by David C. Kibbe, MD MBA

For those of you who may not have heard, DirectTrust was recently awarded a Cooperative Agreement under the Exemplar Health Information Exchange Governance Entity Program being run by the Office of the National Coordinator for Health IT (ONC), a division of the Department of Health and Services (HHS).  The grant period started on March 25, 2013, and will continue for one year.

Certainly, the award of this Cooperative Agreement and its funding in the amount of $280,000 is strong recognition of the solid work that DirectTrust members have accomplished over the past year and a half in building a Security and Trust Framework for Direct, and validation of the accreditation program for HISPs and CAs that we've partnered with EHNAC to offer to this large community of interest.

But I think what is says even more importantly is that collaboration is essential in making progress on standards for health information exchange.  Organizations of all types in healthcare -- including health IT firms, provider groups, health plans, HIEs and HIOs, and governmental agencies -- are best served if they do not continue to try to “go it alone” with health information exchange, but instead move to agree on, adopt, and promote compliance with uniform, consensus-based, and to the extent possible, tested and proven security and trust-in-identity policies and practices.

In particular, DirectTrust's success to date carries the message that healthcare organizations interested in data sharing can mutually benefit by rethinking how they engage with one another in the interest of helping individuals, both providers and patients, to allow health data and information to move more freely to where it is needed.  What is being "re-thought" is how to make it possible for all those individuals and their organizations to trust how data about them is being moved and being re-used.  

It's not an easy task to collaborate.  We haven't finished the job yet.  We might still fail, as there is always going to be a tension borne of narrow,proprietary interest that pushes back against collaboratiion and common cause. There will be attacks and criticism from those who say we're not doing enough, or that their goals are more important and deserving of support. It's also hard to persuade people that they ought to take a greater interest in their own health information and how it affects the care they provide or receive, and how something as simple as email plus attachments can measureably improve the outcomes of that care. 

But I'm encouraged nonetheless, and very grateful to the many people and organizations that remain committed to collaboration within the growing community that is DirectTrust.  This will be a very interesting year under the Cooperative Agreement with ONC, and I know one thing for certain: either we continue to collaborate or we will not succeed in reaching our goals.

by David C. Kibbe, MD MBA

On Monday, March 18, 2013, I presented a 25 minute presentation followed by discussion entitled "Scalable Trust: An Introduction to DirectTrust."   New members to DirectTrust especially may find this set of slides helpful, as they introduce the mission and goals of DirectTrust membership, and then lay out the argument for accreditation -- rather than individual one-to-one contracts --as the basis for "scalable trust."   

The presentation slide deck is available here as a PDF.

Kind regards, dCK

by David C. Kibbe, MD MBA, President and CEO, DirectTrust    

It’s hard to imagine that DirectTrust.org, Inc. (DirectTrust) was incorporated only in April, 2012.  That’s just over nine months ago, and seems a very short time given all that DirectTrust’s volunteer members have accomplished to advance the mission of secure, identity-validated Directed exchange of health information.   Having the honor and privilege of being DirectTrust’s first President and CEO gives me the opportunity to review some of the useful work that has been done to establish and maintain a Security and Trust Framework that will support Directed exchange, and possibly additional trust communities, well into the future.

First I’d like to acknowledge the leadership we’ve received from our Board of Directors, both the individuals and the companies that they represent, listed below.  Without their support and direction, we would not have been able to grow our membership to over 40 organizations that include healthcare providers, health IT product and service vendors, EHR technology firms, certification and identity providers, consumer organizations, state agencies, state Health Information Exchanges (HIEs), and consultants, and individuals representing patients and consumers.  Membership in DirectTrust is increasingly attractive to  a very broad spectrum of healthcare related organizations and individuals, who volunteer their time and effort to support the organization’s work and who also contribute through scaled annual membership dues.   Our Board of Directors includes the following people and organizations:

Brian Ahier, as the representative of Gorge Health Connect

John Blair, M.D., as the representative of MedAllies

Gary Christensen, as the representative of Rhode Island Quality Institute

Leslie Kelly Hall, as the representative of Healthwise

Andy Heeren, as the representative of Cerner Corporation

David C. Kibbe, M.D., as the representative of American Academy of Family Physicians

Scott Rea, as the representative of DigiCert, Inc.

