Please feel free to send any corrections to the recording of your words in the notes to nhindirect AT nhindirect.org or post these corrections to the wiki discussion tab.

Notes from the NHIN Direct Implementation Group


Date: June 11, 2010
Time: 9am-4pm
Attendees
: Richard Elmore (Allscripts),Ravi Madduri (Argonne National Laboratory), Russell von Blanck (Atlas Development), Lin Wan (Axolotl), Didi Davis (Carespark), David McCallie (Cerner), Rob Wilmot (Cerner), David Kibbe (American Academy of Family Physicians and Clinical Groupware Collaborative), Vidit Saxena (eClinicalWorks), Kris Olberg (Emdeon), Tony Calice (FEI), Wes Rishel (Gartner), John Moehrke (GE), Paul Saxman (Google), Jason Colquitt (Greenway Medical Technologies), Nageshwara Bashyam (Harris), Tim Andrews (High Pine Associates), Michael Berry (HLN), Karen Witting (IBM), Christopher Ferris (IBM), Jeff Cunningham (ICA), Don Jorgenson (Inpriva), Jeff Peacock (Kaiser), John Theisen (Kryptiq), Malcolm Costello (Kryptiq), Lee Jones (MedAllies), Eric Heflin (Medicity), Seonho Kim (MedNet), Mark Stine (Medplus/Quest), Sean Nolan (Microsoft), Umesh Madan (Microsoft), Gary Teichrow (Mirth), Wenzhi Li (MOSS), George Komatsoulis (NIH), Carol Robinson (Oregon’s Strategic Workgroup), John Hall (Oregon’s Strategic Workgroup), Will Ross (Redwood Mednet), Charles Curran (RelayHealth), Gary Christensen (Rhode Island Quality Institute), Dan Kazzaz (Secure Exchange Solutions), David Tao (Siemens), Martin Prahl (SSA), Chris Lomonico (Surescripts), Tim Cromwell (VA), Brett Peterson (Visionshare), Paul Tuten (Visionshare), Rich Kernan (ONC), Jackie Key (ONC), Arien Malec (ONC), Mariann Yeager (ONC), Ioana Singureanu (ONC), Claudia Williams (ONC), Brian Behlendorf (ONC), George Beckett (TN State HIE), Dan Russler (Oracle)
Actions from June 11th
#
Date
Action
Status
Owner
Due Date
3
6/11/10
Address the objections raised during today’s discussion for each implementation option
Open
Concrete Implementation Teams
6/17/10
Actions from June 10th
#
Date
Action
Status
Owner
Due Date
1
6/10/10
Provide any feedback on HITSC review process to Jackie Key or post on the discussion tab of the following wiki page:
http://nhindirect.org/Implementation+Group+Meeting+06102010+and+06112010

