ONC’s Trusted Exchange Framework and Common Agreement (TEFCA) draft has so far been met with industry support, with organizations lauding ONC for working to strengthen trust and support for nationwide interoperability while also considering data security.
Health data privacy and security needs are key stakeholder considerations, with entities noting the need to address cybersecurity and authentication issues in particular.
The Electronic Healthcare Network Accreditation Commission (EHNAC) Executive Director Lee Barrett explained that federal support of healthcare’s current initiatives is critical. These initiatives are “in place to develop and enhance trust agreements and common exchange networks,” Barrett stated.
“Healthcare stakeholders are leveraging de facto technology and standards,” Barrett said in a statement. “Now is the time for us to work together to identify areas for improvement, close privacy and security gaps across networks, address vulnerabilities across HIPAA compliance, cyber protection and ransomware prevention, address authentication issues, and assure the highest levels of stakeholder trust.”
DirectTrust and the Direct protocol, blockchain, the Empowering People with Privacy and Personalization (EP3) Foundation, Sequoia Project, and Carequality are just some of the important trust agreements and exchange networks, Barrett pointed out.
He added that ONC’s draft shows the agency is continuing “to support the healthcare industry’s need to strengthen stakeholder trust and assure interoperability across the trust networks.”
DirectTrust President and CEO, David Kibbe, MD, MBA, had similar sentiments, but did observe that ONC had lofty goals and that the TEFCA time frame was ambitious.
“Under TEFCA, the status of an HIE would change to ‘qualified health information network’ (QHIN) upon signing of an agreement binding it to abide by certain principles, and to terms and conditions with respect to the use of technology and standards for access, interoperability, privacy and security set out in a ‘Trust Framework Agreement,’” Kibbe explained in an emailed statement. “The requirements for TEFCA, as released for draft, are lengthy and broad, and would almost certainly require HIEs to modify their current contractual relationships in the communities they now serve.”
DirectTrust will take careful consideration of how TEFCA moves forward, Kibbe added. New requirements could potentially affect DirectTrust member contracts and operations.
“Specifically, we will be listening carefully to what modifications to existing participation agreements and trust frameworks they think will be necessary to support provisions such as the additional permitted disclosures of health information by the QHINs, and what additional resources they will need in their networks to make upgrades to meet new mandated IT capabilities and align to certain trust and security practices,” he explained. “It may take some time for these comments and questions from HIEs to take form publicly, as the nature of these issues is complex.”
Kibbe also pointed out TEFCA’s discussion of identity management, and how the draft included strong security and identity assurance controls described in Part B of the new rules.
Identity proofing, authentication, access controls-authorization, policies for the issuance and management of digital X.509 certificates, encryption, private key protections, and explicit inclusion of controls for security and identity within the federal agencies and federal environment were all included in Part B discussions.
“Taken together, these policies and controls are known as a Public Key Infrastructure (PKI), which is generally defined as a set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates, and to manage public-key encryption,” he explained. “The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.”
DirectTrust operates its PKI as part of the Trust Framework, which has helped contribute to thousands of secure and interoperable relationships, Kibbe said. DirectTrust has also been collaborating with FHIR HL7 on how health information exchange can use this extra support and how such an approach can be successful in healthcare.
“We look forward to commenting in some detail on the security and identity controls of the PKI envisioned for the new TEFCA, and to supporting the work of the [Recognized Collaborating Entity] chosen by ONC,” he concluded.
Having a secure and trustworthy network for exchanging health information has been a key focal point for both EHNAC and DirectTrust for some time, and the two entities recently extended their accreditation agreement with one another.
DirectTrust extended its accreditation with EHNAC in December 2017, saying the partnership also provides “significant flexibility to Direct Exchange Network participants.”
“In addition to managing the Privacy and Security requirements of these accreditation programs, EHNAC’s role as an Approved HITRUST CSF™ Assessor adds a new dimension to our relationship with DirectTrust, as we continue our partnership to support the secure and interoperable exchange of PHI for some of the highest respected brands in our industry,” Barrett said in an earlier statement.