Direct Exchange Security Guidance Issued
ONC Recommendations Could Help Build Trust
New guidance from federal regulators is designed to ensure a more uniform approach to security and interoperability among organizations implementing the Direct secure messaging protocol for health information exchange. And that could help build trust among those sharing data, says independent IT security consultant Tom Walsh.
The new guidance, Direct: Implementation Guidelines for Assuring Security and Interoperability, issued by the Office of the National Coordinator for Health IT on May 24, recommends a common set of policies and practices for use of the Direct protocol.
"The guide will help build confidence in [Direct] health information exchange," Walsh says. "The guidance provides some standards and requirements to meet in order to facilitate data sharing and establish trust among the participating entities that the party they are sharing the data with is, indeed, who they claim to be. Prior to the release of the guide, there may have also been trust issues with the participants."
The Direct Exchange protocol offers specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the Internet. It facilitates only the simplest form of health information exchange.
Leveraging the Direct protocol for data exchange requires the use of a Health Internet Service Provider, or HISP, and a certificate authority. The HISPs and CAs handle such tasks as encryption and digital certificate management. Although HIE organizations can serve as HISPs and CAs, others can too, including vendors of electronic health records (see: Will 'Direct' Exchange Doom HIEs?).
Health information exchange is a requirement for hospitals and physicians participating in Stage 2 of the HITECH Act incentive program for electronic health records. Data exchange based on the Direct protocol for secure messaging is one method healthcare providers can use to achieve Stage 2 requirements.
"The guide is important because it describes the growing public-private consensus around how to implement Direct Exchange in a manner that will be uniform, consistent, and lead to reliable health information exchanges and data flow," says David Kibbe, M.D., president and CEO of DirectTrust, a non-profit trade association. DirectTrust created and maintains the security and trust framework for using the Direct protocol.
"It's very important that people have confidence and trust in Direct implementers - the service providers such as HISPs, certificate authorities and registration authorities," Kibbe says. "No one can do Direct health information exchange on their own: collaboration is a must."
Recommendations in the guidance touch upon issues such as business associate agreements, trusted identities and risk assessment.
"ONC strongly encourages health information service providers providing Direct services to [healthcare] providers and hospitals for [HITECH] Meaningful Use Stage 2 ... to conform to these policies and practices and participate in accreditation programs and/or trust communities that adopt them," the guidance states.
Among the various security-related recommendations in the ONC guidance are that organizations using the Direct protocol should:
- Determine whether they are business associates under the HIPAA Omnibus Rule and thus must comply with the HIPAA Security Rule;
- Have contractually binding legal agreements with their clients who send and receive individually identifiable health information using Direct;
- Demonstrate - through either the availability of a written security audit report or formal accreditation provided by an independent third-party entity - conformance with industry standard practices related to meeting privacy and security regulations, in terms of both technical performance and business processes. HISPs that manage private encryption keys should perform a risk assessment and then take risk mitigation steps to ensure that the private keys have the strongest protection from unauthorized use;
- Issue Direct addresses only to organizations and/or individuals that have had their identity verified according to NIST Level of Assurance 3 requirements, at a minimum, through in-person or remote options.
Network of Networks
The network of networks that is evolving to support Direct exchange "will only be as strong as its weakest link," Kibbe stresses.
"If the policy and standards bar for security and trust-in-identity for Direct is set too high, the result will be that no one uses it - it becomes too difficult and too costly. But if the bar is set too low, then the risks and liabilities will quickly rise to the surface, and people will avoid Direct as being unsafe," he says.
"So, this guidance is part of the ongoing effort to set the bar at the right place, balancing ease-of-use and cost with tight enough security and trust to avoid risks."