Open
IG
6/17/10
2
6/1/10
Communicate to Dixie Baker John Moehrke’s feedback that HITSC review group should be sensitive as to how their recommendation is presented to other groups (such as the HITPC)
Open
Arien
6/17/10
Welcome and Agenda Overview from Arien Malec:
Security & Trust WG Update from Brian Behlendorf:
  • Our goal is to build a lightweight, secure messaging system
  • Trying to incorporate a IETF security review into our process
  • Concepts like trust and security mean different things to different people
  • The Security & Trust (S&T) WG came up with a consensus statement from the perspective of what attributes the final NHIN Direct solution should have
Walkthrough of S&T Recommendation provided by Brian
Section 1: Intent
  • Not dependent on having a single organization at the center of NHIN Direct
  • If two NHIN Direct users can trust each other, then they can configure a NHIN Direct solution to exchange information securely
  • NHIN Direct messaging handling policy is similar to the idea of Fedex
  • NHIN Direct users may have a variety of different message handling policies
  • NHIN Direct users should have the right to scale up or down the networks that they are involved in
  • There is not a single global, rooted trust - there may be multiple trust circles
Tim Andrews
  • Think it is a big mistake to think of NHIN Direct like Fedex
  • Arien Malec – This is an active topic of discussion within the Privacy and Security tiger team
    • There are a variety of levels of PHI exposure that a message handler may have
    • P&S tiger team is trying to define the best practices, policy rules of the road
    • We are saying that there is policy that governs the expectations that participants have and that participants should have the assurance that their message is being handled according to those message handling policies
  • Tim Andrews – Recommendation says that we’re not providing for different levels of security
  • Sean Nolan – We’re trying to distinguish between the policies of handling a message vs whether it is correct for providers to engage in exchange
Continued Walkthrough of S&T Recommendation provided by Brian
Section 2: Protocol Requirements
  • Most important technical decision was to use x509 certificates
  • Designed so that individual doctors don’t have to do key management, but can delegate this to other parties on their behalf
  • The NHIN Direct software must allow for the configuration of multiple certificate anchors, which allows participants to define which trust circles they are part of
  • We’re really just restating the case for using encryption
  • This is about using public key certificates in the way that they should be used, allowing for multiple circles of trust
Ravi Madduri
  • Do you have any standard in mind for credential delegation?
  • Brian Behlendorf – The SMTP and REST teams both use the NHIN Direct agent, where on the sending side a server can digitally sign and encrypt on your behalf, while on the receiving side a server can also decrypt and sign on your behalf
  • Arien Malec – Most predominant technique involves manual management of certificates
David Kibbe
  • How would HISPs be able to examine the implementation of the security requirements by other HISPs?
  • Arien Malec – For the purposes of the NHIN Direct early implementation activity, this will be done with a set of policy best practices (including certificate policy, privacy policy). Can’t speak to how industry participants will self-certify.
    • The model will likely move from self-attestation and mutual contracting to either an industry certification process or a level of Federal governance/certification.
Don Jorgenson
  • There are situations where the key is not necessary, such as with the use of SAML assertions. Is x509 the only way to make security assertions?
  • Brian Behlendorf – SAML is built on top of x509
  • John Moehrke – There are two different layers of authentication. We’re trying to address the network layer, how one system authenticates to another system. When you get to how a user identity is asserted, SAML is appropriate.
    • SAML assertions are generally signed using PKI, so generally this goes back to a PKI infrastructure
    • SAML assertions would be used to deal with the endpoints, could use this for end-end security in NHIN Direct
Vassil Peytchev
  • My understanding is that an intermediary can vouch that a source is who they say they are and the intermediary’s certificate can be provided to another party as a mechanism that the assertion is valid
  • Brian Behlendorf – That’s correct if we mean that the source is the source endpoint and the HISP is the source HISP
  • Arien Malec – This is allowed by technology, but may or may not be allowed by policy. Technology says that intermediaries with appropriate policy may manage trust on behalf of a source
  • Vassil Peytchev – So then there is no requirement to have the message and certificate come from the same place.
  • Arien Malec – Reliability needs to be defined by policy
Continued Walkthrough of S&T Recommendation provided by Brian
Section 3: Policy
  • It is our goal that NHIN Direct protocols can be used in many policy environments
  • Goal is facilitated by using x509 certs to proxy for policy adherence
  • HITPC/ONC is expected to issue policy guidance for a base level of policy
  • Similar to using browsers with root CAs, eventually there will likely be a common set of root nodes for healthcare exchange. However, we can’t decide this from the beginning
  • Policy committees will need to address the question of what level of identity assurance will be required for NHIN Direct participants
  • Intent is to ensure that whatever the policy outcomes are, NHIN Direct can enable them
Chris Lomonico
  • What are the ground rules for getting a certificate?
  • Brian Behlendorf – This is not within the scope of NHIN Direct
  • Arien Malec – These are policy issues that will need to be defined within the policy framework
  • Brian Behlendorf – What is relevant to the pilot phase in this?
  • Arien Malec – The private organizations participating in NHIN Direct will need to agree on a policy framework to govern the early activity for NHIN Direct. This initial policy framework will not be provided by ONC. For certain federal partners, there may also be contractual agreements.
  • Chris Lomonico – Will the CAs be responsible for managing certificate revocation?
  • Brian Behlendorf – This should be left up to the implementation/local policy
  • Arien Malec – We carefully designed a process and set of statements that did not address such policy considerations, we are leaving this question to the policy makers
  • Brian Behlendorf – We should explain this in terms that are sufficient for the implementations to move forward for the pilot and for any policy implications to be surfaced
Malcolm Costello
  • How would you regulate various types of messages from different sources, where some messages are less desired than others?
  • Arien Malec – The trust model incorporates different levels of trust expectations for different classes of participants. Having multiple anchors of trust accommodates this. Many systems may want to implement specific address yes/no lists to accommodate such different needs
  • Brian Behlendorf – One of the use cases we talked about is where entities may act as proxies for caregivers. NHIN Direct is about the transmission pipe, with local policies at the end points. In NHIN Direct overall, we’re leaving compliance with PHI and policy regulations up to the sender before they send a message.
Claudia Williams
  • There are many issues that have been teed up to the NHIN Workgroup and P&S Tiger Team. From a process perspective, how are we communicating such issues back to these teams?
  • Arien Malec – Dixie has surfaced many of the policy implications from the S&T recommendation back to the team
  • Claudia Williams– The fact that you can have local policy decisions is a policy decision, and this should be called out
  • Arien Malec – We’re trying to stay policy-neutral and yet we end up creating policy
  • Brian Behlendorf – We’ve created a canvas that can be refined as policies are defined
  • Claudia Williams– Sender needs to remember that they are responsible for that piece of the puzzle.
Concrete Implementation Team Presentations on Security & Trust:

XMPP – provided by Nageshwara Bashyam
  • For client to server communication, XMPP uses SASL authentication
  • There is also a TLS channel between the source and source HISP
  • Between a server-server, the channel is negotiated using certificates
  • Client certificates are distinct from server certificates
  • The root CA must be the same between two servers
    • XMPP foundation runs an intermediate CA to generate certificates for XMPP servers
  • Uses NHIN Direct security agent

REST - provided by Brett Petersen and Ravi Madduri
Brett Petersen
  • Ended up with three teams in the REST implementation
    • Two of these teams had a similar approach to S&T
    • Argonne National Laboratory (ANL) implementation came up with a different approach
  • Ruby on Rails/Java (Spring MVC) teams used the NHIN-D agent
    • Still some open questions around use of HISP-HISP TLS
  • Arien Malec – Primary S&T model is the S/MIME approach. As explained by Sean yesterday, this also applies to REST approach
Ravi Madduri
  • ANL is part of the group that developed the Globus Toolkit, which provides tools to organizations such as caBIG
  • Implemented all NHIN Direct transactions by leveraging work from Globus toolkit
  • Based implementation off of a scenario where a patient gives explicit consent for a provider to share information, using a SAML token
  • Used x509 certificates for all actors and services
  • Each entity can choose a set of CAs that they trust
  • Data is sent over SSL
  • Typical PKI, message signed by sender’s certificate and encrypted with recipient’s certificate
  • Primary objective was to show the capability of SAML to accomplish authorization model
  • Further enhancements could include notification, electronic patient consent, credential translation (high level services to perform these functions on the patient/provider’s behalf), automated trustroot provisioning, and HISP as a policy enforcer using XACML
  • Implemented much of this for caBIG
  • Decided to use REST to showcase a similar capability implemented using SOAP for caBIG
    • Surprisingly easy to do the REST implementation
    • Most of the work was in wrapping everything in a web portal
  • ANL, as an academic institution, needs to figure out best model for engagement in NHIN Direct going forward

