Direct: 5 Years Of Simplifying Health Information Exchange

Five years ago today, Gartner Group HIT expert Wes Rishel posted a guest article on his blog entitled "Simplifying Interop," written by David McCallie, Jr., MD.

In his introduction, Rishel said, "I am advocating a layered approach to standards that cherry-picks the easy cases and approaches them using Internet standards that are widely used and, if necessary, easily adapted." He identified Dr. McCallie as a co-conspirator. I interviewed McCallie to recognize the key result of that post exactly five years ago: Direct, the first example of health information exchange using current Internet standards.

McCallie joined Cerner in 1991 and now serves as the company's senior vice president of medical informatics. He is responsible for a research and development team focused on developing innovations at the intersection of computer science and clinical medicine. His current work targets applications of semantic content extracted from the clinical record using natural language parsing techniques. He currently is a member of the Office of the National Coordinator's HIT Standards Committee, where he serves on numerous workgroups, including the JASON Task Force (co-chair); the Architecture, Services, and API WG (co-chair); the Privacy and Security WG; and the Interoperability and HIE WG.

[Nurturing a standard: DirectTrust Delivers Interoperable Messaging To Healthcare.]

Prior to joining Cerner, McCallie was director of research computing at Children's Hospital in Boston, where SMART on FHIR was developed. He earned a bachelor's degree in electrical engineering at Duke University and an MD at Harvard Medical School. He has published numerous articles and presents frequently on the subject of healthcare informatics.

Mark Braunstein: David, I'm afraid it is not as widely known as it should be that you were one of the innovative thinkers behind Direct. Can you explain how you came to see the need for a simpler, secure email-based means of sharing health information?

David McCallie, Jr.: We (the ONC HIT Standards Committee, or HITSC) were just getting started selecting the standards for Meaningful Use, and I was concerned that we didn't have a national standard for simple encrypted email-like exchange between providers. It occurred to me that starting with a simple "push" model of exchange would greatly simplify the governance and policy decisions necessary for what we wanted -- universal exchange -- as ubiquitous as the fax machine.

At that time, there were numerous proprietary secure messaging systems, but nothing that could be used for national-scale exchange. I pointed this out to Wes Rishel one evening before an upcoming standards committee meeting. Wes agreed with me and asked me to write about it on his Gartner blog. Clearly a lot of other people had been thinking about this problem, and so we had terrific response to the proposal, leading to numerous experts from around the country volunteering to help design and build a secure email system, based on existing Internet standards (SMTP, S/MIME.)

Eventually, due in large part to the ONC-sponsored coordinating work of Arien Malec and the volunteer efforts of dozens of experts (including Sean Nolan, Greg Meyers, Brett Peterson, Umesh Madan, Nagesh Bashyam, Paul Tuten, Janet Campbell, Rich Elmore, Mike Davis, and many others), the Direct standard emerged.

MB: For readers not familiar with the specifics of Direct, can you briefly explain what it is and how it works?

DM: Sure. Direct is a specific set of profiles on how to use Internet email (SMTP) and standard message encryption (S/MIME) to send secure messages from one provider to another.

Direct leverages well-known open source standards but adopts them for healthcare specific uses. The main thing that Arien's team did was to specify exactly how to manage the complex S/MIME encryption algorithms such that implementation challenges would be minimized, while still guaranteeing that the messages would be securely transmitted. Direct is managed on a local or regional basis by a special service provider called a Health ISP, or HISP. Among other things, providers are registered in the HISP after a verification process to establish "trust" -- that they are who they say they are -- and are issued special email addresses for use only for sending/receiving Direct messages.

MB: Today, of course, Direct is being increasingly used. Are you satisfied with Direct adoption levels?

DM: I am glad to see the rapidly growing availability of Direct users, but I am frankly surprised at how hard it has been to get close to our original notion of universal connectivity. It turns out that building a national-scale "trust framework" is harder than we had anticipated. We didn't think we could force Direct on everyone via a top-down government mandate, so we settled on a federated trust model: Each HISP would have to determine which other HISPs to trust. This has been slower and harder than expected, but we are now seeing lots of progress.