Venk Reddy, as the representative of Walgreens

Paul Uhrig, Esq., as the representative of Surescripts

A special thanks is also owed to Alice Nyberg and her able staff at the Rhode Island Quality Institute  (RIQI), to Ginna Yost our web master,  and to Elise Dieterich, Esq. at Kutak Rock LLP, for their ongoing administrative and legal support since DirectTrust’s start.  DirectTrust has indeed been a team effort.

Secondly, I’d like to acknowledge the members of the active Workgroups, where most of the activity of DirectTrust takes place. Currently DirectTrust has four active Workgroups and one Sub-Workgroup.  The active workgroups include: the Citizen and Patient Participation in Direct Workgroup, chaired by Leslie Kelly Hall; the Security and Trust Compliance Workgroup, chaired by Andy Heeren; the Certificate Policy and Practices Workgroup, co-chaired by Don Jorgenson and Scott Rea; and the Trust Anchor Bundle Workgroup, chaired by Greg Meyer.  A sub-workgroup of the Certificate Policy and Practices Workgroup is the Tiger Team to Align ID Proofing of DirectTrust and the Kantara Initiative, chaired by Pete Palmer.   In addition to these workgroups, we’ve had an active Steering Committee for the Direct Trusted Agent Accreditation Program (DTAAP), which includes several DirectTrust members as well as Ron Moser and Lee Barrett from the Electronic Healthcare Network Accreditation Commission (EHNAC). 

Because of the dedicated participation of our members attending and participating in workgroup meetings on a weekly basis, and sometimes more often, we’ve been able to come to consensual agreement about “rules of the road” for participants and providers in Directed exchange, particularly for HISPs, CAs, and RAs. Over a remarkably short time, these “rules of the road” have become policies and best practices requirements which, taken together, create a Security and Trust Framework (Framework), operationally defined as a set of technical, business, and legal standards expressed as policies and best practice requirements related to privacy, security, and trust in identity, which the members of DirectTrust have agreed to follow, uphold, and enforce.  

Key elements of the DirectTrust Framework now in use include:

• the DirectTrust Community X.509 Certificate Policy (CP), recently updated to Version 1.2, which describes the unified policy under which a conforming Certificate Authority operates, and specifically, defines the identity vetting requirements and requirements for creation and management of X.509 version 3 public key certificates for use in applications supporting Direct Project message exchange. 
  
  The DirectTrust Community X.509 Certificate Policy follows the structure of Internet Engineering Task Force (IETF) Internet X.509 Public Key Infrastructure (PKI) Certificate Policy and Certification Practices Framework (RFC 3647), and is conformant with identity vetting policy from both the National Institute for Standards and Technology (NIST) Special Publications 800-63-1 and the Federal Bridge Certification Authority (FBCA) Certificate Policy (CP), and;
  
  
• the Direct Trusted Agent Accreditation Program (DTAAP), which is operated in partnership with the Electronic Healthcare Network Accreditation Commission (EHNAC), a national healthcare accreditation organization with seventeen years’ experience.   Accreditation plus audit is a key element of the establishment of scalable or federated trust among members of the Direct community, necessary for participant service providers to avoid costly and time consuming bi-directional contracts.
  
  The DTAAP has been beta tested with six HISPs, CAs, and RAs who currently offer Directed exchange services in two dozen states. The DTAAP was inaugurated to the public as of February 1, 2013, with planned accreditation coverage of service organizations conducting Directed exchange in all fifty states by the middle of 2013. 

