Tuesday, May 14, 2013

Building a Trust Fabric in Massachusetts

Yesterday, several Massachusetts HIE stakeholders discussed how best to create a trust fabric among the array of vendors, organizations, and regional subnetworks that will exchange transfer of care summaries using the Meaningful Use Stage 2 standards.    Here's the presentation we used to facilitate our discussion.

Initially our state HIE, the MassHIWay, presumed it would be the certificate authority/registration authority for all state stakeholders, creating a trust fabric through a single set of processes and agreements.    As often occurs in life, theory and the practice differ.  

eClinicalWorks users are likely to use the eCW HISP to send and receive transactions from/to their EHRs, using SMTP/SMIME to connect to users of the MassHIWay.

Cerner users are likely to use Cerner's HISP are in the same way.

Epic users may use Surescripts' HISP similarly.

Meditech users will connect directly to the state's HISP via SOAP (XDR).

How do we knit together all of the HISPs into a trust fabric that authenticates our users, authorizes access for appropriate clinicians, and minimizes privacy risks?

It's clear that we must embrace technology and policies which enable HISP to HISP communications, not just a single HISP and certificate authority.

From a technology perspective there are a few options:
 - Use DirectTrust.org certificate bundles backed by processes that enable organizations to trust a common entity and thus transitively trust each other.
 - Create a Massachusetts specific process to trust the root certificates of each HISP that connects to the MassHIWay
 - Ask each provider in the state to sign a MassHIWay participant agreement regardless of the HISP they use, ensuring common policy and legal protections are in place.

We did not answer all these questions yesterday and we've assigned workgroups to finalize the policy and technology details.  We did accept the fact that there will be several HISPs connecting providers, payers, and patients in Massachusetts.  We'll need to trust other HISPs that have registration and certificate authority processes in place to identity proof/authenticate their senders and receivers.   The reality of Meaningful Use Stage 2 certified software is that sometimes the connections will be with the EHR directly, sometimes through the EHR vendor's cloud, and sometimes through third parties.  

Just as the internet itself is ultimately a network of networks, so will be healthcare information exchange in Massachusetts, the US, and the world.

2013 is the year we'll address the policy and technology barriers that have historically slowed adoption of large scale HIE.

No comments: