DirectTrust

DirectTrust is a collaborative non-profit association to support secure, interoperable health information exchange via Direct Message. DirectTrust has created a “trust framework” that extends use of Direct exchange to over a million Direct addresses/accounts.

David C. Kibbe, MD, MBA, President and CEO of DirectTrust, joins us to discuss DirectTrust’s milestones, progress, and the challenges that face interoperable health information exchange. He emphasizes the importance of simplicity, security, collaboration, and the need for interoperability to be seen as advantageous from a business perspective.

DirectTrust is a health IT trade alliance dedicated to interoperability and trust, and has a membership of over 130 organizations including many of the best, well-known IT companies and brands in the U.S. It is thus natural for DirectTrust to collaborate with HIMSS, attend HIMSS Annual Conference regularly and participate in HIMSS Task Forces and Work Groups.

The most rewarding aspect of our HIMSS membership has been our own members' participation in the Interoperability Showcase and other events, forums and groups that promote Direct exchange and messaging as one of the tools healthcare provider organizations and patients can use for secure health information exchange. Participating in HIMSS’ surveys has also been important.

DirectTrust is an outgrowth of the Direct Project for secure, standards-based and interoperable health information exchange.

Milestones in our history include:  

  • May 2012: Establishment of DirectTrust as a non-profit trade alliance
  • February 2013: Launch of our Accreditation Programs for HISPs, Certificate Authorities and Registration Authorities in partnership with EHNAC
  • March 2013: Receipt of a two-year Cooperative Agreement under the ONC/HHS Exemplar Health Information Exchange Governance Program
  • 2014: Reached 40 fully accredited HISPs in our Accredited Trust Anchor Bundle
  • 2015: Achieved agreement with the 23 federal agencies of the Federal Health Architecture, FHA, for the establishment of a DirectTrust Governmental Trust Anchor Bundle
  • 2016: Launch of the DirectTrust Governmental Trust Anchor Bundle
  • 2016: The DirectTrust network has reached 70,000 health care organizations via 350+ EHRs with 1.4 million endpoint Direct accounts and over 98 million Direct transactions

The most dramatic changes we have seen include the adoption of EHR technology by a great majority of providers and hospitals, along with the integration of Direct exchange and messaging into those EHRs through ONC certification requirements starting in 2014.

Additionally, the increased federal pressure on all parties to share clinical information and to make access and interoperable exchange mandatory through a combination of carrots and sticks is a significant change to the field.

Some might argue that the federal government has moved too forcefully and too quickly with the regulations regarding EHRs and their meaningful use. The entire health IT industry has indeed faced challenges of moving so quickly over the past decade and it has at times been exhausting. However, DirectTrust was established to scale trust relationships across the boundaries of different organizations and different EHR and IT systems, and we have persevered in that effort for over 5 years with good results. 

I expect the current suite of interoperability standards including eHealthExchange, XDR/M, the Direct standard, FHIR, C-CDA and perhaps innovative combinations thereof to continue to mature and find their way into most healthcare organizations large and small. We will also see EHRs improve their user interfaces, software features and functions for all of these, making them more usable.

I expect fax, mail, and courier services to be diminished significantly, as electronic health information exchange is much less expensive and represents a significant security and trust upgrade.

We are preparing for the growth in Direct and these other modes of interoperability by focusing on what we do best as an organization: to scale trust nationally via a Public Key Infrastructure, or PKI as it is usually abbreviated. We anticipate that, regardless of the technologies and standards used for sharing of health information, the requirement for trust and trust-in-identity will apply, and probably grow in importance as the incidence of data breaches approaches epidemic proportions for healthcare organizations of every kind.

One strategic activity that we are currently working on is that of becoming a Bridge Certification Authority for Healthcare. A Bridge Certification Authority (BCA) provides the means to leverage the capabilities of existing corporate or industry segment Public Key Infrastructures (PKIs) and to extend/scale trust across these segments in an efficient manner via interoperable identity credentials. The role of BCA for the health information exchange community within the healthcare industry is a logical extension of DirectTrust’s service offerings for scalable trust, as we already operate a very similar infrastructure of anchor certificate bundles based on a trust framework and policies for issuance and management of X.509 digital certificates.

