ONC's Fridsma on Security for HIEs
Outlines Security Approaches for NHIN and The Direct Project
In an interview (transcript below) following a presentation at the Healthcare Information and Management Systems Society Conference in Orlando, Fridsma:
- Explains that the federal Direct Project amounts to a secure messaging system for simple "push" transactions that requires the use of authentication and encryption. The Direct Project open source standards are now in pilot tests. The standards can be used, for example, when a primary care physician sends patient information to a specialist after a referral.
- Outlines how the more complex transactions using the Nationwide Health Information Network standards require those making a query to present their credentials and then "it's the receiving organization's prerogative as to whether they will accept those credentials." For example, a hospital treating a patient in its emergency department might query other organizations to find out if they have electronic health records available for the patient. (Note: NHIN Exchange is a group of organizations testing the standards; NHIN Connect is the open source software involved.)
- Describes the upcoming NHIN Governance Rule, now in development, which will "describe conditions of participation" for those organizations that want to use the NHIN standards, including guidelines for privacy and security.
- Explains that the Privacy & Security Tiger Team's recommendations likely will be used in the NHIN governance rule as well as other regulations that ONC is developing in the months ahead. He points out, for example, that the Direct Project's encryption requirement is a result of the team's recommendation that steps be taken to ensure an intermediary routing a transaction cannot access patient-identifiable information.
- Outlines why it's too soon to tell how the President's Council of Advisors on Science and Technology's report calling for a universal exchange language might affect ONC's various projects. He points out that a workgroup is reviewing the report and comments received about it, and devising suggested alternatives for "how we might move forward and incorporate the PCAST recommendations into our ongoing work."
The HITECH Act, which funded the electronic health record incentive program as well as development of statewide health information exchanges, also called for the NHIN governance rule. ONC envisions the Direct Project and NHIN paving the way for the eventual national exchange of clinical information used in making treatment decisions.
Before joining ONC as director of interoperability and standards, Fridsma was on the teaching staff in the Department of Biomedical Informatics at Arizona State University and had a clinical practice at Mayo Clinic Scottsdale. In addition to a medical degree from the University of Michigan, he has a Ph.D. in biomedical informatics from Stanford University.
HOWARD ANDERSON: You are involved in two major health information exchange projects, the Nationwide Health Information Network and the Direct Project. Briefly describe each project and update us on the status of each.
DOUG FRIDSMA: So we can start with the Direct Project. That is the most recent initiative. The Direct Project was an initiative that we launched at HIMSS last year and very rapidly had community engagement, including the development of a couple of prototypes for how information should be exchanged and consensus around one approach using a secure e-mail transaction. In fact, just in the last couple of weeks, we've had production exchanges (pilots) using those specifications.
Comparing HIE Projects
ANDERSON: The Direct Project is for simpler one-on-one exchange?
FRIDSMA: It's for the simpler kind of secure e-mail way of exchanging information. The NHIN Exchange Project has been around much longer. That was started before David Blumenthal joined the Office of the National Coordinator for Health IT. It really has been focused on more complex and sophisticated ways of exchanging information. So rather than just having simple directed communication, the exchange works on a query.
So if you have a patient who is in an emergency room or is being seen in a doctor's office, the Nationwide Health Information Network has the specifications that allow you to query other hospitals and say, "Do you have any information about this particular patient," and then return this information. Both the Direct Project and NHIN have substantial security and privacy protections in place, but they handle things a lot differently.
ANDERSON: Can healthcare organizations now use the standards for NHIN or the Direct Project?
FRIDSMA: All of the specifications and even the code that was developed through the NHIN Connect Project is freely accessible. It is in the open source community. People can download it and use it. We have some organizations that will use NHIN Connect, but they aren't part of the NHIN Exchange. You have people that are part of the exchange who use NHIN Connect, and we have people who are part of the exchange that have built their own gateways to the specifications that we have. All of those things are public and accessible.
The same is true with the Direct Project. The specifications are free and easily accessible, and the code is available in both Java and in .Net that people can download and implement.
ANDERSON: There are ongoing tests of the Direct Project and NHIN, and the specifications are continually being refined, right?
FRIDSMA: Oh yes, absolutely. We always have to be certain that we've gotten things right and that if we've missed something we try to include that.
The Direct Project is based on a lot of existing standards that were developed through IETF (Internet Engineering Task Force), and so we didn't so much create a new standard as leverage an old one. ... With NHIN Connect, we continue to make sure that we've got our specifications right. We are developing testing infrastructure to make sure that people can assure that they are conformant to the specifications. ...
Privacy, Security Issues
ANDERSON: Compare and contrast for us the privacy and security provisions of the Direct Project versus NHIN.
