DirectTrust recently submitted comments to the Registered Coordinating Entity (RCE) on the Draft TEFCA Facilitated FHIR Implementation Guide. As an organization dedicated to instilling trust in health data exchange, we have special interest, knowledge, and experience in certificate issuance.
We worked with our membership to craft the following comments in response to the Draft TEFCA Facilitated FHIR Implementation Guide. Due to the length of our comments, the full comment letter may provide the best reading experience and is linked at the end of this post. A summary of our general thoughts around the Draft TEFCA Facilitated FHIR Implementation Guide, including background on our unique position to respond to request for comment, is included below.
Summary
The TEFCA FHIR Implementation Guide proposes a model for technical trust which we feel will not provide adequate security for healthcare data exchange. We suggest an alternate model that both scales securely and enforces best practices by leveraging DirectTrust as an existing Trust Framework that supports both Direct Secure Messaging and query-based data exchange (QBDE) for all healthcare information exchange.
DirectTrust and our community of certified Certificate Authorities (CAs) have been serving Carequality for nearly two years. We’ve proven our community can provide digital certificates for the TEFCA FHIR ecosystem through our accredited Registration and Certificate Authorities utilizing our current Trust Framework. We recognize the scale required by the FHIR ecosystem will require us to refine the current process utilized for QBDE. We recommend the RCE leverage the DirectTrust Trust Framework and governance to support QHINs in their certificate registration and issuance processes, rather than build a new infrastructure with new policies, new governance, and new CAs operated by QHINs.
Background
Historically, Carequality and eHealth Exchange managed much of the process of issuing certificates to implementers and participants internally and ensured that only community members received certificates. A single Certificate Authority played the role of issuing the TLS certificates that secured communication among all parties. Each Participant needing a certificate would be introduced to the CA in a warm hand-off by email.
In 2020, Sequoia and DirectTrust signed an agreement where multiple CAs could service the needs of the Carequality and eHealth Exchange communities with DirectTrust playing a certificate policy enforcement and accreditation role. DirectTrust also coordinated the hand-off process and technical support, which are duties that DirectTrust doesn’t typically take on in other environments due to the propensity of these activities to cause a bottleneck. The rationale underpinning DirectTrust’s current role in support of Carequality was to maintain as similar a process as possible to what was previously being carried out by Carequality. The hand-off process between Sequoia and DirectTrust remains the mechanism by which the subscribing organization’s participation with one of the initiatives is verified. DirectTrust then introduces the subscribing organization’s representative to the CA that then takes the process to its completion. The sub-contracted CAs do most of the typical commercial Registration Authority and Certificate Authority activities for the issuance of certificates, including but not limited to: ensuring the individual identity of the subscriber (at NIST IAL2), ensuring that the organization is licensed to operate in its jurisdiction, ensuring that the subscriber has control of the domain/machine where the certificate will be installed.
In 2021, all the certificates that had been issued by Carequality’s previous CA were transitioned to the new DirectTrust-enabled model.
Since Query Based Data Exchange (QBDE) is secured between IHE Document repository gateways using TLS certificates, the total number of certificates required for this model is relatively small. For example, CommonWell Health Alliance is a Carequality Implementer with many participants and thousands of sub-participants, but only one certificate is used to secure the connection between CommonWell as broker and the other Carequality implementers. Some implementers stand up separate gateways and certificates for all their sub-participants, but most do not. This approach has scaled reasonably well for the number of certificates and participants required.
Within the IHE profiles there is an additional security mechanism beyond TLS certificates. TLS is supplemented by SAML assertions that communicate organizational identity through initiating and responding gateways from the sender to the receiver. These two mechanisms together are thought to establish adequate technical trust in the current environment and this model has had broad adoption.
Serving Business to Business Query Utilizing RESTful Exchange via FHIR
As Carequality, and by extension the RCE and TEFCA deploy FHIR at scale, there will be several substantial changes from the IHE model. First, most FHIR transactions will be communicated without gateways or brokers, thus initiators will need to perform authentication and authorization directly with receivers. The technical means to accomplish this is different under FHIR and these differences change the security and technical trust landscape in a substantial way. Rather than SAML, FHIR transactions will utilize TLS, OpenID Connect (OIDC) and OAuth 2.0 to communicate identity assurance via digital certificates. Rather than relatively few gateway connections needing to be established, these “broker-less” connections will be made between the thousands of FHIR endpoints to communicate trust and information exchange bidirectionally. This ecosystem is not only large, but also dynamic. A Participant of an implementer, or of a QHIN under TEFCA, will be onboarding new Subparticipant healthcare organizations constantly and need the flexibility to onboard these organizations and Users with minimum friction.
It is precisely the scale of this ecosystem that makes reliable credentials for connections so important. Several trust infrastructures have demonstrated such ecosystems at scale successfully, including The International Civil Aviation Organisation (ICAO) supporting international passports, the CA/Browser Forum (CA/B) supporting the internet, the electronic Identification, Authentication and trust Services (eIDAS) supporting trust across EU nation states, and the Federal PKI. All of these groups ensure that organizations who issue end-entity certificates are accredited and impose strict governance policies to ensure interoperability at scale among all participants.
Additional and Full Comments
Members of the DirectTrust community contributed to our full commentary and responding to the various questions the RCE specifically asked. The responses to each of those sections is linked in our full comment letter below.