A look back and a look forward for DirectTrust.org and Direct exchange


David Kibbe

Dec 27, 2011, 2:42:51 PM
to DirectTrust.org
Dear Colleagues:

First, let me wish all of you a very Happy Holiday Season, and my
hopes that you're enjoying some restful time with family and friends.

Also let me thank you for your generous participation in the Rules of
the Road Workgroup, and now the workgroups and activities of
DirectTrust.org. The time, energy, and experience you have brought to
establishing a trust framework in support of Direct exchange is going
to make all the difference in assuring that Direct will meet its goals
as a secure, standardized, and easy-to-use means of health data
transport over the next few years.

I think it's appropriate at the start of a New Year to take a look
backwards to the origins of DirectTrust.org in 2011, and in that
perspective include some of the milestones along the way. After that
(in a separate e-mail), I'll also venture some predictions for the
coming year, and say a few things about where I think DirectTrust.org
may be going in 2012.

2011 Highlight #1 -- Getting Started.
The Direct Rules of the Road Workgroup was formed in April, 2011, when
David McCallie, Brett Peterson, Sean Nolan, Arien Malec, Greg Chittim,
myself, and several others got together to discuss what appeared to be
the "unfinished business" of the Direct Project, namely how and by
what means a trust framework could be established and maintained so as
to promote growth-at-scale for Direct implementations around the
country.

The need for a trust framework boils down to the requirement for a
Public Key Infrastructure for Direct exchange. Although I didn't
realize it at the time, a PKI is more than just the technology
involved in issuing digital certificates. Most of you did understand
that a PKI includes the architecture, organization, techniques,
policies, practices, and procedures that collectively support the
implementation and operation of a certificate-based public key
cryptographic system - an infrastructure for trust. We're talking
about something that is social and political, as well as economic and
technical. All needed if HISPs and HISP-CAs were going to
interoperate across boundaries.

And which didn't seem to be in place....

2011 Highlight #2 -- Thinking through what a Trust Community needs.
Gary Christensen and his team at the Rhode Island Quality Institute,
RIQI, certainly understood this, as they were setting out to create a
trust community in Rhode Island in the context of their role as the
designated entity for an HIE, a REC, and one of the Beacon Community
grants in their state. Gary, along with Greg Chittim and Brett
Peterson, were instrumental in guiding the RotR workgroup to take on
the difficult tasks of crafting a Digital Certificate Policy, CP, and
a "measuring stick" of criteria and best practices for security and
trust -- both of which would be necessary to guide and help govern a
trust community formed explicitly for the purposes of enabling Direct
exchange implementations to go forward with stability and
interoperability.

2011 Highlight #3 -- First mention of DirectTrust.org.
Very early on in these discussions, I think some time in May, David
McCallie of Cerner Corporation made the remark that, sooner or later, a
broad industry group would be required to maintain and enforce the
"rules of the road" for any trust community instantiating a PKI for
Direct exchange. I think what he said was something like, "Well,
there's got to be some group that sets the rules and can be the
'police' for the industry -- let's call it 'DirectTrust.org'. Even
though no one likes mentioning the idea of enforcing standards,
somehow it's got to be there eventually, or people won't be able to
trust one another." Leave it to David to bring up the uncomfortable
but very real issues involved! In any case, the name stuck.

2011 Highlight #4 -- The DirectTrust X.509 CP gets written and raises
important questions.
The work on the CP went forward very quickly in large part due to
Brett Peterson's energy and dedication to it. The discussions around
the level of identity verification stipulations within the CP led to
a series of meetings about the difference between digital certificate
issuance to organizations versus to individuals. In a debate that
continues to this day, there were some who favored a Direct exchange
PKI that would root uniquely to the FBCA, and others who were of the
opinion that requiring Direct exchange certificates to be issued only
by CAs cross-certified with the FBCA would incur unnecessary cost and
complexity, and perhaps lead to a delay in Direct exchange adoption in
this country.

The heart of the problem of requiring compliance with the FBCA
policies and practices for digital certificates within the context of
Direct exchange was and is this: Direct exchange is assumed to occur
among known providers, who are members of covered entities (or
business associates of covered entities) and thus regulated by HIPAA.
(Leave out for the moment the important issue of provider-patient
Direct exchange.) In practical terms, this means that the digital
certificates that HISP-CAs involved in Direct exchange would issue
for signing and encryption of messages could be issued to
organizations, e.g. medical practices, hospitals, laboratories, public
health departments, etc. who are, of course, responsible for the
identity verification of their staff and employees under HIPAA
security rules already in place (federal law).