FRIDSMA: Well there are a couple of things that are different about them. There is a lot that is the same. The Direct Project basically uses a secure messaging specification. What that means is that if you wanted to send a message to a provider, you would take your clinical document and attach it like you would attach a Word document to that e-mail. But the specification says that when you do that, you have to encrypt it. Even if it goes through an intermediary or it gets routed in a particular way, the Direct Project specifications assure that the person receiving the information knows it came from the person who sent it so there is no spoofing or pretending to be someone who you are not. It assures that the person on the receiving end knows the person that they got it from, and it also assures the person who is sending it that it will only be able to be opened by the person who is supposed to receive it.
So it is sort of like a handshake on both sides. The person sending it and the person receiving it have to be those individuals or those organizations, or otherwise you can't open the package.
ANDERSON: And how does it work with NHIN?
FRIDSMA: NHIN has a principle called "local autonomy." What it says is that when you issue a query to retrieve information back, accompanying the query is what's called a SAML, or Security and Authentication Markup Language, assertion.
When you query for information, you present your credentials at that time. Those credentials could be a certificate that has got some authentication. It could be that you said, "I signed on to my electronic medical record with my ID and password." It may say "I used my card to go in to the computer, and then I put in my password." ... But when you send the query, that query is accompanied with your credentials. It is the receiving organization's prerogative as to whether they will accept those credentials or not.
The Direct Project encrypts on both ends, and you need to decrypt -- you need to have that handshake to undo it. In NHIN, before information is sent you have to present your credentials. Then, of course, the information when it is received or when it is sent is encrypted as well, but it isn't that kind of handshake on either end. It is more that they are presenting the credentials that you have, and that is what unlocks your ability to access that information.
ANDERSON: The Office of the National Coordinator for Health IT is working on an NHIN governance rule. Can you describe for us the purpose of that rule, its potential privacy and security provisions, and when it is likely to come out?
FRIDSMA: Well there was one line in the HITECH Act that said that the National Coordinator shall establish governance over the Nationwide Health Information Network. That one sentence is what is driving the governance rule at this point.
We need to be able to describe: What are the conditions of participation? What are the things that we expect people to do if they are going to exchange information using the Nationwide Health Information Network standards? We don't want people to say, "I'm on the Nationwide Health Information Network," and have them pretend to be (compliant) even though they have not gone through the processes.
So the governance rule is an effort to create the rules of engagement or the conditions for participation. And those really break down into two areas. There are conditions of trust: We have to be assured that people are following good security procedures and that they are not leaving vulnerabilities in their system. Then we also have conditions of inoperability, which include following the specifications and their inoperability (standards). ... So the governance rule really is going to focus on what are the conditions of participation within the NHIN and how those break down into conditions of trust and conditions of inoperability.
Privacy, Security Tiger Team
ANDERSON: The Privacy and Security Tiger Team made a number of recommendations regarding health information exchange. Are those going to show up in the NHIN governance rule or the HITECH Act EHR incentive program requirements, or the pending HIPAA modifications, or all of them?
FRIDSMA: We are just now going over a lot of the recommendations. Obviously, privacy and security are such fundamental pieces of what it is that we are trying to do within the Office of National Coordinator. If you take the recommendations in their totality, they probably impact just about every program that we've got in the office. ... We certainly have used the Privacy and Security Tiger Team recommendations in the Direct Project. ... We've incorporated their suggestions into how privacy and security is handled. One of the team's big concerns was to make sure that there wasn't the ability to have intermediaries see patient-identifiable information. So the need to have the entire package encrypted was an important component there.
And we anticipate that as we go through the rest of their recommendations as well, we'll include those in the various programs that we've got.
ANDERSON: So it could show up in multiple places?
FRIDSMA: Yes, I think so. ... Within NHIN governance, it's a condition of trust, and it may be a condition of inoperability if we have to use particular kinds of technology to satisfy the recommendations of the tiger team. So it's going to show up in a lot of different places as we work through their recommendations.
ANDERSON: What about the role of the President's Council of Advisors on Science and Technology's recommendation for a universal exchange language. How does that fit into all these various projects?
FRIDSMA: As you know we launched a PCAST initiative within the HIT Policy and Standards committees. We have always tried to emphasize openness and transparency, and we use our federal advisory committees to help us when we're trying to struggle with some of the challenging things in front of us. So the PCAST workgroup is now going through the PCAST recommendations and will give us some synthesis of what people are saying out there in order to help us understand the impact of the PCAST approach on our various programs. The workgroup will provide us some alternatives in how we might move forward and incorporate the PCAST recommendations into the ongoing work within the office. So we anticipate that those will likely come out in the course of the next couple of months, and then we'll be able to incorporate those into the programs that we have within the office.
ANDERSON: So it is too soon to tell just how that will play out?
FRIDSMA: Yes, I think it is. We really have to give our advisory committees an opportunity to do the deliberation and the analysis and help us understand the impact and what alternative paths we might take in incorporating those PCAST recommendations, and how we can meet the timelines and the suggestions into the programs that we've got.