An additional component of the Framework will be the DirectTrust Anchor Bundle Distribution Program, which is scheduled for testing in first quarter 2013 among the six beta DTAAP participant companies, with completion and expansion to national scale being one of the anticipated products of this Cooperative Agreement should DirectTrust become one of the awardees. 

I think you’ll agree with me that this is a lot of work to have been completed in nine months, by volunteers who all have day jobs, and with very limited funding and administrative support! 

So what’s on the horizon for 2013?  Looking forward, I see these among the many challenges and opportunities:

• As many of you know, DirectTrust has applied for an award program from ONC, called the Exemplar Health Information Exchange Governance Entities Cooperative Agreement Program. Quoting from the ONC website: “This grant program will allow ONC to work collaboratively with entities already involved in governance of health information exchange to encourage the continued development and adoption of policies, interoperability requirements, and business practices that will increase the ease of electronic health information exchange, reduce implementation costs, and assure the privacy and security of data being exchanged.”   If awarded a portion of this program (there would be at least two other governance entities as awardees under the terms of the grant), DirectTrust will be able to expand the reach of DirectTrust policies, interoperability requirements, and business practice requirements to additional participants seeking to become part of a national trust community dedicated to Directed exchange.   In collaboration with ONC, this objective would be achieved through the development of appropriate informational, educational, and outreach materials and activities, something our current budget and funding sources have not permitted us to offer.  We’ll know the results of the ONC selection process in late March.
  
  
• I  expect that our work in the area of citizen and patient participation in Directed exchange will gain momentum, particularly as Stage 2 Meaningful Use makes it possible for patients to “view, download, and transmit to a third party of their choice” relevant personal health information such as Clinical Summaries and lab and test results.  The “transmit” part of this requirement will demand Direct compliance for patient portals and PHRs, in most cases.  Recent changes in our Certificate Policy make it much easier for entities acting as HISPs to offer patients full participation status in Directed exchanges with providers, with clarity, transparency, and flexible choice as to levels of identity assurance.   It is not quite yet popular knowledge that Stage 2 MU requires all provider organizations to have operational patient-facing health IT systems, a development that is very similar in many respects to the advent of online banking accounts for bank and financial services company customers, and which occurred roughly over the period of 1993-2000.   As more and more provider practices and hospitals offer their patients these patient portals, the volume of patients who can manage and control their own health information will slowly but surely increase.  Identity, credentialing, and access management will be a necessary component of the patient’s online health experience, without a doubt.
  
  
• As the business models for Directed exchange of health information expand and mature, it is likely that we’ll see additional demand for Directed exchange beyond the clinical exchange paradigm of meaningful use.   Certainly the accountable care and payment reforms, that incentivize providers on the basis of quality instead of just quantity of care delivered, will drive provider organizations of many kind to adopt Directed exchange due to the need for standards based, inter-vendor communications in care coordination, transitional care management, and other patient population activities.  However, I also see a role for Directed exchange on the more administrative side of healthcare transactions, especially for document exchanges occurring between providers and health plans, health plan intermediaries, and health information handlers.  Medicare and Medicaid alone request many millions of documents a year from doctors, hospitals, durable medical equipment suppliers, and the like, most of which is now transacted by mail, fax, and courier.  Replacing these with s imple “push” exchange via Direct email represents an astronomical potential savings for health plans and for providers, too, subject to the caveat that identity assurance levels and security protections are adequate to meet the demands set by the relying parties.
  
  
• It’s good to remember that Direct and Directed exchange is not the only technology that calls for use of identity, credentials, and access management (ICAM) to be applied.   ICAM for both providers and patients is quickly becoming a part of the fabric that is enabling health information exchange to occur safely via networks and the over Internet. Assuring that high levels of security and trust in identity are present is important if the public is to trust that their personal information is handled fairly and confidentially.  Awareness of this has triggered a response within the healthcare industry and by governmental agencies involved in the regulation of health IT .   At least three high priority federal programs besides Directed exchange utilize digital identity and credentials, including:
   
  • The E-prescribing of Controlled Substances (EPCS) Program, governed by a standard promulgated by the Department of Health and Human Services (HHS) and with regulatory safeguards provided by the Drug Enforcement Agency (DEA), requires providers to become credentialed to use a two-factor authentication process for access to EPCS systems and certificates for signing of each controlled substance prescription.
     
