Sharing electronic medical information is a highly complex initiative – which is why we’re thankful for an organization like DirectTrust to help establish a trust framework and educate industry leaders on how to share that information safely, and securely.
DirectTrust is a nonprofit, competitively neutral, self-regulatory entity initially created in 2013 by an Office of National Coordinator for Health Information Technology (ONC) Cooperative Agreement Grant to create the trust framework for The Direct Standard™ which was then called the Direct Protocol. Today, the DirectTrust is a thriving community that includes health information service providers (HISPs), Registration Authorities, Certificate Authorities, health systems, hospitals, doctors, clinical laboratories, patients, payers, EHR’s and other HealthIT vendors, and three Federal Agencies – the Veterans Health Administration, the Indian Health Administration, and the Social Security Administration.
In addition to creating the HIPAA compliant rules around sharing in the DirectTrust community, DirectTrust is also an ANSI Standards Development Organization with Consensus Bodies for three standards – The Direct Standard™, Trusted Instant Messaging, and most recently the IG for Notifications via Direct. DirectTrust HISPs, such as iShare Medical, provide secure encrypted bidirectional sharing of medical supporting provider-to-provider, provider-to-payer, payer-to-payer, as well as patient-to-provider and patient-to-payer using the Direct Standard™ for exchange.
The following is an excerpt from a webinar with Scott Steuwe, President and CEO of DirectTrust, regarding the 3 foundations of digital trust to share and exchange medical information.
>> Request the full webinar recording here.
When it comes to getting access to your data, it all comes down to the ability to get access to the medical records or medical health information.
If we can’t verify someone’s digital identity, it becomes problematic and even dangerous to share electronic information! The challenge in doing this begins with authentication and then authorization.
2 Factors Critical to Sharing Health Information
In other areas of our life, we have credentials that prove we are who we say we are. And those things grant us certain opportunities to move about the world -- things like a driver’s license or passport.
When we travel, or fly for instance, we show those credentials. But you didn’t get that trust credential the day you traveled. Instead, you got it days, weeks, or months in advance. You simply put it to use, showing that trust credential to TSA who is going to authenticate that the trust credential is valid such as looking at you and comparing you to the photo on your drivers license or passport and verifying that the drivers license or passport is real. If you match then you are authenticated to your identity and TSA will grant you access to the airport.
This is an example of a universal credential. It is trusted by the relying parties in the USA and even, in the case of a passport, outside of the USA.
While this is critical first step, this trust credential alone does not get you on the plane. To get on the plane you need a ticket. A ticket authorizes you to get on a specific plane or set of planes to travel from one valid location from another. This is similar with the Direct Standard™ because the origination and destination locations are validated before information is shared.
When it comes to trusted sharing of health information, you must have authenticated credentials (prove who you are) and authorized credentials (have permission for bi-directional sharing data between two locations).
The Missing Universal Trust Credential in Healthcare
The 21st Century Cure Act does not have a mechanism for a trust credential that can be relied upon by all parties. The Rule provides a mechanism through OAuth2 for the authorization (permission) but delegates to each provider organization authentication (proving who you are) through user to log in. The problem is that user log ins only work to authenticate the person by the organization that created it.
Therefore, Oauth2 is not a universal credential because it is only trusted by the provider organization that created it and not by other organizations. This means that each person has to get a separate log in to each system that they would want to share data with and get authenticated to each endpoint. This makes the current approach very hard to scale.
Being Certain of Someone’s Digital Identity
To safely and securely share medical health information electronically, DirectTrust HISPs like iShare Medical use a Registration Authority and Certificate. The Registration Authority provides identity verification, meaning you are who you say you are. In DirectTrust the level of assurance is to either LoA3 or higher in accordance with NIST 800-63-2 or IAL2 or higher in accordance with NIST 800-63-3.
Once the identity has been proven by the Registration Authority, then the Certificate Authority binds that identity to an X.509 certificate containing to two key pairs – one key pair is used for encryption of the message and the other is used for digital signature.
The Direct Address is then created and is bound to the Certificate. There's metadata behind the Certificate that provides information about the who is using the Certificate including things like:
DirectTrust Anchors use this certificate bound identity as a key component of how direct messaging works. In a DirectTrust Direct Message, the proven identity of the sender and receiver are always known.
Direct transaction bind the sender and receivers certificate such that there is in fact no way for anyone but the receiver to decrypt the message that's how these key pairs work.
It’s mechanisms like these that help patients, providers, and payers scale their efforts and create a more complete picture of the medical information for the patient.
>> Stay tuned for more updates on how we’re contributing to this overall goal!
Go Deeper on This Topic – Watch the Webinar
To learn more about the DirectTrust framework, the scalability of the network, and the role it plays in interoperability and how that affects your organization, we invite you to watch the entire webinar recording.
>> Request the Full Recording of the Webinar Here
___
Special Thanks to EHNAC and DirectTrust for sharing their insights on the webinar and providing the content to educate our industry!