IHE/SOAP - provided by John Moehrke
  • More detailed text can be found on the wiki around the IHE S&T approach
  • Term policy is being used for different things
    • Policies are decisions, ranging from architectural decisions to more high level choices
    • We’re aiming not restricting a policy makers to only one choice
    • IHE allows policy makers to make choices, but we must help to constrain the choices that can be made. We must choose a reasonable set of policy options for policy makers to choose from and address these choices.
  • IHE approach includes modular profiles, where you can specify a base and further constrain from that point onward
  • If policy requires that you have end-end security, IHE has modular profiles describing how to do this. There is no reason to reinvent the wheel.
  • In a push model, unclear where SAML assertions fit in. SAML assertions are more commonly used in a pull model.
  • IHE has a consent profile where a patient can specify the restricted use of their health information. IHE also has a profile for provider attestation of clinical accuracy.
  • Every approach has been able to meet the requirements of the security model

SMTP – provided by Sean Nolan
  • The security agent was the only piece of code written by the SMTP team for S&T
  • The agent is a piece of library code that if adopted, would be a part of the reference implementation
  • Idea behind the agent is to make the base layer, working around perceived deficiencies in TLS
    • Supports simultaneous use of multiple trust anchors
  • Three things need to come together for S&T
    • Private keys = Membership cards
    • Public certificates for each private key to allow exchange to happen
    • Anchor certificates
  • ONC may someday identify one single set of policies, one authority for all providers
  • Organization like Markle may do this for PHRs
  • If there are no national authorities available, for PHRs or providers, two entities could exchange certificates from separate trust anchors
  • There is a concern that DNS can be spoofed, but this is likely not a issue for us
    • Because we have a second layer of trust-checking, you could only be spoofed by someone that you trust
  • DNS scales well, the end tools available generally don’t support certificates
  • Walkthrough of how agent works for sending and receiving a message
George Komatsoulis
  • Relevant to all security models: From the standpoint of non-repudiation, we need to get down to the level of an individual within an organization. This impacts the granularity of the certificates. Is this a policy decision?
  • Arien Malec – This is a policy decision. We came up with motivating use cases for a organization address as opposed to an individual address
  • George Komatsoulis – At the end of the day, a document comes from somebody
  • Peter DeVault – A document could be automatically generated as the result of a workflow, with no individual involved
  • Arien Malec – A covered entity may not be an individual provider
Dan Kazzaz
  • When you sign something with your private key and your private key expires, what happens when you need to look back at a document?
  • Umesh Madan – What comes into the agent is an encrypted signed message, what comes out is plain text.
    • We can address this situation by signing with multiple certificates
  • Arien Malec – Would be good to keep the signature around
  • John Moehrke – Different signature policies are based on the intended use of the certificate. There are inherent management issues around the use of certificates.
  • Dan Kazzaz - A certificate can appear in many different forms, as a group we need to come up with a clear definition of what’s in a certificate and publish this as an implementation guide.
  • Arien Malec – You can point back to existing specifications, point to RFCs, etc.
Tim Andrews
  • Has anyone talked with a CA about the liability of doing this?
  • Arien Malec – We’ve never assumed that the root of trust would become one of the well-known roots. Likely that the CA would be a health-related entity.
  • Sean Nolan – We talked to some CAs and they seemed interested
  • Arien Malec – We would use a different CA than the CA used in your browser bundle
Vassil Peytchev
  • Could you address the threats entailed by the use of DNS to map NHIN Direct addresses and use of DNS in the agent?
  • Sean Nolan – Based on our analysis around these threats, we believe that the secondary check of the received certificate against configured anchors mitigates threats like spoofing
  • Arien Malec – In the REST implementation, if you ensure that the transaction occurs over TLS, you have an additional level of reassurance.
Michael Berry
  • Understand the benefit of using DNS, it has an already deployed infrastructure, reliability, and is distributed. But if we’re relying on ONC/a vendor contracted by ONC, what would be the impact of distributing certificates using LDAP?
  • Sean Nolan – Wouldn’t personally choose LDAP to distribute certs, but would use for a directory
  • Umesh Madan – Note that the agent code is not tied to DNS
Comprehensive HIE WG Update from Vassil:
  • Comprehensive HIE WG began by mapping IHE/NHIN Exchange transactions to the abstract model
  • User story group will work from the comprehensive HIE scenarios defined by the Comprehensive HIE WG
  • Overview of “Karen’s Cross” diagram
    • Identified clear points of interaction between NHIN Exchange and NHIN Direct that need to be addressed
    • When looking at different requirements for NHIN Exchange/NHIN Direct, there need to be certain conversions: transport, metadata, and trust/security (this is policy issue)
  • Defined key terms for comprehensive HIE exchanges
    • Full capabilities HIO – HIO that supports full set of NHIN Direct core user stories/services
    • Partial capabilities HIO – HIO that does not support full set of NHIN Direct core user stories/services
    • Notion of “belonging” to a full capabilities HIO – full HIO can refer to many types/sizes of organizations
  • Goal of comprehensive HIE interoperability is to not create two separate networks (NHIN Exchange and NHIN Direct) that seek to accomplish the same thing
  • Technical capabilities of NHIN Exchange can allow for interaction with a full HIO
  • Overview of conversions that are included in Karen’s cross
    • Step-up transform – NHIN Direct source to a destination within a comprehensive HIE
    • Step-down transform – Source within a comprehensive HIE to a NHIN Direct destination
  • In the scenario where a full capability HIO sends to a destination without a full capability HIO, if there is no conversion, there is no interoperability
  • Step-up conversion may occur where there is a NHIN Direct source sending through a source HISP, which performs the conversion, to a NHIN node.
    • Could also occur where a NHIN Direct source sends to a NHIN node, which performs the conversion.
    • NHIN node may not necessarily need to perform conversion
  • Step-down conversion may occur where a source within a NHIN node, which performs the conversion, sends to a NHIN Direct destination.
    • Could also occur where a source within a NHIN node sends to a destination HISP, which performs the conversion, sends to a NHIN Direct destination.
Arien Malec
  • As Vassil pointed out, the definition of a full capability HIO states that all of the NHIN Direct use cases are fully satisfied within that organization. This could be DoD, VA, Kaiser, etc.
    • These use cases are satisfied within a workflow in the organization.
Eric Heflin
  • NHIN Exchange exists and is in use today. You must implement the IHE protocol to interact within NHIN Exchange. Our decision is really are we choosing one protocol (IHE) or two (IHE and something else)
Rich Kernan
  • Not all transactions for NHIN Exchange/NHIN Direct will be used by all groups
  • Many services that could be used for NHIN Direct have not yet been added to NHIN Exchange
Brett Peterson
  • The diagram seems to show that the NHIN node is exposing itself to NHIN Direct using the full HIO
  • Vassil Peytchev – Should clarify diagram to show that the NHIN node is not part of the full HIO
Lee Jones
  • Every time I hear someone speak about NHIN Direct who is not part of this group, they believe that it’s exclusively point-point and that NHIN Exchange is separate. Are people expecting a us to produce a solution for how Karen’s cross can be accomplished?
  • Arien Malec – A number of federal partners are demanding that NHIN Direct and NHIN Exchange work together due to the investment they’ve already committed to NHIN Exchange.
    • State HIEs also want clarity on how the two will interoperate.
      • We want to make sure that 1) we’re not creating a divergence/alternate path and 2) we define how record locator services may work with direct push
  • Lee Jones – So we don’t need to have a solution for how to solve Karen’s cross?
  • Arien Malec – As a federal partner, you don’t want two ways for messages to be sent to your providers.
David Tao
  • Is there a significant difference between the step-up/step-down shown here vs what the IHE team described yesterday for their implementation?
  • Vassil Peytchev – NHIN Exchange uses XDR, like the IHE implementation. If we are stepping up/down to XDR, that part is the same. The question is the level of metadata being exchanged.
  • Arien Malec – This relates to each organization’s policy. Each organization may have different in-bound message handling policies describing how much step up/down is required.
David McCallie
  • If a core goal of NHIN Direct is to create simple and easy universal addressing, I suspect that this may happen more rapidly than the widespread roll-out of HIEs.
  • We shouldn’t have data-sharing capabilities be a requirement for participation in NHIN Direct.
  • There are sharing models that don’t use NHIN Exchange protocols. These organizations will have to support a NHIN Direct entry into their system.
  • I see NHIN Exchange and NHIN Direct as parallel worlds. The interoperability between these two should be seen as an optional value-add, but isn’t necessary to the core mission of direct exchange.
  • Vassil Peytchev – To address the first question of HIEs that don’t use IHE protocols, they will have to do custom matching.
    • To address the second question of parallel worlds, we will still have to figure out how a full capability HIO would be able to share with a NHIN Direct destination.
  • David McCallie – Would envision that NHIN Direct services could be used for this
  • Vassil Peytchev – There shouldn’t be a separation at the workflow level between Direct/Exchange transactions
  • Arien Malec – We’re more concerned about meeting provider expectations about having a single workflow, regardless of information source
  • David McCallie – There are separate decisions between sharing outside of a HIE and publishing within a HIE
  • Arien Malec – Vassil is saying that within the walls of a HIE, they can have whatever policies they want, but they shouldn’t have to use a different workflow than their existing workflow to send via NHIN Direct
Concrete Implementation Team Presentations on Comprehensive HIE:

SMTP – provided by David McCallie
  • I see NHIN Direct and Exchange as parallel protocols, with both being necessary for HIE
  • NHIN Direct should be used for side-effect free, private messaging, whether a provider is part of a HIE or not
    • There are situations where a provider may have no connections to a HIE or a provider may have connections multiple HIEs
  • There could be interaction between Direct and Exchange in certain scenarios. XDM provides a good mechanism to bridge the two.

REST - provided by Brett Peterson
  • Axiom 1: A large majority of push-based communication will not need to involve a NHIN Exchange endpoint
  • Axiom 2: Critical use cases do involve interaction with NHIN Exchange (ex: CMS)
  • REST team designed for Axiom 1 to avoid the complexity of Axiom 2
  • Need to a figure out how to perform this interaction
  • Arien Malec – The IHE team prototyped these transactions
  • Brett Peterson - A NHIN Exchange node would expose itself as a HISP & a NHIN Direct address
    • Addressability piece is a critical part of the puzzle

XMPP – provided by Nageshwara Bashyam
  • In use cases where NHIN Exchange interactions would occur, there would need to be step up/down services to support different potential endpoints

IHE/SOAP - provided by Janet Campbell
  • We should focus on the importance of NHIN Exchange/Direct interoperability
  • If we do believe this is important, we should just do the work once and minimize the conversion points by choosing XDR for the backbone
    • The work to perform a transaction between NHIN Direct and Exchange would already be done if XDR was chosen as the backbone
  • Should consider other architectural concerns, including phonebooks, trust anchors, and people
  • When we talk about the IHE implementation, SOAP is the protocol and XDR is the profile.
  • IHE already has a documented process, testing, language accommodation, implementation guides etc
  • It’s easier to take what’s already been done, and only use what’s needed, then later add more as needed