Businesses deploy PKIs for a variety of reasons, such as to support internal business processes, implement virtual private networks for exchange of information, secure corporate assets and assure identity for access to networks. In addition, most businesses have partnerships with other business segments for economic reasons with whom trust is an important factor. Examples of specific uses of PKI in securing computer systems include:

  • Client and server authentication: Ensuring systems and devices are authorized to connect to a private network including mobile and IoT (Internet of Things) devices.
  • Ensuring data privacy: Encrypting both internal and external network traffic, securing email and VPNs.
  • Digital signing: Ensuring message integrity for network communications, documents and data.

DirectTrust currently has published a Request for Proposal and Quote in order to explore how best to partner with established certificate authorities to operate a Healthcare Bridge CA. This is a priority for DirectTrust because it may allow us to more easily offer our trust framework and Certificate Policy to support additional information technologies, such as FHIR and blockchain, for interoperable health information exchange. This is strategic because it does not make economic sense for these communities of interest to re-invent a scalable trust framework or build out their own PKI when we have that capability already built.

I’ve already mentioned that DirectTrust is an outgrowth of the federal efforts of the Direct Project, and that we worked under a Cooperative Agreement with ONC for two years. This was a formational period during which we were charged with and met a number of aspirational goals, including: creation of the Accreditation Programs, engaging the FHA and federal agencies for their uses of Direct, and building a national Trust Anchor Bundle infrastructure with 40 HISPs.

We continue to liaise with ONC regularly, and to work with them on the evolution of the Direct standard specifications.

DirectTrust has had over 40 Health Information Exchanges as members, and currently supports twice that number using Direct exchange and messaging on local, community, or state bases. We work collaboratively with just about everyone in the healthcare industry who supplies Direct exchange services or is involved in using these services. We also work collaboratively with vendors who have their own systems for sharing health data, organizations that support these forms of exchange technology and organizations like HIMSS, who have a broad educational and marketing interest in healthcare IT and interoperability. Our informal motto is “collaborate or die.”

One of the greatest challenges we have overcome was working with the 23 federal agencies of the Federal Health Architecture to meet or exceed their very stringent privacy, security, and trust-in-identity controls, and incorporating these controls into our Governmental Trust Anchor Bundle such that federal agencies like the VA, Indian Health Service and CMS can use Direct exchange to transport and exchange health information between the private sector and the federal space.

One of the lessons we have learned is that despite the enormous benefits of electronic health information exchange over the use of paper-based mail, fax and courier services, the federal agencies can move slowly. We have learned to be patient and have faith that innovations that save lives and save costs will ultimately be adopted.

David Brailer, the first head of ONC, stated this about obstacles to interoperability a few years ago, "There just isn’t a business case for interoperability in fee-for-service healthcare." That is still the biggest obstacle that providers, their organizations, patients and consumers face. There has to be a business reason for any technology to be adopted at scale.

It is now true that value-based healthcare payments are starting to change the reluctance that many healthcare provider organizations have had to sharing health information on “their” patients with other organizations who might be competitors. They are starting to put in place care coordination programs and population management programs where interoperability is a must-have for the workflows involved to manage the risk. If you share patients, you need to share information about the patients. DirectTrust and our members have grown steadily, with numbers of transactions doubling every year since 2013 despite the slow inroads being made by value-based payment.

We are also starting to see provider organizations focus on another business case for Direct interoperability that is somewhat less influenced by payment methodology: the economic case for replacing paper-based mail and fax with Direct messaging. It is electronic, secure and ubiquitous, saving money on paper, personnel and equipment costs. It is better, cheaper, more secure and faster than mail or fax. If that means faster payment to the provider, it is worth the change.

The best advice I have been given is to “keep it simple.” It is not as easy as it sounds given the complexity of standards for transport, content, security, identity, vocabularies and interfaces, all of which have to be combined like an orchestral score to make interoperability work in the real world.

However, Direct exchange is a comparatively simple means of exchanging health data and information via a “push” model that is a lot like e-mail. If it can be made simple for the end-user to set up and deploy (quite a challenge that we have not quite mastered for everyone just yet), then it will be successful.