Building a Framework for Secure ExchangeDirectTrust CEO Explains Best Practice Initiative
David Kibbe of DirectTrust says the group's effort to enhance its security and trust framework could help hospitals and physicians meet the HITECH Act electronic health record incentive program's Stage 2 health information exchange requirements.
DirectTrust received $280,000 in federal funding to expand security and trust best practices, standards and policies, with a goal of helping to enable nationwide health information exchange (see: HIE Security Best Practices Get a Boost).
DirectTrust created and maintains the security and trust framework for using the Direct Project for secure e-mail. The protocol offers specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the Internet. But it facilitates only the simplest form of health information exchange.
Healthcare providers will need to use security best practices to meet the HITECH Act electronic health record incentive program's Stage 2 requirements for health information exchange, Kibbe says in an interview with HealthcareInfoSecurity (transcript below).
"The most critical work that DirectTrust is going to do [as a result of that funding] is to facilitate and enable vendor-to-vendor, provider-to-provider, and provider-to-patient exchanges in line with the objectives for meaningful use Stage 2," Kibbe says.
Under the HITECH Act's incentive program, healthcare providers can receive incentive payments for meeting certain criteria. In Stage 2, which starts in 2014, secure health data exchange is among those requirements.
DirectTrust's work focuses on the direct exchange of health information using secure messaging and encrypted attachments. "Because these [messages] will include personal health information, they must be secure from tampering or disclosure en route, and must ensure senders and receivers that the messages are going to the right person, and ensure the identity of those in the correspondence," he says.
In the interview, Kibbe also discusses:
- Details of DirectTrust's new accreditation program launched with the Electronic Healthcare Network Accreditation Commission;
- DirectTrust's role in the Blue Button project, which enable patients to securely access, download and transmit their records.
- Why federal regulators hammering out voluntary guidelines for nationwide health information exchange need to encourage health IT vendors to keep secure messaging free.
In addition to his work at DirectTrust, Kibbe is a senior adviser for the American Academy of Family Physicians and principal at The Kibbe Group LLC, a health IT consulting firm. He also serves on a number of national boards and workgroups.
MARIANNE KOLBASUK MCGEE: To start, could you tell us briefly about DirectTrust and your role?
KIBBE: The individuals and member organizations of DirectTrust, which now number about 50, are collaborating to establish a set of common standards, policies and best practices around security and trust in identity. We call this a security and trust framework, and its purpose is to have a clear, transparent and open set of "rules of the road," so to speak, that directed exchange service providers can follow and enforce. My role has been to act as coach for what's really an exciting non-profit start-up.
Nationwide Health Information Exchange
MCGEE: Why's secure nationwide health information exchange so important? What are the biggest privacy and security challenges that need to be overcome?
KIBBE: In a phrase, lack of inoperability is the problem. We still have electronic health records that, for the most part, cannot talk to one another. Physicians and nurses who are using, let's say, Allscripts can't send messages to physicians and nurses using Epic, and none of them can communicate with patients. The whole purpose here is to create health information exchange that allows people to easily, safely and securely send messages and attachments to others as easily as we use e-mail today via Gmail or Apple mail.
The privacy and security challenges are that Direct is an Internet protocol, so these messages are going over an inherently insecure environment, namely the Internet, and the challenge is to make those messages secure via encryption and to assure the identity of the senders and receivers so that they aren't by mistake sent to the wrong person.
MCGEE: Tell us about the new cooperative agreement that DirectTrust has with ONC and the work you'll be doing?
KIBBE: The Officer of the National Coordinator for Health IT has decided to create a new program aimed at helping to accelerate the governance of health information exchange nationally, and DirectTrust is one of the two organizations that will now work very closely with ONC on that project. Specifically, DirectTrust will continue to expand our work in establishing this security and trust framework, the rules of the road. This is an ongoing process. It's not completed. We will advance the adoption of those rules through our trusted agent accreditation program, which we've developed in partnership with EHNAC [Electronic Healthcare Network Accreditation Commission].
MCGEE: What are the goals for the cooperative agreement with ONC?
KIBBE: The most critical work that DirectTrust is going to do is to facilitate and enable vendor-to-vendor, provider-to-provider and provider-to-patient exchanges in line with the objectives for meaningful use Stage 2, which is the [HITECH Act] EHR adoption program that awards bonus monies to providers, such as medical practices and hospitals, that use electronic health records. The overarching goal is to make these electronic health records - which are being acquired and used more and more every day; approximately 50 percent of America's physicians are now using electronic health records - able to communicate with one another.
