Notes from Best Practices WG
Date: September 30, 2010
Time: 1:00pm - 2:00pm EST
Attendees:
Nageshwara Bashyam, Greg Chittim, Gary Christensen, Tim Crowmell, Rich Elmore, John Feikema, Michael Firriolo, Don Jorgenson, Jack Kemery, David Kibbe, David McCallie, Patrick Pyette, Mark Stine, John Williams, Arien Malec, Uvinie Hettiaratchy, Jas Singh, Caitlin Ryan

Actions

Actions for This Week

#  | Date      | Action                                                                   | Status | Owner                                      | Due Date
7  | 9/30/2010 | Send high priority best practices items to David McCallie, Arien Malec.  | Open   | Best Practices WG members                  | 10/7/10
8  | 9/30/2010 | Read and comment on Certificate Pilot Recommendations Discussion.        | Open   | Best Practices WG members                  | 10/7/10
9  | 9/30/2010 | Start developing language around minimum policy requirements.            | Open   | Arien Malec and others with HIO experience | 10/7/10
10 | 9/30/2010 | Incorporate proposed edits in next draft (listed below).                 | Open   | David McCallie, Sean Nolan (absent)        | 10/7/10

Proposed edits for action 10:
  - Create a preamble about trust, what is implied and what is not implied, referencing the Security and Trust Overview document.
  - Develop additional best practices around what an organization is.
  - Clarify the middle paragraph of Question #3, about minimal policy requirements for a community.
  - Add clarification that there is no automatic renewal of certificates.
  - Reflect the need to discourage competition across HISPs in terms of identity and integrity.

Actions from Last Week

#  | Date     | Action                                                                                                                        | Status | Owner                     | Due Date
3  | 09/23/10 | Add "priority" column to Open Questions Tracker.                                                                              | Closed | Uvinie Hettiaratchy       | 09/30/10
4  | 09/23/10 | Include all questions (from Open Questions Tracker and Policy Questions for Implementations) in one table to easily prioritize. | Open   | Direct Team               | 09/30/10
5  | 09/23/10 | Review Open Questions Tracker in preparation for next Best Practices WG meeting (2010-09-30).                                  | Open   | Best Practices WG members | 09/30/10
6  | 09/23/10 | Reach out to Security and Trust WG to form an ad hoc subcommittee to discuss certificate management.                          | Closed | Uvinie Hettiaratchy       | 09/30/10

Agenda
Arien Malec
  • First order of business is to nominate a Best Practices WG lead.
  • Next, review Sean Nolan’s draft of recommendations for certificate management.
  • Third item, look at other key considerations that came from implementation geographies as high priority orders of business.
  • Fourth, discussing the best process for addressing questions from implementation geographies.
  • Arien has a process in mind he’d like to share.
  • He missed the last meeting, so he encouraged others to introduce other items of business.

Uvinie Hettiaratchy

Notes
David Kibbe
  • Nominated David McCallie as WG lead.

Arien Malec
  • Seconded nomination.
  • Asked if David McCallie is willing to serve as lead.
David McCallie

  • Is happy to walk through Sean Nolan’s certificate management proposal at today’s meeting, but his availability will be very limited in the coming weeks.
  • Wondered if someone more directly involved with an implementation community might do a better job in the role of lead.

Arien Malec
  • Suggested going forward with David McCallie in the role of WG lead for now, and then revisiting if it doesn’t work out.

David McCallie
  • Introduced Sean Nolan’s document on certificate management.
  • Noted that Sean put in a tremendous amount of work and produced a strong set of recommendations.
  • Sean was unable to make the meeting today.

Comment
  • Where is the document?

David McCallie

Greg Chittim
  • Can find in Discussion tab off of Best Practices WG page.

Rich Elmore
  • Added under Works in Progress on Best Practices WG page.

David McCallie
  • Document is 3-4 pages long.
  • Requires some reading and thinking for detailed discussion, but for this meeting he will provide a high-level summary.
  • The document takes into account the work being done on the Java and CSharp sides, and the capabilities of the security agents that can do the encryption into the S/MIME format, and asks what a starting point would be for guidance on certificate management.
  • The document is Sean’s initial response to the question and recommendations on what would be a reasonable approach to certificate management, given the constraints.
  • Important to note that this is not the only way that one can participate in Direct.
  • Decided in this proposal to focus on implementations that use the agent software.

Comment
  • What are the implications of deployment?
  • Talking about a specific kind of client?

