Direct Project exchange can be completed using a number of different workflow tools: electronic health record systems, a web portal, or a common e-mail client. If you choose to use an e-mail client to facilitate exchange, you will need to configure it to communicate securely with a HISP or other Direct Project endpoints.

In order to use an e-mail client for Direct Project exchange, you can either rely on the services of a HISP in order to manage how information is securely delivered to your endpoints, or you can manage this yourself within your e-mail client. If you choose to use the former, you will be configuring your e-mail client to talk to the e-mail server hosted by the HISP in a manner that is secure. All other security is handled by your HISP. To configure your e-mail client, you will
  • Obtain the SMTP and POP3 or IMAP domains for your HISP. Configure your client to use these domains for sending and receiving e-mail.
  • Configure these domains to use SSL, for both incoming and outgoing messages. This will secure the information transmitted between your e-mail client and the HISP. This step is required to protect personal health information passed in your message from the point it leaves your computer to the point it reaches the HISP's e-mail servers.
  • If your HISP instructs you to do so, configure the internal and external port numbers to the value supplied by your HISP.

In the configuration above, the HISP is responsible for delivering information securely: a process which includes managing how your messages identify you as their author and how you trust your endpoints to identify themselves, as well as trusting how you will secure the information exchanged between you. Instead of relying on a HISP to manage how you trust the addresses to which you send data, you may choose to manage this trust from within your e-mail client itself. In order to properly configure your e-mail client to support this, you will
  • Obtain the SMTP and POP3 or IMAP domains for your HISP. Configure your client to use these domains for sending and receiving e-mail.
  • In this model, you are not required to use SSL for these domains, although you may choose to if such services are offered by your e-mail service provider.
  • Obtain and install a certificate authenticating you as a valid Direct Project endpoint. This certificate can be self-signed, but it is more likely that it will be issued by a Certificate Authority (also known as a "Trust Anchor") that is recommended or provided by your local, regional, or national health information exchange facilitator.
  • Configure your e-mail client so that it can access to the certificates of those to whom you wish to send or receive messages. You will use these certificates to encrypt your messages so they can only be decrypted by your intended destination. You can configure your e-mail client to use an LDAP directory that contains information about your destinations' certificates. Alternatively, you can obtain the certificate of each destination by exchanging empty signed e-mail messages with your potential endpoints.
Additionally, your e-mail client will receive e-mail from any sender who knows or can guess your Direct address. When you receive a message, you should verify that the message has been signed: unsigned messages could be from untrusted senders. Additionally, if the message is signed, you must verify that the certificate associated with the signature is one you trust.