Health information service provider (HISP)-to-HISP communication has become among the most-discussed aspects of health information exchange (HIE) recently, as DirectTrust.org chair John Blair recently cited HISP identity proofing a as a security barrier. In yesterday’s blog post, Beth Israel Deaconess Medical Center CIO John Halamka offered some details on HISP-to-HISP interaction concerns in the Massachusetts HIE.
There are myriad issues with the Massachusetts having to support both XDR/SOAP and SMTP/SMIME transport protocols, at the top being the fact that a sender and receiver may not have protocols that line up correctly and one protocol needs to convert to the other. Halamka noted that XDR support is unique in that HISPs must hold the private key for use in the conversion from and to SMTP/SMIME.
Healthcare organizations have to be aware of four simple scenarios that may pop up:
1. An SMTP/SMIME sender to an SMTP/SMIME receiver
2. An SMTP/SMIME sender to an XDR receiver
3. An XDR sender to an SMTP/SMIME receiver
4. An XDR sender to an XDR receiver
Halamka explained that since the Massachusetts HIE stakeholders now fully understand the complexity of connecting different HISPs and government users with different protocols and how those communications make full encryption even more difficult. As he has in the past, he stated that he would prefer to not offer these options to HIE users and instead use application programming interfaces (APIs) like hData that include lightweight, web-based specifications for HIE.
Seeing how the Massachusetts HIE moves forward with HISP-to-HISP standards will be worth watching because clearly not everyone is in agreement as to the required protocols for communication. This directly impacts security as well, because as Halamka said, encrypting and securing the data becomes even more complex when there are disparate protocols.
For more information on HISP-to-HISP communication on a national level, check out ONC’s implementation guidelines for Direct exchange.