David McCallie
  • Thinks (not normatively speaking, just his interpretation) that this would be a HISP-style model, where an entity manages the agent on behalf of users.
  • User would not be required to manage certificates on their own desktop, would outsource that responsibility to the HISP.
  • HISP could be local HIE, vendor, etc.
  • Essentially the HISP takes the burden off of the local provider to have to issue certificates.

Arien Malec
  • Doesn’t make assumption that client is an email client.
  • Could be an EHR or EHR module, as long as it can send data in the required model.
  • A HISP is as a HISP does.
  • With agent model, it is possible to package agent local to IDN, local to a physician’s practice, but looking at a HISP in this case that is running for a community.

David McCallie
  • HISP doesn’t have to be on the desktop of the person using.

Comment
  • Sounds like a good way to do it.

David McCallie
  • Goal of this document was to find easiest way to get a large number of people participating in the pilot.
  • Might not be the best way, but is the easiest.
  • Was one of the core principles from the very start.
  • Will go concept by concept through the document.

Certificate Pilot Recommendations Discussion
Question #1: Who is the Trust Anchor for the community?
  • Sean did some work on the difference between a community/organization/implementation/pilot.
  • Defines “community” as a group of organizations coming together to agree that they can participate in directed exchange, so they establish policies around trust, exchanging in pilot phase.
  • Might be desirable to do this at a national level, but pilots should be allowed region by region to make that decision, for now.
  • At a later date, will step back to reassess what is working well and what is not, and if there is a national baseline to establish certificate management going forward.

Greg Christensen
  • Wary of creating a situation where after a later reevaluation, there would have to be large changes.

David McCallie
  • Worst case scenario: existing certificates would have to be trashed if fundamental change makes them invalid.
  • Moving forward, will carry into discussion thread after call.
  • Sean organized the document into questions and pilot recommendations.
  • So communities set up certificates, and organizations sign certificates for their members or participating sub organizations.
  • Community creates root certificate, and the rest are managed from there.

Comment
  • Asked about a project that would have 2-3 HISPs.

David McCallie
  • If that community with multiple HISPs wants to participate, they would agree on a root certificate, and would use that root certificate to sign each other’s certificates.

Arien Malec
  • In the multiple HISPs model it would be appropriate for multiple HISPs to agree on policies they mutually trust.

David McCallie
  • Trust is mediated by which root certificates you have in your trust anchor store.
  • So this is different from saying you need a certificate from ONC or from Arien Malec’s personal PC certificate stamping tool.
  • Assumption in this document was that the easiest way for most participation is for the communities to create and manage root certificates themselves.

Comment
  • Is there consideration in this document about scale in the future?
  • May be ok to have 10-100 certificate anchors managed that way, but are 1,000 to 10,000 a problem?

Arien Malec
  • Holds a belief that eventually it will be just one or a few.
  • As a pragmatic approach, will start with one per community and work from there.

Comment
  • Equating community with pilot might not be accurate.
  • Probably depends on the use case.
  • Could be two different sets of participants.

David McCallie
  • Boils down to the pattern of exchange that is desired.
  • Exchange will not occur unless trust certificates are present.
  • If pilot wants exchange to occur in different organizations, easiest way to achieve that would be to have a common root certificate they all trust, but it is not a requirement to do that.

Comment
  • Doesn’t this also lead to the issue where you could have people who you don’t trust within your same community?

Arien Malec
  • Explained that the notion of trust is primarily around identities and not around what you’re going to do with the information.
  • Question is, “Do I have sufficient trust that when I send info to you, you are who you say you are, I am who I say I am, and that the data isn’t going somewhere in transit that I’m not aware of?”

Comment
  • Disagreed with notion about identity.
  • Agreement to a policy or set of policies establishes a community.

David McCallie
  • Agreed with Arien.
  • The policy that matters around interchange is around identity and integrity of message, not around other policies.
  • That second kind of trust is about who you choose to exchange with, not about trust certificates.
  • Organizations can make decisions to trust other organizations from a clinical or operational standpoint when choosing whether or not to exchange with them.
  • But for Direct trust certificates, need identity assurance.

Comment
  • How do we know standards line up from community to community?

Arien Malec
  • Other part of the document says, as an organization, I need to make a decision about which communities I participate in.
  • Sean Nolan wrote this document having been through a long discussion about the Security and Trust Overview document.
  • This document needs preamble pointing to that Security and Trust Overview document.

Comment
  • Is it one certificate issued to a given community by a CA?

Arien Malec
  • The current recommendation is that it is one per organization, rather than one per community.
  • Nelson Family Practice would get the Nelson Family Practice certificate, and Memorial hospital would get the Memorial Hospital certificate.

Comment
  • So that organization itself needs to provide identity proof?