Q&A
Lin Wan
  • Content is more important than transport for many vendors. Metadata is important for system processing. Manual management of different types of messages (healthcare vs non-healthcare purposes) increases cost.
  • Arien Malec – Metadata transformations are harder than transport transformations
    • Not all unstructured messages are irrelevant to healthcare, there are valid situations where these messages may be transmitted for healthcare purposes.
    • There are cases where there are small providers whose systems cannot produce metadata.
  • Lin Wan – In many of the scenarios we’ve looked at, the source produces the package. An EHR can do this. Is the case Arien described a case we really must accommodate if MU is moving toward EHR adoption?
  • Arien Malec – There is an assumption that at least one participant in the exchange is trying to achieve MU, but it’s not necessarily true that both participants in exchange have a system that is certified to perform these transactions.
Tim McNamar
  • Need to have one common address, as with Surescripts.
  • Arien Malec – Let’s table this question, as it is not relevant to the discussion.
Claudia Williams
  • As we’re thinking about the HITSC requirements, we need to keep in mind the importance of simplicity
  • There’s a reason that we pursued NHIN Direct, not everyone is ready for more complex exchange
  • There will be heterogeneity between how people do things but there needs to be a way to bridge between these
Jeff Peacock (via Live Meeting)
  • Hear, hear! Also, those of us with EMR's are reluctant to fall back to unstructured data because it becomes much less useful for patient care. Even pdf's and images should be sent as part of a structured CCD message.
Karen Witting
  • We really want one NHIN. NHIN Exchange refers to what already exists in NHIN Exchange, which is SOAP and web services.
  • Federal partners will want communication using SOAP and web services. There will need to be a transformation to this if a different protocol is chosen.
  • The existing NHIN Exchange has adopted a XDM metadata model. If you choose a different metadata model, you will need to be able to convert to this.
  • NHIN Exchange uses XDR for push transactions.
  • There is confusion about the need to do things in two separate ways. If there is no way to transform between Exchange and Direct, then at least one side of a transaction will need to be able to support both.
  • If we don’t want choose XDR, we will need to do conversions.
  • There is a lot of support for NHIN Exchange, as it has been adopted by many organizations already.
Eric Heflin
  • Many states have created architectures based on NHIN Exchange and are wondering about the impact of NHIN Direct.
Chris Ferris
  • Many of the presentations are focused on the protocol, but the real issue is what you’re pushing, the interoperability of the payload
  • How is a HIE supposed to do something meaningful with unstructured documents?
  • Suggest that we focus on starting a base amount of metadata to promote interoperability
  • Arien Malec – Transport is important because most providers use fax today, even those who have EHRs, because there isn’t an obvious, standard way to exchange electronically
    • There is a tension between the need to optimize for small provider participation and also to have rich, structured data that allow for semantic interoperability
    • One side says don’t do it if you can’t do it right, while the other says just get the exchange set up and progress toward more complexity as providers demand more
John Moehrke
  • The IHE group is not saying, you have to XDR anyway, we’re just saying start small. Know that NHIN Exchange exists and let’s head in that direction.
  • For clarification, it should be noted that NHIN Exchange has multiple modes for exchange, but there is no XDS except within edge systems.
  • We’re focusing on the small provider to small provider scenario, but we must recognize that this small provider may be sending or receiving with a larger partner
David Kibbe
  • Feels bullied by IHE group – do it our way, or don’t do it at all
  • In the real world, there are different ways to do things and to accommodate these different ways
  • Arien Malec – We should assume good intentions. I interpret the IHE team as giving a value statement for choosing XDR. We should think about teams’ statements in terms of stating such values.
Concrete Implementation Discussion and Decision:
Arien Malec
  • We should be able to agree that we all share the same values, though we may prioritize these differently
Brian Behlendorf
  • We want to get to a scenario where the majority of doctors use sophisticated EHR technology
  • NHIN Direct is proposing something broad-based that will eventually get us toward this vision
  • Both NHIN Exchange and NHIN Direct are providing ways to move us in that direction
  • We need to give enough to the implementation team to get the pilots underway
Nageshwara Bashyam
  • All of the teams have done a good job, all of the protocols could work
  • XMPP may be a bit ahead of its time for what we’re trying to accomplish today
  • Rather than have the group discuss XMPP further today, we’ll try to advance XMPP outside of this project in the industry
  • Brian Behlendorf – The CONNECT team is experimenting with XMPP
  • Arien Malec – Perhaps 10 years from now we’ll have presence, asynchronous and synchronous communications built in every EHR
Brian Behlendorf
  • Required a lot of heavy-lifting to get CONNECT to where it is
  • Acknowledge that it is a challenging software to use
  • We’re trying to pick the proposal that we can feel comfortable with and acknowledge
Arien Malec
  • Everyone should put on the table their willingness/unwillingness to support each proposal and if they are unwilling to support a particular proposal, what fixes are needed in order for them to support it
  • Round the room for each organization
Allscripts – Richard Elmore
  • There are two vitally important goals for NHIN Direct
    • Email exchange nationally
    • Automated exchange with EHRs
  • Can’t choose one over the other, we need to meet providers where they are today and also acknowledge that we want to move toward EHR use
  • IHE/SOAP – First choice, XDR backbone seems like the best way to get to automated exchange with EHRs
  • SMTP – Second choice because it would enable email exchange nationally
  • Arien Malec – Are there any approaches you’re not prepared to support?
  • Allscripts - REST – Not best suited to achieve these goals. Not convinced that REST can achieve rapid email adoption.
  • Arien Malec - If the REST team can show widespread access to participants with email clients, would Allscripts be able to support REST?
  • Allscripts - Yes, and if they can also support interaction with IHE
American Academy of Family Physicians – David Kibbe
  • Willing to support SMTP or REST, but not IHE
  • Don’t want to have to fix IHE
  • NHIN Exchange will exist in the ecosystem, but would like to see them accept a simpler form of communication
  • Arien Malec - Sounds like you value simplicity. If they can address the issue of simplicity, would you be prepared to accept IHE?
  • AAFP – Don’t think we could, the IHE protocol is the least broadly accepted in comparison to REST/SMTP
  • Arien Malec - What aspect of simplicity do you feel IHE does not portray and what would need to be fixed?
  • AAFP – Need to address complexity at the HISP level, only very large organizations could use IHE. A HISP needs to meet customers’ needs where they are now while offering a path to more sophisticated data services.
  • Brian Behlendorf – Would you be willing to participate in a process that would try to define what a HISP-in-a-box that could enable simplicity would look like?
  • AAFP – Not sure. The organization would look at any such proposal with open eyes.
  • Arien Malec – Will note that lowering the cost of HISP implementation and deployment as key thing for IHE team to fix
  • Steve Waldren for AAFP – Wants to see IHE address the separation of metadata issue
  • Veto for IHE (David Kibbe vocalized this separately after the discussion)
Argonne National Laboratory – Ravi Madduri
  • Willing to support IHE or REST
  • Don’t understand SMTP’s ability to meet security requirements
  • Arien Malec – Will note that you want SMTP to address the full security model in a way that gives confidence
Axolotl – Lin Wan
  • Willing to support all protocols
  • All implementations have some issues that need to be addressed
  • Concerned about having good content and metadata
    • SMTP may the simplest/quickest way to get us there, but it sets the bar too low for data and may not address error handling comprehensively
    • Need to understand how REST handles error, retry
    • IHE needs to address patient-specific nature of XDR
  • Also concerned about delivery of content
Carespark – Didi Davis
  • First preference is IHE because it has clearly defined ways to connect our current business associates, we would be able to roll this out the fastest
  • Also support SMTP and REST, if step up/down procedures for interaction with NHIN Exchange are clearly defined
Cautious Patient- Fred Trotter
  • (via Live Meeting chat) We are only discussing the core exchange protocol and we want lots of variance in the Node/HISP to user connection. We have a strong preference for generalized messaging. We actually think XMPP is a better protocol because of the presence thing, but SMTP gets our vote. SMTP will get the fastest adoption. IHE is too complex. However, the IHE team has made its case that lack of a pathway to and/or lack of compatibility with NHIN Exchange could create significant balkanization. The "solution" for IHE is to partner with NHIN CONNECT to make a bridge reference project. So to "fix" IHE we just move it out of the "core". We feel that REST is a development protocol and not a messaging protocol. The hidden cost of REST is that you have to build a messaging protocol out of it. The security implications of that are staggering. You could fix REST by borrowing heavily from SMTP/XMPP for operational design, which is already happening to a certain degree. I actually do not think XMPP needs fixing at all, it is a better messaging protocol than SMTP and is easier to strongly secure. We place it in second place, only because it is not as widely understood by business IT as SMTP. Fixing it can only happen by making it more popular, it would be made more popular by NHIN Direct choosing it ;) . There is no protocol choice that NHIN Direct that could cause Cautious Patient to not participate.
  • Strong preference for protocols that have messaging built in
  • Overall, would prefer SMTP or XMPP, then REST, but there is no protocol we would not support
Cerner- David McCallie
  • Wouldn’t rule out any approach and would support anything
  • See SMTP as the fastest way to get us where we want to be
  • Second choice is IHE, given that it is based on a proven code base
    • IHE should address simplicity issues around metadata and implementation
  • REST is appealing in terms of simplicity, but concerned about reliability of the delivery model
Clinical Groupware Collaborative- David Kibbe
  • Feel strongly that REST is the best protocol because it would be best suited to web services development over time
    • Writing new code is not necessarily a bad thing and might be a way to quickly innovate
  • Willing to accept whatever the market accepts
  • Veto for IHE (David Kibbe vocalized this separately after the discussion)
eClinicalWorks – Vidit Saxena
  • Most strongly support IHE, but would implement the consensus decision
  • Agree with Axolotl on concerns
Emdeon – Kris Olberg
  • Will support the consensus
Epic- Peter DeVault
  • Prefer the IHE approach for the backbone and would support other protocols on edge
