Direct Secure Messaging
Communicating in the Healthcare World
Andy Nieto, Health IT Strategist, DataMotion
Post on 13-Jan-2017


Agenda

• Email and Direct in healthcare, a little history

• So what is Direct, really

– Certificates

– PKI

• Two forms of Direct

– Provider to provider

– Provider to patient

• Controls in place

• Direct ecosystem

• Integrating with Direct

• A look forward


Evolution of healthcare IT

• 1971 First email sent

• 1972 First EHR introduced

• 1996 HIPAA

• 2001 EHR system usage at 18%

• 2003 HIPAA Security Rule

• Feb 2009 HITECH - ARRA

• 2011 Meaningful Use Stage 1 attestation begins

• Jan 2013 Final HIPAA Omnibus ruling

• 2013 Meaningful Use 2 rules included Direct

• 2014 Attestation for Meaningful Use 2 begins

Email in healthcare - 2008

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so” (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology)

2013 refinement of HIPAA

• Privacy concerns

• Security concerns

• BAA – who is liable


Looks like email, acts like email – but ONLY for healthcare


You may end up with multiple Direct addresses.

So what’s the difference: Standard Email versus Direct

Standard Email:

• Standard message protocol

• Internet delivery

Direct:

• Standard message protocol

• Internet delivery

• Identity validation

• Secure encryption

• End-to-end trust & liability

What is Direct Secure Messaging

[Diagram: Sender (EHR system or mobile device) → Sending HISP → Direct transport (SMTP/S/MIME, with identity validation and secure messages & files) → Receiving HISP → Recipient]

The KEY - X.509 Digital Certificate

• Registration Authority (RA) confirms identity

• Certificate Authority (CA) issues certificate

• Healthcare Information Service Provider (HISP) manages certificate


What is PKI or public key infrastructure

Let’s say your safe deposit box is the information to be encrypted.

• Public key (bank’s key to safe deposit box)

• Private key (your key to safe deposit box)

Both are required to open and close the box, allowing you to see what is inside.

PKI with Direct

• Sender and receiver trust validated (identity confirmed with certificate)

• Message encrypted with receiver's public key

• Encrypted message sent via Internet to recipient

• Receiver’s private key used to decrypt
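The PKI flow on this slide (a CA issues a certificate bound to a Direct address, the sender validates that binding, encrypts with the receiver's public key, and the receiver decrypts with the private key) as an added Go example; it is not code from the presentation or from DataMotion. The CA, the keys and the address used are constructed, and RSA-OAEP on a short message stands in for S/MIME's content-key enveloping.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign issues a certificate from tmpl; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}
// Setup models RA/CA issuance: a mock CA (the trust anchor a HISP would carry) binds the constructed address addr to the recipient's key.
func Setup(addr string) (*x509.CertPool, *x509.Certificate, *rsa.PrivateKey) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rcptKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Mock Direct CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: addr},
		EmailAddresses: []string{addr}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, sign(leafTmpl, ca, &rcptKey.PublicKey, caKey), rcptKey
}
// Encrypt is the sender's step: the certificate must chain to a trusted anchor and be bound to addr before the message is encrypted with the receiver's public key (RSA-OAEP stands in for S/MIME enveloping).
func Encrypt(cert *x509.Certificate, roots *x509.CertPool, addr string, msg []byte) ([]byte, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	for _, e := range cert.EmailAddresses {
		if e == addr { // identity validated: use the public key carried in the certificate
			return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil)
		}
	}
	return nil, errors.New("certificate is not bound to " + addr)
}
// Decrypt is the receiver's step: only the private key matching the certificate opens the message.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

A certificate for a different address, or one issued by a CA outside the trust pool, is rejected before anything is encrypted, which is the "identity validation" step that separates Direct from ordinary email.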

2 types of Direct

• Provider to Provider

• Provider to Patient


Between providers

[Diagram: [email protected] ↔ [email protected], each identity vetted and holding an X.509 digital certificate bound to its address; EHR to EHR, with encryption and identity validation between them]

Between provider and patient via PHR or portal

[Diagram: [email protected] ↔ [email protected], each identity vetted and holding an X.509 digital certificate bound to its address; EHR to PHR, with encryption and identity validation between them]

Blue Button®

health record retrieval system

‘Blue Button’, the slogan ‘Download My Data’, the Blue Button Logo, and the Blue Button Combined Logo are registered Service Marks of the U.S. Department of Health and Human Services.

Who is in charge


ONC’s view of Direct


Focus view


HISP

Integration

Integration pathways for Direct

• XD* interface – typically to an EHR or HIE, not directly to a user

• Email client – POP & SMTP

• Web portal – HTTPS://

• Web service – APIs; typically to an EHR or HIE, not directly to a user

Is there a Provider Directory

• Multiple addresses per provider

– EHR

– HIE

– Hospital

– Association

• XD connections don’t require mailboxes

• No universal directory format

• Cellphone directory? Email directory?

How do I know it was delivered

• Message Disposition Notification (MDN)

– Dispatched

– Processed

The success view

[Figure: Direct – Messaging – Certification]

Direct today

• 44 States have adopted Direct

• Major Growth*

*as reported by the Direct Trust May, 2014

Who is Using Direct

What does the future hold

• Standard for healthcare communication and dialog

– EHR, HIE and Public Health Integration

• Patient engagement

– Self-reporting

– Syndromic surveillance support

• Product integration

• eSigning – Digital Certificate as Identity


Thanks

Andy Nieto

Healthcare IT Strategist

[email protected]

973-455-1245 x240
