Notes from the Concrete Implementation Workgroup

Date: May 25, 2010
Time: 12pm-1pm
Attendees: Steven Waldren, Ravi Madduri, Wesley Combs, Rob Wilmot, David McCallie, Vassil Peytchev, John Moehrke, Matt Potter, Jason Colquitt, Nageshwara Bashyam, Karen Witting, Eric Heflin, Sean Nolan, Umesh Madan, Chris Lomonico, Tony Mallia, Brett Peterson, Brian Hoffman, Grahm Evans, William Lusen, Brian Behlendorf, Arien Malec
Actions for this Week:

Actions from last Week:

Agenda

• Review consensus vote on the Implementation Capability Worksheet
• Each team to review their Capability Worksheet draft, lessons learned so far, and present plans for next two weeks.
  • REST Implementation Capabilities Worksheet and current status
  • IHE Concrete Implementation Capability Worksheet
  • XMPP Implementation Capability Worksheet and current status
  • SMTP Worksheet and current status
• Discuss Farzad's external review idea as seen here: [1]
• Planning for June 8th conference call and June 11th face-to-face meeting in Seattle.

Notes
· Request for votes from the remaining organizations that did not vote on the wiki thus far:
o AAFP – Has not yet had a chance to review the worksheet, but will look after the call today and note any issues
o Medicity – Needs more time to review the worksheet, but recommend that WG proceed forward without a yes/no vote from Medicity
o VLER – Needs more time to review the worksheet
o Epic – Will review the worksheet shortly
Comment from Sean Nolan
· Message to Implementation Group is that we feel confident about level of WG agreement on the worksheet
· As suggested, Sean will remove the two items from the worksheet
Feedback on the Capability Worksheet

Comment from Arien Malec
· Note that the rule for NHIN Direct voting is: Either say yes, abstain (which equals a yes), or say no with comments
Comment from Sean Nolan
· WG should continue discussion of worksheet on the wiki and post any major objections to the wiki before the 3:00 IG call
· WG has achieved milestone of having draft of capability worksheets from each implementation team ready by today
· Should we bring in independent review of the implementations?
Comment from Brian Behlendorf
· On June 8th we’ll have a longer conversation to compare the options
IHE/SOAP team update from Vassil Peytchev
· Status for IHE/SOAP team
o Capability worksheet is still in progress
o Approach for IHE/SOAP team is not just to provide an end-end implementation, but also explore combinations of edge protocols with an IHE backbone
o Looking at 4 cases for end-end exchange
o In the process of filling gaps with transformations
o Getting appropriate test scenarios and test data to do end-end testing
o Tracking lessons learned on the team page
· IHE cases are intended to cover the NHIN Direct user stories, each IHE case can be applied to several user stories
· NHIN Direct specification will be drafted this week
Comment from Ravi Madduri
· At Argonne, we’ve created a REST implementation that installs the use cases with a different security framework. Should we create a separate capability worksheet?
Comment from Arien Malec
· Just add to the capability worksheet and post any content to the wiki
· Ravi to create a wiki page describing the Argonne REST implementation and speak to the additional security in place
· Want to be able to talk about each implementation option in a unified way
· We now have three different REST security models, one for each of the three REST approaches
Comment from Ravi Madduri
· What happens on June 8th? (will be addressed as part of later agenda item)
XMPP team update from Nageshwara Bashyam
· Capability worksheet should be completed today
· Team has explored XMPP demonstrations
· Still working on encryption and security model between HISP-HISP
Question from Sean Nolan
· What would the XMPP demonstration look like in terms of clients?
o Nageshwara Bashyam – Team held an exploratory meeting to see what settings would be required and what policies would need to be in place before an implementation could be piloted. Team did not look into what the end user interface would look like.
· Sean Nolan - Using an IM user interface could be very interesting
· Nageshwara Bashyam to add a screenshot of the XMPP implementation to the wiki
SMTP team update from Sean Nolan
· Filling out the worksheet was a good exercise
· SMTP team’s approach is to use email, additional code, which is being called the NHIN Direct agent, will give an extra security layer
· Most code is off the shelf, some code around cert management will need to be written
· Enough code is done to be able to send emails, though currently this is for windows only, but will be integrated with java
· Plan to snap into Healthvault in next few days
· Most code has come from Cerner, Microsoft, and Secure Exchange Solutions
· Interesting lesson learned was how to manage responses and acks/nacks, as most SMTP errors are in form of bounces and postmaster replies
o Team has figured out how to encrypt these properly

· Note from Sean: As much as Sean believes in the SMTP approach, Microsoft is willing to implement the consensus regardless of the chosen approach
Comment from Umesh Madan
· Educational to actually write the code
Question from Brian Behlendorf
· Is there a Java based SMTP implementation?
o Sean Nolan – Cerner has built an implementation of the agent with java mail. The code for this is available on the wiki
· Brian Behlendorf - In the interest of cross team collaboration, other teams using java should make note of the fact that the SMTP code exists
REST team update from Brett Peterson
· Capability worksheet needs more work
· Would like to focus more on the NHIN Exchange integration piece
o Suspects that there may be a gap on this front from both the REST and SMTP teams, and so posted comment/question on SMPT page
· Have successfully done HISP-HISP transactions using mutually authenticated TLS
· Have used REST for edge and backbone
· Integrating other protocols as edges
· Need to finalize the security model to make sure the java and ruby implementations can speak to each other
REST team update from Arien Malec
· Getting resources up and running has been trivial, whereas agreeing on a security model has been more difficult
· Implemented mutual authentication over TLS, but is not confident that this will be the ultimate solution
· Has built a version of the SMIME agent end-end against a database cert store
o Also has enabled cert discovery using REST
· Dependent on the final security model , sees this as the biggest issue for the REST team
· Hopes to build a simple web client, but may not be able to get to this
REST team update from Ravi Madduri
· Created a scenario where they implemented three transactions using mutual authentication
· Able to issue patient username and password and have SAML assertion issued
· Created a web-based demo, want to make this widely available
· Next steps:
o Make Argonne REST team’s work public
o Determine how to interact with other NHIN Direct implementations
Comment from Brian Behlendorf
· Would like to hear input from WG on the Farzad’s idea for external review idea of the concrete implementations
· Suggest that the WG generate publicity around worksheets as appropriate
· Goal is to have fresh set of eyes look at the capability worksheet content
o Worksheet content must be self-explanatory
o Would be a high standard to say that the worksheets were peer reviewed
o Can have media publicize worksheets and channel interest into comments on wiki
Comment from Arien Malec
· Would it be valuable to have a formal structured review of the implementations with neutral parties that have awareness of technology and healthcare? (could include: Aneesh Chopra, John Halamka)
· Would this sort of independent review help us drive to consensus or add more confusion?
Feedback on External Review of Implementations