  • Preference in order: IHE, REST, SMTP
  • From the perspective of Epic’s many clients, there is a lower implementation cost to use IHE as the backbone and REST is also preferred
  • Will support whatever decision is demanded by customers
  • Feel that Epic’s customers will be disappointed if messages do not have enough metadata to be integrated into their existing workflows
  • Even if REST/SMTP is chosen, these teams should ensure that there is a path to having useful metadata
FEI – Tony Calice
  • Like the idea of XDR as a backbone and believe that providers would support SMTP
  • Willing to support anything that gets rolled out
Gartner – Wes Rishel
  • If we choose NHIN Exchange [IHE], would it be the complete suite of services?
  • Arien Malec – No, it’s what’s described in the IHE capability worksheet, just XDR
  • Gartner - So it is a SOAP push model
    • Would be willing to support all three options
    • There needs to be capability to stand-up a baseline HISP without HISP access to PHI
  • Arien Malec – XDR does require access to some patient-specific metadata
    • Personally confused by the level to which it’s required within IHE to have access to patient data
  • Gartner – The base level HISP should not have access to protected health information. Does the baseline have to provide NHIN step up/down? If so, then it would have to have access to PHI.
  • John Moehrke – When you’re asking this question, are you asking it in the context of a pure XDR environment or an environment where there are different edge protocols? If you choose XDR end-end, there is no need for HISPs.
  • Gartner - If the proposal says that step up/down is a value-added service that a HISP may provide with a business associate agreement, then I’m fine with it. Don’t want every HISP to have to have business associate agreements with every organization it communicates with.
    • Of the three proposals, SMTP will get us there the quickest
    • Many of the security solutions are identical, so it choosing SMTP wouldn’t preclude us from building security for other protocols in the future
  • Don’t have a sense of the relative skillset needed to build a HISP with SOAP, IHE team should address this
GE - John Moehrke
  • Clearly would prefer IHE, but recognize that this would require small docs to have a EHR
    • We shouldn’t be driving this decision, we should give small docs choices
  • Between SMTP and REST, both have promise and problems. Believe that all of these issues can be solved.
    • Would like to see the use of XDM model
    • Suggest to SMTP group that they support S/MIME
Greenway Medical Technologies - Jason Colquitt
  • Easiest path for Greenway would be IHE
  • Next order of preference would be REST, SMTP
Harris- Nageshwara Bashyam
  • Will support any implementation that is picked
High Pine Associates- Tim Andrews
  • Mostly here to represent states
  • Will support whichever protocol, but would prefer IHE based on fact that this is what the industry is using
  • Biggest issue is when will products be available - we need to have products ready fast (in 6-9 months)
    • There are IHE products available today
    • Don’t believe this would be achievable for REST/SMTP
  • Arien Malec – It would be interesting to ask this question to the EHR vendors in the group
HLN – Michael Berry
  • Also involved in advising state HIEs
  • Wouldn’t want to see a future with less metadata and more human labor, but acknowledge that IHE is complex
  • Will support any of the protocols, but believe that SMTP best meets needs of simplicity and speed
    • SMTP should look at use of LDAP
  • Also concerned that we need to have a product available fast
IBM- Karen Witting
  • All of these protocols will work, it’s a matter of preference
  • I have been fighting for one NHIN, we should have only one way to do one thing
  • For all protocols, want to see a mapping between NHIN Exchange/Direct, metadata, flexibility for security and privacy, and speed of getting to a product
  • Do not value simplicity because definition of simplicity is murky
  • SMTP - concerns about message only going where it is designed to go and security vulnerabilities
  • REST – overall spec needs work, especially around security and reliability, time to market will be slow
  • IHE – need to work on minimal metadata and be more accessible on the edge
  • Would support anything that can be rolled out quickly and support metadata in an extendable way
    • If we support SMTP, need to look at use of XDM package
    • Concerned with REST, but would be willing to support it
ICA- Jeff Cunningham(via email)
  • REST is acceptable - about as simple as SMTP but much more extensible
  • IHE/SOAP is acceptable - already established and can reasonably work with simpler protocols
  • SMTP is not acceptable - simple but not extensible enough to serve as backbone protocol
  • XMPP is not acceptable - great edge protocol, but not implemented enough in the current vendor base to serve as the backbone. Also, I think at scale more adaptors and implementation standards protocols would need to be established to make this work.
Inpriva- Don Jorgenson
  • If we look at SOAP, rather than IHE, SOAP has a good security model for healthcare
  • Will support any protocol
Kaiser- Jeff Peacock
  • We need to support structured data and define a pathway for using this structured data
  • Don’t think we should look for an easy on-ramp that doesn’t go anywhere
  • Willing to support all, but SMTP seen as the weakest
Kryptiq- John Theisen
  • Would support all, preference for REST
MedAllies- Lee Jones
  • Personally think about term the simplicity as referring to expediency
  • Technical simplicity and technical implementation are the gateway factor for widespread adoption
  • Concerned that NHIN Direct is a great opportunity to move the needle and if we focus too much on the lower-ability providers, we risk vendors taking their own path
  • NHIN Direct needs an organization to maintain specifications, test bed, etc – IHE already has this
  • For expediency’s sake, we endorse IHE, with the caveats that have been mentioned previously
  • Worst situation would be for the country to stall
  • Want to see HISPs commit to being part of the network and having IHE and other protocols supported by HISPs
  • Would only support the other protocols if IHE was also supported as the backbone
Medicity- Eric Heflin
  • NHIN Direct shouldn’t create a solution that is a parallel effort to NHIN Exchange
  • Interoperability is our key value and IHE is the best way to achieve this
  • Preferences are IHE then REST, cannot support SMTP
    • REST is too simple - should address reliability, lack of metadata, testability
    • Cannot support SMTP because there is a workflow danger for providers and don’t like the need to install the security agent
MedNET – Seonho Kim
  • Would endorse all four protocols, with preference for IHE, then REST, then SMTP, then XMPP
  • Reservations with SMTP around security and metadata
Medplus/Quest- Tom Wagner/Mark Stine
  • Would endorse XDR, a single protocol makes sense
  • Share concerns about IHE regarding metadata and as well as with ATNA
  • Would like to see REST/SMTP on the edge
Visionshare – Brett Peterson
  • Will support all three protocols
  • Need speed to get to wide implementation
  • Large organizations are already well served by IHE, we now need to address small providers
  • Order of preference: SMTP, REST, then IHE
    • Would like to see NHIN Exchange interaction addressed by SMTP/REST
    • Would like IHE to address complexity of implementation by potential HISP developers, need better documentation
Microsoft- Sean Nolan
  • Would be difficult for Microsoft to move forward with IHE. To support IHE, would need to see how:
    • IHE could support multiple circles of trust
    • IHE could provide sufficient services to providers in a commercially sustainable way by 2011
  • Strongly support SMTP and would also support REST
    • REST problems could be fairly easily addressed
Mirth- (Arien speaking on behalf of Mirth)
  • Mirth has expressed that they will build anything
MOSS - Wenzhi Li
  • The HISP-HISP protocol should be sophisticated enough to support interaction with NHIN Exchange
  • Believe that all four protocols should be provided as an option on the edge
  • Would support all, with a preference for XDR as the backbone and SMTP on the edge
Surescripts - Chris Lomonico
  • Primary choice is REST, but would support all
  • Neutral on any needed fixes
NIH - George Komatsoulis
  • Preference for REST or IHE
  • Would support all
Oracle – Dan Russler
  • Already support all protocols
RelayHealth- Charles Curran
  • Willing to support all, preference for IHE
Oregon - John Hall
  • Would prefer REST, for the reasons Sean outlined, but could support all
Redwood MedNet – Will Ross
  • Can support all
  • Would like IHE to acknowledge that if they could already support small providers, there wouldn’t be a NHIN Direct
Rhode Island Quality Institute- Gary Christensen
  • Will support all
  • Most important criteria is ease of integration into EHR processing
Secure Exchange Solutions- Dan Kazzaz
  • Prefer SMTP, because it is the cheapest, easiest to deploy, and easiest to integrate in the workflow
    • For those who do not have EMRs, SMTP is the easiest to use
    • Important to be payload-agnostic, SMTP is good for both backbone and edge
  • To fix IHE, would ask them to come closer to X12 and HL7
  • Would support both REST and IHE
Siemens- David Tao
  • Both IHE and SMTP have strong merits, IHE is first choice
    • IHE is the best upward bridge, but we cannot do IHE alone
    • There is a need for SMTP
  • Would support IHE as backbone and SMTP as the edge protocol
  • Would also support pure SMTP on both backbone and edge
  • Could support REST but this would be a lower preference
    • Some of the simplicity of REST may be lost since we’d have to build so much onto REST for healthcare
  • SOAP has already addressed healthcare needs to a large extent
SSA- Martin Prahl
  • Would be willing to support all protocols
TN State HIE – George Beckett
  • All the protocols have issues
  • See NHIN Direct, a one-to-one push, as slowing down the state HIE’s goal to allow for query transactions across the state
  • Would prefer IHE, but also would support SMTP
  • Would not support REST simply by process of elimination
VA- Tim Cromwell
  • Will support all three
  • Should consider changing term “doctors” to “clinicians”
Arien Malec
  • IHE teams should address:
    • Documentation, skinny it down so that a developer can pick it up and implement it
    • Need to identify a minimal set of metadata that is required for routing and to separate this from the content package
    • Currently, only way step up/down works involves a peek at the content metadata
  • SMTP should address:
    • Email clients need to be locked down due to concerns around the risk of having secure and non-secure addresses used from the same client
Brian Behlendorf
  • Even though there was a majority support for XDR at the backbone, it also produced a great deal of vetoes
  • If IHE were chosen, the IHE community would be on the hook to make implementation easy for a HISP
  • Proposed strawman:
    • XDR at backbone, carrying XDM, with a minimum set of tools
    • When REST was discussed, the majority of arguments tended to be in favor of REST on the edge
  • When it comes time to building the pilots, let’s focus on building REST at the edges
  • Propose to also have a team build an optional SMTP plug-in for HISPs that could connect with other NHIN Direct nodes
Arien Malec
  • Don’t know if we could use XDR as it is currently profiled, but perhaps a new SOAP-based profile that has the ability to get from A-B without overly complex packaging would work
  • There are enough vetoes on XDR to make this path difficult for many to swallow