Arien Malec
  • Has question on that topic about patients.

Comment
  • If it becomes an endpoint, have lost accountability.

Arien Malec
  • Should be a best practice that organizations should not mix functions.
  • If I’m a covered entity, I’m using data appropriate to the agreed upon methods.
  • If I’m doing other things with that data, I have a separate organization that is clearly marked as such and have separate policy for that.

David McCallie
  • Should avoid overloading those constraints onto directed messaging.
  • If directed address is a warranty for other behavior, slippery slope.

Arien Malec
  • Agreed.
  • Said he was wrong above.

David McCallie
  • For example, if I give you my business card, you don’t trust me because the card says “Cerner,” you trust me because you met me and it is me handing it to you.
  • Don’t want to overload the trust identity and integrity.

David Kibbe
  • Agreed strongly with David McCallie, partly because of the building competition up around this.

David McCallie
  • As a member of the Security and Trust Tiger Team, one of the reasons they were willing to carve out a special policy space for directed exchange, was because of the assumption that the two parties are known to each other, understand the purpose of their exchange, can meet HIPAA requirements that the exchange is encrypted.

Comment
  • Doesn’t that argue that we should be specific and consistent across Direct communities in terms of what kind of identity proof requirements?

David McCallie
  • Will come to that later in the document.

Certificate Pilot Recommendations Discussion
Question #2: Organization or end-user certificates or both?
  • “Organization” is defined as a small entity for which a group of providers work.
  • The model is designed so that either of these approaches can work, signing at an organization level or individual end-user level.
  • Reference implementation will be able to handle either one.
  • Sean Nolan recommended that even though in the long run we hope to have personal certificates, for the short-run, he is recommending that the pilots accept organization-based certificates, to be more realistic.
  • This decision is up to the pilot community, but this document is saying it is OK to use organization certificates.

Arien Malec
  • Would be useful to have more best practices around what an organization is.

David McCallie
  • Right, Sean’s examples of organizations are not exhaustive.

Comment
  • In trying to define “community”, it would be helpful to understand why the pilot project must choose one way or the other.

David McCallie
  • Thinks the assumption is that the overhead of actually generating and signing a certificate and getting into the DNS store is higher.
  • Have to do it for 100 entities rather than just for the organization itself.

Comment
  • Assumption right now is that if they are provisioning a manual certificate, it will be hard to do that at the individual level.
  • So it is an issue of the initial complexity of provisioning certificates.

Comment
  • So in order to roll out widely, there are many operational requirements.

David McCallie
  • Right, the spirit of the answer to Question 2 is to make it easy for participation to ramp up.
  • Instead of “strongly discouraging organizational certificates,” this will make it easier for organizations to get involved in the pilot phase.
  • There’s a subtle point buried in Question 2: some people already have digital signing certificates, because they may work for government entities that require them, for example.
  • Question is raised about reusing existing certificates.
  • Software model allows for reusing existing certificates.
  • It is also perfectly OK to have separate certificates for Direct even if you have existing certificates for other purposes.

Certificate Pilot Recommendations Discussion
Question #3: What should be minimum policy requirements for a community?
  • Policy with respect to identity management.
  • Basically trust that the HISP is a real entity, and that the members of that HISP have met some minimal level of ID verification, and go through a minimal level of authentication when they connect to their system.

Arien Malec
  • The recommendation is not fully developed yet.

David McCallie
  • Preference would be to tie requirements to a specific NIST level.
  • Would suggest that for pilots, could be relatively open, not 0, but won’t require, for example, two-party authentication.

Arien Malec
  • Would like to contribute a start, get a review team working on these minimum policy requirements.
  • The organization he used to be a part of had standard policy.
  • Was similar to what other HIOs came out with.
  • Willing to write first take, and invited Gary Christensen, Didi Davis, and others involved in operational HIOs to work on it with him.
  • Will then get back to this WG with proposal.

Comment
  • Agrees with the intent that they should focus on identity.
  • But the middle paragraph seems to go above and beyond.

Arien Malec
  • Question about identity assurance of the patient.

David McCallie
  • Great point—that should be clarified in the document. Can tweak.
  • Currently is easy to misread.

Certificate Pilot Recommendations Discussion
Question #4: What should be the expiration policy for certificates?
  • Recommendation: 18 months, with assumption that after a year you’d start the process of refreshing them.
  • Can change at last minute if we need to.

Comment
  • On Open Tracker list there are questions about how to reestablish trust after a certificate has expired.
  • Consensus was that there should not be an automatic renewal.
  • Pat Pyette was working on this.