  • The Electronic Submission of Medical Documentation program (esMD) is sponsored by the Centers for Medicare and Medicaid Services (CMS) and run out of the Standards and Interoperability Framework (S&I Framework) of ONC.  Its goals include the electronic signing and transmission medical documents requested by Medicare and Medicaid contractors and submitted by providers in medical practices, hospitals, durable equipment providers, and so on.  All actors involved in esMD must obtain and maintain a non-repudiation digital identity used for signing of documents.
     
  • The Automate the Blue Button Initiative (ABBI) seeks to make patients’ access to their own health information stored in providers’ EHRs easier and ubiquitous, and is based on patient participation in Directed exchange, which requires patients to utilize X.509 digital certificates within the PKI architecture of the Direct Project, at specified levels of assurance of identity.  The ABBI is sponsored by the White House and administered through the S&I Framework under ONC.  The Veterans Administration (VA) operates the largest implementation of Blue Button access for patients using the VA’s personal health record (PHR) known as MyHealtheVet.

As these applications for ICAM proliferate within healthcare it is becoming obvious that each community of trust and the agencies responsible for its regulation are developing separate and isolated identity provisioning, Public Key Infrastructures (or other token infrastructures), and policy frameworks.  If this trend continues, it is bound to impose significant duplication of requirements and additional, unnecessary cost burdens on individuals and organizations seeking secure and easy-to-use identity solutions in place of IDs and passwords. 

My hope is that the work started in 2012 by DirectTrust’s members will contribute in 2013 to more generalizable efforts to an alignment of health identity management activities for the healthcare ecosystem, within a single voluntary security and trust framework, and to providing uniformity, trust, and interoperability in online transactions engaged in by both healthcare professionals and patients.

As personal goals for 2013, I'd like to see membership top 100 organizations, and I'd like to see us develop a robust membership support program capable of meeting the needs for several different types of support needed by our broad and diverse membership.

by David C. Kibbe, MD MBA

In this blog post, I want to provide members of the Direct community my interpretation of the outcomes of the November 29-30, 2012, Scalable Trust for Direct meeting held by ONC in Washington, DC.  There will be a document forthcoming from ONC to formally memorialize the event, to be published soon we hope.   Fifteen of our DirectTrust.org members took part in this meeting either one or both days.  About 90 people attended all together.  Some important consensual decisions were made at this meeting, which taken together create a "new approach" to arriving at scalable trust for Direct during the coming months.

The basic reason for calling this meeting is the push that ONC and CMS want to give to Direct message exchange in 2013.  Farzad Mostahari, head of ONC, wants every certified EHR system to be able to "talk" to every other certified EHR system -- via Direct -- by the end of the year 2013.   And that's a very short period of time for all parties to act.  

As I've explained in previous posts, a key feature of Direct is the role played by the Health Information (or Internet) Services Provider, HISP, in assigning Direct email-like addresses to subscribers, and then processing the messages sent and received by the subscribers in a secure and trustworthy fashion.  The HISP is acting as a "trusted agent" for the subscriber/provider, guaranteeing the security and privacy of the messages from sender to receiver, and vice versa.  

There is thus significant liability and risk being assumed by any HISP; knowing whether and how to trust any other HISP is a big challenge.  In some ways, the security and trust issues here are similar to those of Bank A making an electronic transfer of funds to Bank B on behalf of customers.  There has to be a set of rules that the parties can trust and that are binding upon the counter party in the exchange.

