it leaves a provider, it stays encrypted while in transit, and it is decrypted only when it arrives at the receiving provider.
Encryption has been handled with Simple Mail Transfer Protocol (SMTP) or Secure/Multipurpose Internet Mail Extensions (S/MIME) when you move HISP to HISP and the requirements on Transport Layer Security (TLS) between EHRs and a HISP cover [encryption as well]. So authentication and encryption have been dealt with technically.
As most followers of the government meetings on HIE standards and policies know, access has yet to be fully vetted. Blair described a hypothetical scenario in which one healthcare organization has very high security requirements on its network, which minimizes its risk, while another organization’s network, to which the first is now exposed, offers very low assurances. Blair would like DirectTrust to start forming a standard security floor around how organizations approach identity proofing. There are going to be minimum standards [for Direct] that start with HIPAA but have all types of access requirements, such as International Organization for Standardization (ISO), that ask more of healthcare organizations.
You need to start to create a floor that deals with access and baseline security. If I’m my own HISP, I know what my requirements are. But I have no idea who I’m receiving messages from on another HISP if they’re at the same level. I either take that chance and connect or I contractually obligate them, and even then, I’m still taking a risk unless I audit and do a bunch of other things. DirectTrust creates that floor of security standards that I’ll be comfortable with to the point where I’m willing to do transactions with other HISPs.
The idea is that an organization knows it has a certain assurance level with any accredited organization, because that organization has already met requirements that are auditable. Sharing between HISPs will be a requirement, and it becomes a service that DirectTrust manages and provides to trust anchors. Blair maintains that organizations can only go so far with specifications on standards. “When you start to cross over from certification to security, then you get to an accreditation process where you have to manually check things and audit them,” Blair said. “With access, how do you have a requirement on proofing so you can verify user access? These are the things that you need to add to ONC’s technical certifications to help handle security.”
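The “security floor” Blair describes, as an added illustration that is not DirectTrust’s or MedAllies’ code: a receiving HISP accepts a message only if the sender’s certificate was issued by an anchor in an accredited trust bundle, the sender’s certificate and the anchor’s accreditation are both current, and the anchor’s assurance level meets the local floor. The bundle format, the 1-to-4 assurance scale, the anchor names, fingerprints and dates are all constructed for this example and are not DirectTrust’s actual accreditation data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TrustAnchor:
    name: str
    fingerprint: str          # constructed placeholder for the anchor cert's fingerprint
    assurance_level: int      # constructed 1..4 scale for identity-proofing strength
    accredited_until: date    # date the HISP's audited accreditation lapses


@dataclass(frozen=True)
class SenderCert:
    subject: str              # Direct address of the sending user or organization
    issuer_fingerprint: str   # fingerprint of the anchor that issued this cert
    not_after: date           # certificate expiry


# Constructed bundle, standing in for what an accrediting body would publish.
BUNDLE = (
    TrustAnchor("hisp-alpha-anchor", "aa" * 32, 3, date(2014, 12, 31)),
    TrustAnchor("hisp-beta-anchor",  "bb" * 32, 2, date(2014, 6, 30)),
    TrustAnchor("hisp-gamma-anchor", "cc" * 32, 3, date(2013, 3, 1)),   # lapsed
)

LOCAL_FLOOR = 3   # assurance level this receiving HISP requires of any peer


def evaluate_sender(cert, bundle, local_floor, today):
    """Decide whether to accept a Direct message from the holder of `cert`.

    Returns (accepted, reason). All four checks must pass: the issuer is an
    accredited anchor, the sender cert is unexpired, the anchor's accreditation
    is still current, and the anchor's assurance level meets the local floor.
    """
    anchors = {a.fingerprint: a for a in bundle}
    anchor = anchors.get(cert.issuer_fingerprint)
    if anchor is None:
        return False, "issuer not in accredited trust bundle"
    if cert.not_after < today:
        return False, "sender certificate expired"
    if anchor.accredited_until < today:
        return False, f"{anchor.name}: accreditation lapsed {anchor.accredited_until}"
    if anchor.assurance_level < local_floor:
        return False, f"{anchor.name}: assurance {anchor.assurance_level} below floor {local_floor}"
    return True, f"accepted via {anchor.name} (assurance {anchor.assurance_level})"


def run_samples(today=date(2013, 9, 1), local_floor=LOCAL_FLOOR):
    """Evaluate constructed sample senders; returns {subject: (accepted, reason)}."""
    samples = [
        SenderCert("dr.smith@alpha.example", "aa" * 32, date(2015, 1, 1)),   # accept
        SenderCert("clinic@beta.example",    "bb" * 32, date(2015, 1, 1)),   # below floor
        SenderCert("lab@gamma.example",      "cc" * 32, date(2015, 1, 1)),   # lapsed anchor
        SenderCert("unknown@delta.example",  "dd" * 32, date(2015, 1, 1)),   # not in bundle
        SenderCert("old@alpha.example",      "aa" * 32, date(2013, 1, 1)),   # expired cert
    ]
    return {s.subject: evaluate_sender(s, BUNDLE, local_floor, today) for s in samples}


if __name__ == "__main__":
    for subject, (ok, why) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {subject}: {why}")
```

The point of the ordering is that anchor membership alone (the purely technical check) is not enough: a sender can present a perfectly valid certificate from a HISP whose accreditation has lapsed or whose identity-proofing level is below what the receiving organization requires, and those are exactly the cases a contractual or accreditation floor has to reject.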
Though Blair sits in on the Privacy and Security workgroup and the Federal Advisory Committee (FACA), he said DirectTrust doesn’t intend to dictate the level of assurance nationally.