HISP Rules of the Road Meeting - May 6
- Introduce and review the changes made to the consensus statement (more below). Do a round for comment.
- Discuss a deadline for our work. The HIT policy committee privacy and security tiger team is looking to make recommendations in this area in very early June. We should target a "good enough" consensus statement by May 27th.
- Discuss an operating model going forward for rapid progress. The suggestion is to create multiple discussion threads on the wiki addressing specific topics in the consensus statement and use the Friday phone calls to review progress for the week.
Revision 3 of the Direct Rules of the Road Consensus Statement is in place. Changes include:
1. Combined the CA and RA roles into a single Health Identity Provider (HIDP) role.
2. Updated the "Rules of the Road for HIDPs" section with more specific material for discussion.
3. Changed the "Granularity of Trust" section to recommend use of root certs in truststores when feasible.
4. Inserted a specific idea for the responsibilities of a governance entity in the Governance and Oversight section.
Attendees
· Brett Peterson (ABILITY) co-chair
· Brian Ahier
· John Williams
· Gary Christensen
· Don Jorgenson (Inpriva)
· Boris Shur (Secure Exchange Solutions)
· Noam Arzt
· Arthur Hedge
· John Odden
· Will Ross
· David McCallie (Cerner)
· Andy Heeren
· Mark Stine
· Dan Kazzaz (Secure Exchange Solutions)
· Sri Koka
· Sean Nolan
· Mark Gingrich
· Ryan Rubino (RIQI)
· David Kibbe (AAFP) co-chair
· Steven Waldren (AAFP)
· Pat Pyette (Inpriva)
· Pete Palmer (for Mark Gingrich)
· Umesh Madan
· Greg Chittim
Meeting Notes
· Action Item
o Create distribution list
o Include method for people to get added to list
o Participants could email Ryan or Greg if they would like to proactively reach out to be added to the distribution list
· Brett – introduced updated rules of the road consensus statement
o This should provide input to ONC process
o Changes were made – Brett reviewed the 4 changes noted above
o Round of feedback
· Basically agree
· May want to rethink acronym (HIDP)
· Have question on black section of HISPs
o In the definition it talks about how the HISP role "may" be played by various parties; this should potentially be changed
o Brett to change the document to say "will"
· Comment about:
o “Bob’s direct address will be tied to an organizational certificate, individual certificate, or possibly both”
o Bob’s address would be tied to organization or individual but not both?
o Conclusion of both should come out of HISP section
§ Brett will take this out
· #2 – who’s on the hook if something goes wrong?
o Who’s going to get sued?
o Brett – will be discussed in second or third round
· A HISP “should” publish certificates?
o Brett – this is still up for discussion
o If they are not published you will have to distribute by hand
o Gary – being non-discoverable would not be in the spirit of Direct. These should be discoverable.
· Granularity – how can we make it easy to reconcile cert policies?
· Can we have common terminology and expressions?
o Brett – this is an open topic
o Boris – there is currently a standard out there that could be used
· In Direct
o There could not be two intermediaries for a Direct connection
o This could make things complicated
o How do you prove that you own a particular email address?
o How to separate CA function and HISP function?
§ Brett – there could be potential friction depending on how provisioning is done
· Identity proofing causes friction in general
o This is not necessarily PKI trust, and it works differently on different platforms, so the ability to trust may be specific to Windows, for example. Macs could be different.
o When you say trust you implicitly trust the CA not the end user certificate.
§ John Odden
· Use case
o Critical access hospital and Redwood MedNet
§ Community physicians are using Office 365
§ Need governance. Not a big problem for big hospital but could make Direct not viable for a smaller Redwood MedNet
· Would like to move back to DirectTrust.org discussion
§ David M
· Comfortable with Brett’s changes
· Concerned about unknown from DC coming in next few weeks
o NHIN governance should say something about organizations that want to participate – what they need to do.
§ This could make self-attestation approach difficult to do
o Brett – would like to push progress so feedback can be provided to ONC
o David M – the process will be that there is a proposed rule, then they will take feedback and eventually develop a final rule
· Fed advisory committee – tiger team
o Agreed last week to take on set of questions that may be relevant
§ Recommendations to policy committee/ONC on what it takes to be qualified to be a cert authority
§ What standards have to be met?
§ Not policy yet
§ They have also issued prior recommendations
· David M will cut and paste prior recommendations on the Wiki
· If we make these things too restrictive we could cause problems
o Potentially with medical suppliers in mind
o Keep this open for many different industries
· Talked about individual certs
o How about a system cert (EHR for Direct.org)
o Brett – is this provisioned by an ACO or something of the sort?
§ This should be associated with the actual organization
· Gary – this will be set up for individual doctors
o David – RIQI could be the HISP
o Brett – RIQI could issue RIQI.org
· A lot of questions about the "must" and "should" language in the document; this is important
o Trying to create trust circle but not trying to create the one and only set of recommendations
o If we develop a brand this may bridge the gap of what we need
· Rules of the Road
o Value in calling out desire for a HIDP to be able to delegate signing authority to others
o What if RIQI wanted to allow a large health organization to provide access for their doctors
§ This could be valuable from a market perspective
o Need to find balance
o Anyone that self attests needs to be able to provide a letter upon request to show their credentials – this could be an option
· Would like to make a significant amount of progress over the next few weeks
· Would like to go back to Direct in the early days
· Calls are not as useful
· Would like to use the wiki
· Put the Rules of the Road document on the discussions tab
· We should have active conversations in the wiki and make sure someone in your organization reviews the material
· People should add to the wiki during the week, and Brett can create an agenda for Friday towards the end of the day on Thursday