One way to get this level of trust is for HISP A to sign a legal contract with HISP B.  However, that is a one-off solution, that, if required to be repeated between all HISPs, could take years to create a network effect.  Each contract might be slightly different than the next, and each HISP would have to have as many contracts in place as there are HISPs it wants or needs to exchange messages with.  Massively inefficient, slow, and costly.  In other words, not scalable.

But this is what has been starting to happen out there in the real world, mostly among a number of state and regional HIEs who are operating Direct exchange services. And to be fair to the HIEs, there hasn't been an alternative yet.  ONC want to head this off.  What ONC -- and most everyone else -- wants instead is for there to emerge an approach that would "scale trust" across the industry, so that a HISP in California would know how to trust a HISP in New York without a contract being necessary. Lower costs, less friction, no "dropped messages."

Thus, the meeting November 29 and 30 called Scalable Trust for Direct. Surprisingly, at least to me, a consensus was reached on several important points and issues, getting us much farther down the road to federated, and scalable, trust for Direct.  Here are the components of a scalable trust framework that participants in the meeting agreed to on Friday last, to the best of my memory.  

1. EHRs will be required to test and certify as capable of permitting their users to engage in Direct message exchange of health information, allowing for data to be moved across organizational and EHR system boundaries, at scale over the Internet.  This is already part of the regulatory fabric of Stage 2 Meaningful Use. Certification is expected to begin January 2, 2013.
   
   There are several routes that EHRs may take to achieve Stage 2 MU certification, e.g. they can become a HISP themselves, or pair up with a HISP and certify as a couple, or use SOAP+XDR with a HISP that offers that edge client.  In my opinion, many EHRs will choose to pair up with a particular HISP for testing and certification against the Direct standard, but no one really knows for sure.  This is an area that needs to be closely monitored by ONC.
2. There will be an accreditation body (or bodies) to assure adherence to industry standards, policies, and best practices for security and trust in association with Direct.  
   
   DirectTrust.org is the organization most ready to take on this role, having recently partnered with EHNAC, a known and trusted accreditation commission. DirectTrust.org and EHNAC plan to immediately begin a robust, rapid beta Direct Trusted Agent Accreditation Program with up to seven companies, and to begin accepting applications from HISPs, CAs, and RAs for larger scale accreditation by February 1, 2013.   Readiness of this program turns out to be one of the key ingredients to success of the "new approach" outlined here.
   
   
3. NIST Level of Assurance, LoA, 3 will become the baseline or minimum for identity vetting of health care professionals when issuing to them or their organizations X.509 digital certificates for use in Direct message exchange. This maps to an FBCA "basic" LoA.  FBCA "medium" LoA process and documentation will also be available for use by Direct subscribers when interacting with federal agencies and the VA.
4. The Direct Project will start a new Workgroup to create a standards-based method for the distribution of Trusted Anchor Bundles, these being groups of root certificates of accredited HISPs and CAs that, when placed in the trust store of any accredited HISP, will help to automate both security and trust.   
   
   In essence, this distribution creates the mechanism for HISPs to "know which certificates to trust, and which not to trust," and includes the notification for any revoked certificates. DirectTrust.org and the Western States Consortium (of HIEs) will participate in this new Workgroup, among others.
5. A "Federation Agreement" will be used to help build confidence in the certification and accreditation programs, possibly becoming part of the accreditation process from DirectTrust.org and EHNAC.  This document is additive to the accreditation process, not intended to replace it.  It should be kept very short, its major purpose to indemnify the parties from additional kinds of liability that might be incurred through federation of trust.
6. It is explicitly prohibited to an HIE or similiar entity to use one single X.509 digital certificate for all of its subscribers, as the HIE does not have the accountability for the various organizations and their members needed to satisfy HIPAA or the basic tenets of a PKI.  
   
