Announcing the Trust Anchor Bundle

DirectTrust Anchor Certificate Services

October 25, 2014

It is with great pleasure that we announce that DirectTrust has launched our permanent trust anchor bundle, comprised of trust anchor digital certificates from HISPs and their associated CAs and RAs who have completed the EHNAC-DirectTrust accreditation and audit program.  Inclusion in the new Accredited Trust Anchor Bundle signifies that the HISP and associated CA/RA have met or exceeded the rigorous and widely recognized industry “gold standard” for controls for privacy, security, and trust in identity established by DirectTrust’s policies and assessed and audited by EHNAC.

That there is real economic value to EHNAC-DirectTrust accreditation is beyond doubt; most RFPs and contracts between HISPs and their customers now make EHNAC-DirectTrust DTAAP accreditation a requirement for submission and signing.  The market is clearly indicating its preference for HISPs that have met or exceeded the DirectTrust accreditation and audit criteria for privacy, security, and trust in identity controls.

If you, or any of your colleagues, have questions regarding application and approval for inclusion in the Accredited Trust Anchor Bundle, I invite you to email me at David.Kibbe@DirectTrust.org so that we can discuss your issues.

Definitions

Trust Communities

Trust Communities are formed by organizations voluntarily electing to follow a common set of standards, policies, and processes related to health information exchange. Examples of these policies include identity proofing policies, certificate management policies, and HIPAA compliance processes.  DirectTrust is one of largest trust communities for health information exchange in the country, with approximately 35 HISPs serving over 50 HIEs and 300 certified EHR and PHR technologies, in 40,000+ health care organizations, with over 750,000 Direct addresses and accounts (as of May, 2015).

Trust Community Profile
Trust Community Profile is a specific set of requirements to be followed by selected organizations that wish to voluntarily conform to them, all of which is transparent and open to public view. The DirectTrust community has agreed on a Security and Trust Framework to guide  the community’s use of Direct exchange among providers and between providers and  patients/consumers.  Adherence to this Framework’s policies and practices is asserted when a community member’s trust anchor is accepted into a DirectTrust anchor bundle.

 

Trust Bundle

Trust Bundle is a collection of trust anchors (those high level digital certificates utilized to establish initial trust during Direct exchange, as opposed to end-entity Direct certificates) that meet a common set of minimum requirements expressed in a Trust Community Profile.

The value of these Trust Bundles is that relying parties may include the trust anchors contained in the bundle into their STA implementations (trust stores) with the confidence that it is a secure source to obtain these trust anchors, along with providing a transparent view of each trust anchor’s adherence to the Trust Community Profile in order to help you make informed trust decisions.

Value Proposition

for DirectTrust Anchor Certificate Services

As long as a HISP and its associated CA/RA are considered to be in good standing with the DirectTrust community, its subscribers/addressees can participate in Direct exchange with all other members of the community through the vehicle of trust anchor exchange utilizing the DirectTrust Anchor Certificate Services, without any need for additional legal contracts or peer-to-peer agreements.  This situation is what is often referred to as “scalable” trust, because each new connection between HISPs and their subscribers grows the network of Direct exchange participants at an exponential, rather than linear, rate.

The benefits gained by having a central and neutral agency operate a single source for the collection, review, management, and distribution of trust anchors are significant.  The DirectTrust Anchor Certificate Service provides value through network benefits, risk mitigation, convenience and cost savings, and insurance against delays and interruptions for customers.

Risk Mitigation

DirectTrust anchor certificates assert a “gold standard” of accreditation for privacy, security and trust-in-identity has been met by HISPs, CAs, and RAs included in DirectTrust bundles. DirectTrust bundles openly and transparently define a community of service providers who are trustworthy and can be relied up to meet and uphold a high level of security and identity controls.

Convenience and Cost Savings

DirectTrust takes the cost, worry, and hassle out of managing certificate additions, refreshes, and revocation for participating HISPs and CAs. Centralized and secure “one stop” access to current, up-to-date anchor certificates mitigates the time and cost HISPs would otherwise expend gathering each others’ certificates.  Having these certificates available “on demand” 24-7-365 means that HISPs can update their trust certificate stores whenever it suits them and without depending on counterparties or their schedules.

Insurance Against Service Delays and Interruptions for Customers

Meticulous attention to detail in reviewing trust anchor certificates will avoid “downstream” errors, delays, and interruptions in Direct exchange between HISPs’ and their subscribers.

Network Benefits

DirectTrust anchor certificate bundles define a “network of networks” over which  Direct exchange messages and attachments can flow without impediment or barriers. HISPs and CAs that display the EHNAC-DirectTrust trust mark and have been accepted into a DirectTrust anchor bundle don’t have to worry about additional one-off connections or contracts to establish interoperability.  Inclusion in one or more DirectTrust anchor certificate bundles is an investment in the future, because as the network grows so does the value of being an early member.