Most people in healthcare informatics are aware that FHIR is a new standard that defines a web application programming interface (API) and related specifications for health data exchange. One question about FHIR is how to build trust networks for sharing data between FHIR servers across organizations. During a May 21 webinar, members of DirectTrust workgroups discussed their efforts to allow for the exchange of FHIR resources using DirectTrust's certificate-based trust framework.
Operational since 2013, the Direct Network has 1.67 million trusted Direct addresses involving 112,000 healthcare organizations. "It has both the technology and policy to enable a trust system for providers to work together," said Calvin Beebe, board chair of HL7 and a technical specialist at Mayo Clinic. "Because there is such expenditure involved in planning, setting up and maintaining trusted distribution networks, there is strong incentive to leverage existing networks as much as possible."
For FHIR, the DirectTrust community has addressed two use cases and has presented on them at recent FHIR Connect-a-thons. The first involves sending FHIR resources in a Direct message as an attachment. “This turns out to be not that difficult,” Beebe said. “It allows you to send FHIR resources as a payload from one Direct site to another or to send a query and receive back information using Direct messaging capability.”
The second use case involves using Direct’s X.509 certificates with the FHIR RESTful API to enable trust relationships to scale up. “We looked at how to take FHIR servers and establish trust between them directly,” Beebe said. “One scenario is sending attachments and the other is improving the FHIR resources so they can be trustworthy.”
Bruce Schreiber is chief technology officer of MaxMD, a health information service provider (HISP) and a board member of DirectTrust. He gave a brief demo of what Direct to FHIR for query-based exchange looks like.
MaxMD has developed a “Direct to FHIR” solution for both patients and providers to query medical records by sending a Direct message. MaxMD says it leverages the trust-in-identity assured by a Direct Address to provide authentication and authorization of an HL7 request to a FHIR API. The user receives a response in an inbox like an ordinary Direct message.
Schreiber noted that the two use cases described are complementary approaches. “What we showed in example one is that Direct can be used as a transport layer, as a single onramp to transmit a FHIR payload,” he explained. “In scenario two, we showed the trust framework developed by DirectTrust can be used for authentication and authorization, and there are a number of ways this can be scaled.”
Luis Maas, chief technology officer of another HISP, EMR Direct, chairs the DirectTrust Security and Trust Compliance Workgroup. He said these two scenarios are part of a body of work that has been ongoing since 2014, when talk about open APIs in healthcare started to gain steam.
“Several of us in the DirectTrust community were already looking ahead at the issues of trust and scalability and how a certificate-based framework like DirectTrust could be used to jumpstart these open API networks,” Maas said. “At DirectTrust we asked ourselves what benefits of using a certificate-based trust framework we could inject into the open API ecosystem and really jumpstart that and scale trust.”
Among the benefits he described:
• Validated network identity, certificate management, policy
• Confidence in exchange across organizations that might not otherwise communicate with each other
• Scales more easily than one-off key exchange with every counterparty
• Single on-ramp model
DirectTrust was able to create scalable tools for Direct messaging, Maas noted, which allowed for rapid and flexible scaling in a trustworthy way. “FHIR is in need of the same thing now, so that providers can enroll once and use the same type of approach for open APIs. It goes toward the single onramp idea.”
One question is how well DirectTrust’s efforts with HL7 FHIR dovetail with the TEFCA framework being developed by the Office of the National Coordinator for Health IT.