   Several participants of the meeting contrasted an HIE using a single Direct organizational cert with a large medical practice or hospital doing so.  In the latter case HIPAA requires the covered entity to be responsible for the privacy and security actions of its employees or members, and the covered entity has accountability for them.  An HIE, on other hand, is not generally an employer of the many different medical practices and health care organizations that make up its membership, and thus has no way to hold them accountable.
7. ONC will engage in a number of supportive activities over the next 9-12 months, including convening meetings, engaging in educational activities, creating a lexicon of terms with definitions, and offering guidance in a number of areas where the parties see uncertainty about risk, especially with respect to "safe harbors" for breaches for trusted agents engaging in Direct message exchanges.

We will, of course, need to wait for confirmation from ONC as to any nuances that might be attached to these components of a new framework for getting to scalable trust for Direct. However, in my opinion, many disparate policy and best practice pieces of the puzzle began to fall together for the first time, and there has been created as the result a whole new level of certainty and confidence about how to proceed with Directed exchange in this country.  I'd personally, and on behalf of the membership of DirectTrust.org, like to thank the many people who gave of their time and expertise to attend this meeting, and whose good faith and willingness to assume good intentions contributed to this outcome. 

by David C. Kibbe

A challenge facing the Direct community in developing our Trust Framework is that of harmonizing that framework with existing standards utilized by the Federal government agencies that frequently interact with health care, as well as those developed and used by other constituencies and trust communities that follow Federal identity standards for their own interactions and needs.  "Silos" of identity management standards and tools are undesireable, and should be avoided, by design if possible.  And yet the needs of physicians, nurses, hospital staff, and patients for security, trust, and identity assurance in cyberspace related to Directed exchanges are not necessarily precisely those of the professionals in the Federal agencies, nor even other sectors in health care that have defined focused needs for identity credentials suitable to their members.  Thus, the need for interoperability of identity standards in health care's varied ecosystem is very real.  One size may not fit all.

From its inception as the Direct Project's Rules of the Road Workgroup, and during our transition to DirectTrust.org, members of this organization have consistently been supportive of the identity credential standards, policies, and practices of the Federal Government, including those of FICAM,  the FPKIA, the FBCA, and NIST. Our wiki, and now the DirectTrust.org website, have prominently displayed statements to the effect that DirectTrust.org seeks to work within the governance rules and regulations for the Direct Project promulgated by ONC and CMS, as well as according to the mandates of the ARRA/HITECH and the Accountable Care Act. Additionally, the DirectTrust.org Ecosystem Community X.509 Certificate Policy for Draft Use contains this explicit statement in Section 1.0: "This CP is intended to be fully consistent with the Federal Bridge Certificate Authority (FBCA) Certificate Policy. However, this CP is also intended to specify policies that further constrain the conditions under which a DirectTrust Ecosystem Community conformant digital certificate may be issued. In any case where this CP is found inconsistent or incompatible with the FBCA CP, the incompatibilities will be addressed at the time of policy mapping."

As further indication of our commitment to and support for interoperability, DirectTrust.org is a Participating Member of the Identity Ecosystem Steering Group, IDESG, a project that has come about through the agency of the National Strategy for Trusted Identity in Cyberspace sponsored by the White House, and which is run by the National Institute for Standards and Technology, NIST, and the Department of Commerce.  We are strong supporters of the NSTIC aim of establishing interoperable identity credentialing and management standards, and we are particpating in the Healthcare Workgroup of the IDESG, whose charter in part is "to identify, coordinate, and harmonize with ongoing and emerging Health Care identity initiatives, standards, and technologies."  We certainly hope that this Workgroup will make good progress in helping to avoid "silos" of identity standards as health care professionals and their patients begin to acquire credentials of various kinds.

While we do recognize that the Federal rules and standards that pertain to identity credentialing are not themselves monolithic or uniform -- for example, there are some differences between the methods and documents required for identity proofing and verification as set out for different Levels of Assurance (LoA) by NIST and by the FBCA, and there is not at this time a one-to-one mapping of LoAs between these two standards -- DirectTrust.org is completely neutral with respect to the choices that are made by various trust communities as to their uses of these standards, and we will seek to accommodate and harmonize these differences wherever possible.