Google – Paul Saxman (late vote via email)
  • In the near-term, Google would be willing to support the REST and Email implementations, with a preference for REST. All three implementations have their strengths and shortcomings that would need to be addressed within the next year, but it's Google's belief that the simplest solution, which allows for easy integration into the network without sacrificing security or functionality, is the best. The IHE implementation would make integration considerably more difficult without providing additional end-to-end capabilities per the NHIN-D user stories.
Lee Jones
  • For the purpose of proving this out, we may want to consider multiple protocols, though we’d thereby create a more complicated HISP
Janet Campbell
  • To address the concern expressed about doing step-up without revealing PHI, note that the IHE team did a step-up demonstration where PHI was not revealed
Eric Heflin
  • There is interest in IHE to make things easier, quickly
  • This could be accomplished by creating implementation guides, having self-contained documents, architectural overviews
Wes Rishel
  • Many different points of view have been stated today
  • Must be able to both facilitate EHR adoption and also support simple exchange between providers
John Moehrke
  • Should be noted that NHIN Exchange is a SOAP exchange, with a security model and metadata model
  • I can acknowledge that if XDR is not meeting our needs, then we need to go to the beginning and ask what we want to accomplish and build from there
  • There is a theoretical purity expectation, reality is that you have to have both pull and push
Gary Christensen
  • We’ve been focusing on HISPs, but what are the ramifications for what happens in doctor’s offices?
  • Arien Malec – Fastest path if I’m going to delay buying a EHR is to use a web browser or an email client.
    • Fastest path if I have an EHR is using XDS.b with some modifications.
    • Fastest way to get to middle ground is unclear
  • Peter DeVault – Agree that if there are people who don’t have EHRs, email/web browser is easiest. But, we need to keep in mind that they may be communicating with people who do have more sophisticated technology. Our goal for the pilot is to build a HISP-in-a-box to demonstrate that this can be done.
    • Also should be noted that we didn’t propose that the end-end solution should be XDR, we showed that a lower-technology solution should be on the edge.
Arien Malec
  • Note that Brian’s strawman proposal is a first suggestion. If IHE could produce a SOAP-based protocol that is similar to XDR, but much simpler, and implemented SMTP or REST on the edge, would this switch a no to a yes vote?