This group certificate methodology would greatly simplify and reduce
the cost of establishment and ongoing management of Direct
implementations, as provider organizations could forego the costs of
having each individual go through identity assurance and issuance/
management of individual certificates. The health care organization
would need to prove that it was a valid CE, a valid BA, or attest its
compliance with HIPAA security and privacy rules, while also
submitting an organizational representative for NIST level 3 identity
verification. But individual staff of health care organizations thus
qualified for group certificates might utilize (and others would
trust) their group's certificate for the purposes of signing and
encrypting Direct exchange messages. Another way of saying this is
the obverse: a requirement for FBCA cross-certification and
individual certificates might very likely multiply the cost and
complexity of Direct exchange implementation many times, without any
apparent additional benefits in terms of greater security or trust, at
least for the "ecosystem community" whose members abide by the
umbrella of HIPAA.

2011 Highlight #5 -- The government isn't sure what its rules will be,
and confronts the conundrum of the Direct exchange community's special
needs
As of September, 2011, ONC is officially in a rule making mode re:
governance of the NwHIN, including both Direct and Exchange
components. Strictly speaking, until governance rule making is final,
only federal agencies and non-federal entities that are part of a
federally-sponsored contract, grant or cooperative agreement that
pertains to Nationwide Health Information Network activities can claim
to be engaged in NwHIN exchange. Expanding public/private activity
and involvement in the NwHIN, and particularly expansion of Direct
exchange activity, is one of the major reasons for the rule making,
according to ONC's Doug Fridsma.

One aspect of work running up to, and presumably contributing to, ONC
governance rule making on the NwHIN, was the HIT Policy Committee's
investigation of "architectural and operational alternatives for
cross-certifying Health ISPs[sic], HISPs, with the Federal Bridge
Certificate Authority, including an examination of potential benefits
and implications on cost, market dynamics, and complexity." This
occurred in August and September of 2011. (See
http://healthit.hhs.gov/portal/server.pt/document/955218/onc_certificate_interoperability_final_report_v11_0_ppt).

Initially, the ONC HITPC Tiger Team members had agreed to recommend
that "(A)ll certificates used in NwHIN exchanges must meet Federal
Bridge standards and must be issued by a Certificate Authority (or one
of its authorized resellers) that is a member of the Federal PKI
framework," under the assumption that a majority of NwHIN users
including small practices or hospitals using Direct exchange would
need to exchange information with federal agencies. This assumption
may or may not be accurate, but members of this community thought that
there well might be a significant demand for Direct exchange by
providers and other health care groups who did not, at least
initially, plan to exchange personal health data with a federal
agency.

In addition, as ONC had to eventually admit after discussions with
some of the RotR wg members and others, "(C)urrent FBCA policy does
not issue organization-level certificates, as required by Direct – nor
does it address the policies and procedures to verify organizational
identities." (ref. Certificate Interoperability S&I Framework
Initiative Final Report, PPT slides, August 17, 2011.)

Thus, the fit between the trust community involved in Direct exchange
and the PKI used by federal agencies and whose policies are the
province of the FBCA, did not seem as well matched as some had thought
it would be. Whether you see this as a limitation of the FBCA CP
because it was designed for a different community than health care and
different use cases, or alternatively that there is the need for
augmentation of that CP to be more appropriately scaled to meet Direct
exchange circumstances, it does seem there is a gap between what the
Direct exchange community needs and the federal agencies and
government contractors need with respect to a PKI.

It's my opinion that filling this gap in a creative and yet efficient
manner suitable to the Direct exchange community needs -- perhaps as a
Trust Bridge -- is one of the tasks that DirectTrust.org is being
asked to undertake.

In any case... As a result of these new findings about a gap between
what ONC has recommended and existing FBCA policy and practice, ONC
agreed to coordinate with GSA staff (the GSA has statutory mandate for
control over the FBCA) on the development of policy revisions and it
is almost certain that the NwHIN governance rule will cover policy for
organizational identity as well as new guidance on how to
operationalize organizational certificate issuance.

And that's pretty much where we are today, folks. We eagerly await
the federal rule on NwHIN governance in NPRM form, and trust that our
work will be complementary to it in a number of ways.

With very kind regards, DCK

*******

Brian Hoffman

Dec 29, 2011, 11:45:15 AM
to DirectTrust.org
I think this year has been very exciting on the whole for Direct
Project. Definitely interested to hear back from ONC regarding the
certificate situation as well as their stance on applicable use cases
for leveraging Direct. Thanks to all for their hard work.

BH
Booz | Allen | Hamilton