HISP-to-HISP Discussion May 13, 2013. HISP Definition What is a HISP? An organization that provides security and transport services for directed exchange.

Presentation transcript:

HISP-to-HISP Discussion May 13, 2013

HISP Definition
What is a HISP?
  - An organization that provides security and transport services for directed exchange based on the Direct protocol
  - The term HISP does not have any authoritative meaning outside of the directed exchange protocol described in the Applicability Statement for Secure Health Transport (July 2012)
  - 2014 Certification Standards cover EHRs, not HISPs
What does a HISP do?
  Assurance
    - Provide assurance of identity of participant (entities and individuals) and justification for participation in the trust community
    - Issue and maintain Direct addresses to participants (entities and individuals)
  Security
    - Associate each address with at least one security certificate and assure Direct-compliant payload encryption as specified by each addressee
    - Maintain a keystore of public keys discoverable to other HISPs through industry-standard protocols (e.g., DNS, LDAP, other)
  Standards
    - Process Direct-compliant messages to and from assigned addressees using SMTP/SMIME (and optionally, XDR/SOAP), signed and encrypted using X509 certificates

Breakdown in the HISP model
A key goal of the Direct Project was to have federated, scalable trust whereby each HISP maintains a trust fabric through contracts within the HISP, but requires no further trust fabric formalities between HISPs:
  - Core HISP functions should be well-understood and transparent
  - Inter-HISP trust not needed due to end-to-end encryption
  - Applies only to directed exchange functions – not defined for other functions such as query
  - Relies on end-users’ trust across HISPs (i.e., end-users in one HISP accept trust established to end-users in other HISPs)
  - Services integration (provider directory, certificate exchange, etc) does not require complex business and technical agreements
Yet, in reality, we have encountered a number of operational issues that weren’t fully recognized at the time that Direct was specified
  - There is no statutory or regulatory oversight of HISPs – standards apply to EHRs, NOT to HISPs
  - Wide variety of models claiming to be HISPs – non-compliance with Direct specifications as well as allowable variations within the Direct-project specification
  - Inconsistent trust fabric requirements – wide variety of within-HISP trust models that at a minimum require diligence before enabling cross-HISP exchange
  - Scope of HISP activities – some HISPs perform more functions than just directed exchange, such as query-based transactions
  - Technical integration – provider directory integration is not standardized, requiring detailed and ad hoc integration approaches

The original HIway HISP concept
[Diagram labels: HISP; trust; integration; Massachusetts providers connecting directly through their EHRs; Other Regional and State HISPs; National-level HISPs (eg, Healtheway)]

Need for HISP-to-HISP policies
Original HISP concept envisioned HISPs as facilitators that would not require any type of HISP-to-HISP contracts
  - “there should be no need for HISPs to require contractual relationships as a precondition for exchange using Direct Project compliant implementations”
In practice, HISP-to-HISP contracts are proliferating
The proliferation of HISP models wouldn’t be as big an issue EXCEPT for the fact that many Massachusetts providers may only be able to connect to the HIway via HISP-HISP arrangements
  - Some will be forced to by their EHR vendors (eg, eCW, Cerner)
  - Others may choose to through local HIEs and nationwide networks (eg, Surescripts)
This adds policy, contract, and technical complexity to the HIway model
  - Trust/assurance approach
  - Revenue model
  - Service model (e.g., provider directory robustness and completeness, uniform Direct address domains, etc)

Need to define policy and technical approaches to variety of HISP models that exist in the market
[Diagram labels: HIway trust; HIway integration; HISP; HISP trust; HISP integration; HISP-HISP trust; HISP-HISP integration; Vendor Integrators; HIway Participants; Non-HIway HISP participants; HIway HISP Participants]

Many types of organizations that HIway needs to consider

Key areas to address in policy, contract, and technical requirements