  • Sean Nolan – Would want to see a profile of who will purchase and run the HISP-in-a-box
    • Need to specify the requirements for a HISP in a box
    • Look at who serves small businesses today, it’s not Microsoft, Epic, or Cerner
    • Only can think of 3 constituents: state HIEs, existing ISPs, and ?
    • We need to outline these capabilities and see if we’re serving their needs
    • Microsoft cannot support IHE today, we would not move forward with the pilot process
  • Arien Malec - Also many practices are supported by VARS which support their practice management vendor
  • Sean Nolan – This boils down to a ISP
Arien Malec
  • Each organization should type up a list of objections for each concrete implementation team and each team should seek to address these
Tim Andrews
  • There is a business model of selling to some small docs
  • Sean Nolan – But there are many docs for whom this is not working
David Kibbe
  • I think that we’re building toward NHIN Exchange light, not NHIN Direct. This would be good for large organizations and the consulting firms that work with them. Would not be good for small providers who do not have EHR technology
  • AAFP will not participate in the NHIN Direct pilot under current circumstances if IHE is chosen
  • Real need is to provide a connectivity solution for small-medium practices in the very short term
Arien Malec
  • Each team should take the list of objections and address them
  • Disappointed that we have two proposals that each could go forward with 90% support, but that each has a strong 10% opposed
Brian Behlendorf
  • Some objections that have been stated are not factual, but are value-based or incorrect
  • Consensus does not mean uniform agreement
  • Understand concern that we’ve over-anchored around one suggestion and that we are putting the IHE team on the hook
  • The crowd that supports SMTP can build an alternative SMTP-based approach
Claudia Williams
  • We set a goal and assumed the best of intentions
  • We’re at a point where we need to take a step back to reflect and do analysis
  • Confident that we’ll find a path forward

End of notes, though meeting continued after this point