The idea behind the Direct project, which initiated all of this, was very simple. Let's tackle the problem posed by these health IT systems that can't talk with each other. As a first step, use the familiar and ubiquitous e-mail plus attachments model or paradigm as the means to cross those boundaries imposed by the different health IT systems. The big difference, let me just say, is that Direct e-mail exchanges carry, or most of them will carry, personal health information, and therefore they must be secure from tampering or disclosure en route, and they must assure the senders and receivers that messages are going to the right person. That is, they have to assure the identity of the correspondence in those health information exchanges.
MCGEE: You made reference a few minutes ago that DirectTrust also has an accreditation program with the Electronic Healthcare Network Accreditation Commission, which is a standards organization. Could you tell us a little bit about that program? Why did you launch it?
KIBBE: We launched that program with EHNAC to make security and trust scalable. That is, so that exchanges of health information via the Direct standard wouldn't require the various service providers that are known as HISPs, or health information service providers, to contract with one another individually, but instead could use accreditation as a seal of approval. DirectTrust and its members are developing a policy of best practices. EHNAC has a long record of accreditation and audit, so it was a real natural fit for the two organizations to collaborate to create this accreditation program.
The thing that's important to understand is that HISPs are a lot like regular Internet service providers in that they provide Direct e-mail accounts and addresses, and then they manage the transactions for the subscribers. If you think about this, imagine that every time you wanted to e-mail someone with a Yahoo! mail account from your Google e-mail account, you had to invoke a contract between those two parties and they had to have one-off contracts with Mac.mail and every webmail service - you get an idea of how convoluted and expensive that could become. Accreditation is like both a test and a contract. It asserts the accredited party as practicing good security and is trustworthy.
Security, Privacy Efforts
MCGEE: Besides the cooperative agreement with ONC and the new accreditation program, are there any other privacy and security-related efforts under way or planned at DirectTrust that you can tell us a bit about?
KIBBE: One of the most exciting of those is our work in conjunction with ONC and others on the Blue Button project. The Blue Button is a way for patients, consumers of healthcare, to signal to their providers that they would like their health information downloaded or transmitted to a third party of their choice. Suppose you have a personal health record application that you use and you would like a doctor who you see to send a secure summary of your health information. Blue Button allows you to go online and indicate what address you'd like that information sent to and there it is.
We're involved with that project and are helping to figure out how to distribute the digital certificates which are part of the security and trust mechanism that allows encryption and signing of these messages when they go over the Internet. We're going to see for the first part of this award a focus on provider-to-provider information exchanges because meaningful use has that provision that the EHR vendors are working very hard to [achieve]. But in the longer term, provider-to-patient is just as important - and probably even more important when you think about what you can do with your personal health information to make your healthcare better, easier to understand. And it engages the patient in the decision-making.
HIE Best Practices
MCGEE: The Office of the National Coordinator for Health IT has developed some voluntary guidelines and best practices for health information exchange based on feedback that it's been getting from the healthcare sector. Can you comment on those?
KIBBE: ... Some of them came from DirectTrust. ... If you go back two years when DirectTrust was not an industry alliance, but was a workgroup within the Direct Project that we called the Rules of the Road workgroup, we had started to develop these guidelines.
One of the things we'll be doing within the framework in the context of this award is to increase the numbers of those guidelines and best practices to map what we have in our accreditation program with the ideas that have been framed up with ONC, filling in the gaps. One example that is very important as a guideline is that there should not be any charge, any transaction fee, for the basic messaging between health Internet service providers. This is one of those areas where the industry needs federal guidance and maybe a little bit of a firm hand on the shoulder, so to speak, because we're used to using e-mail without having to pay for the transactions. Sure, we often pay for the Internet service provider. Somebody has to get you connected to the Internet and set up the account. But you don't pay on a per-transaction basis when you send e-mails. If we did, we'd probably have a lot fewer e-mails. But we want to make sure that nationwide health information [exchange] and its governance has this free and open highway, so to speak - at least at the level of the face messages and attachments that go through it.
MCGEE: Are there currently EHR platforms that have a fee attached to sending a message back and forth?
KIBBE: Not that I know, and I think that's a good thing. The assumption has been all along within the Direct project and within ONC's guidance that, in fact, transaction fees would not be attached to Direct e-mail messages. But there's always that worry that someone will put up a toll booth and say, "In order to exchange information for these providers, you have to pay a fee." I'm just using this as an example, [but] it's one of those areas where public/private consideration of the issue and a guideline as a result of that will be very helpful.