Arien Malec
  • The reference implementation checks certificate validity at the time the message was sent, to ensure that the certificate was valid at the time of signature.
  • Should be impossible to see if the certificate is currently valid.
  • In general, this means that sending should work or should completely fail.
  • Should not be able to send to someone with an expired certificate and not know it.

Comment
  • Would fail or hold for some time, before seeing if certificate is refreshed.

David McCallie
  • Noting to add clarification: should not be automatic renewal.

Comment
  • Has something written up already, will circulate.
Certificate Pilot Recommendations Discussion
Question #1: Should our organization participate in a given community?
David McCallie
  • Should be in preamble: should an organization participate in a given community?
  • Identity/integrity.

Gary Christensen
  • When organizations need to make decisions when they have multiple HISPs to choose from, how they assert certificate management is a differentiator.

David McCallie
  • Would hope in the long run that competition around HISPs is around value added, not differences in identity and integrity management.
  • Hopes they all meet minimal requirements for identity.

Gary Christensen
  • Yet there are some quality issues related to HISP operation.

Arien Malec
  • Believes the quality of security practices is part of message handling policies.
  • Should insist that HISPs not compete in this field.

Gary Christensen
  • Agrees, but might require some effort to influence the market to be that way.

Arien Malec
  • At the Governance hearing, someone who managed these policies for VISA gave a testimony.
  • In the financial sector, they’ve made competition in identity assurance a non-issue because the barrier is very high.

David McCallie
  • Preamble could reflect the need to discourage competition.
Certificate Pilot Recommendations Discussion
Question #2: How should I format Direct addresses for my organization?
  • Recommendation: So long as addresses conform to the Direct address specification (in effect they are “normal” email addresses), there is no additional requirement on how endpoint names are chosen or domains associated with organizations.
  • Reason: if you start to impute meaning to the layout of something that is a screen, someone will get burned when that meaning doesn’t match what is implemented.
  • “Direct” implies it is compliant, but no such recommendation will be made to include “Direct” in the title.
  • For practical purposes, the way you reflect and create a new address may be easier if you use a new domain rather than a sub-domain, but even that is not a requirement, just a suggestion.

Greg Chittim
  • What is the point of view about whether “NHIN” should show up in an address?

Arien Malec
  • Strongly suggested best practice that the acronym NHIN should not be used.
  • Should also never imply sanctioned or endorsed by ONC or the federal government.

David McCallie
  • Will make sure to get points reflected in the next draft of the document.
  • In the end we better have a system that is secure enough so that if such a name were used, it would not be a problem because it would be secure enough.
  • Understands issue of avoiding implicit endorsement.

Certificate Pilot Recommendations Discussion
Question #3: Can we re-use existing email addresses for Direct messaging?
  • Technically yes but it is strongly recommended to not do so.
  • Should instead allocate a new address rather than mixing channels where some messages are secure and some are not secured within the same inbox.

Arien Malec
  • Should you use the same client for both?

David McCallie
  • It is recommended to use different email clients, but this factor should not affect an organization’s decision to participate or not.
  • Mistakes are less likely to occur when emails are kept separate.
  • If someone used an ordinary email to try to send to a Direct address, the message would get rejected.
  • Direct was designed to keep risk of security failure at minimum.

Rich Elmore
  • Out of band assurance: is there some other kind of level of assurance that only healthcare stakeholders will get certificates?

Arien Malec
  • This ties back to your trust in the trust anchor.
  • Software will check that it is issued to the certificate you are sending to, and signed by the trust anchor that you trust.
  • If you chose a certificate authority that is handing out certificates without proper identity assurance, you don’t have assurance.

Best Practices WG Work Process
  • Proposed that the approach used for the Certificate Pilot Recommendations Discussion is the correct approach, with small team drafting language then the larger team reviews the draft.
  • We’re better off reviewing and amending than we are drafting things as a large group.

John Feikema
  • Agreed with working process.

Gary Christensen
  • Agreed with approach because a lot of the best practices questions require expertise WG members don’t all share.

David McCallie
Assignments for the week:
  • Arien will contribute language to minimal policy requirements based on his previous experience.
  • With Sean Nolan, David McCallie will create a preamble about trust, what is implied and what is not implied.
  • Some important points were raised during discussion; he will discuss with Sean Nolan and work with him to have them reflected in the next draft of the document.
  • Please read and comment on the document, Certificate Pilot Recommendations Discussion.

Arien Malec
  • Send high priority items for future weeks to David McCallie, Arien Malec.

Greg Christensen
  • How do you print off of the wiki?

Arien Malec
  • Select PDF option by going to tab at the top of the page.