MB: What things do you see that still need to be done to increase Direct adoption and ease of use by providers?

DM: I see two major challenges. The first is the establishment of the trust framework that I mentioned before. The work of DirectTrust has been very important in addressing the creation of such a national-scale trust framework. The second major challenge is for EHR vendors to do a better job of integrating Direct-based secure messages into the clinical workflow. Meaningful Use Stage 2 has perhaps an overly specific use case for Direct, and ironically, that over-specification may have slowed overall adoption.

MB: I note with interest that the first response to your Gartner blog post was by Dr. David Kibbe, who now leads DirectTrust, the organization you just mentioned. Can you explain the need for that effort?

DM: David Kibbe has been a major advocate of Direct from the very earliest discussions. Trust, from a national perspective, is the ability of HISPs to be comfortable that other HISPs have properly vetted everyone who is assigned a special Direct email address to ensure they are who they say they are and that they are managing their encryption keys properly. David and some of his colleagues stepped up to the challenge of building a national trust framework by founding DirectTrust a few years ago, when they realized that federated trust models don't just spontaneously emerge.

DirectTrust works by allowing participating HISPs to undergo a rigorous certification process that proves to the other HISPs that security is being handled according to industry best practice standards. Once a HISP has passed the certification and is added to the DirectTrust "trust bundle," then all of the other participating HISPs can immediately trust the new member. This process is now scaling rapidly, since most of the major HISPs are participating in DirectTrust.

MB: Previously, I've discussed the JASON Report and the recent advice on adopting it that was provided by the JASON Task Force (JTF) convened by CMS and ONC. You co-chaired that task force, so what can you tell us about the likely future of the JASON recommendations?

DM: The original JASON report called for (among other things) the establishment of a "public API" that would be deployed by all major participants in the HIT infrastructure. The JTF agreed with that JASON recommendation and fleshed out some specific suggestions for how the HIT industry could indeed deploy the "public API."

The key is to understand that the public API consists of two things. The first is a standards-based API (likely HL7's FHIR) that all participants could implement, and the second is an expectation that everyone would deploy the API in a fair and non-discriminatory way.

We wrestled with the question of the government's role in ensuring adoption of the public API and settled on a recommendation that, once the public API is piloted and well tested, it should become part of the ONC EHR Certification program (CEHRT). We also suggested that ONC could speed the readiness of the vendor community to implement the public API by simplifying some of the proposed Meaningful Use Stage 3 (MU3) recommendations. In other words, trade off some of the current MU3 complexity for the increased power of a generic API.

We are now awaiting the release of the ONC Interoperability Roadmap, due out very soon, and we'll see how they have responded to these recommendations.

MB: Cerner has become a strong advocate for FHIR, another Internet-based technology that is rapidly receiving attention. I've interviewed Graham Grieve previously, but I'm sure our readers would be interested in getting a perspective on FHIR from a major vendor. What might we see from Cerner in the coming years in the way of FHIR support, for example?

DM: We believe that FHIR is the best candidate for becoming the public API that I mentioned earlier. FHIR is very well-designed, and it leverages many of the design principles (such as HTTPS) that have led to the success of the Internet. Cerner believes that many EHR vendors will come to see themselves as "platform" vendors more than just as product vendors.

The idea of a platform is that your customers can access the API to extend the product on their own -- to add in capabilities that the vendor might not have addressed. This could also lead to an ecosystem of "app developers" who utilize the public API to create "plug-in" apps much like we take for granted in our smartphones, etc. Cerner is working closely with the SMART on FHIR group (from Boston Children's) to create the open standards and specifications to make this vision a reality. Our early pilots in this space have been very well-received. We plan to deploy production versions of SMART and FHIR later into 2015.

MB: Interoperability has been for decades arguably the grand challenge facing health informatics. We've both been in the field for most -- in my case, nearly all -- of that time. I never thought I'd see the level of attention to the problem we're seeing now, nor did I feel I'd see an actual potential solution with a real chance of succeeding. Are you optimistic that we'll achieve interoperability, and can you take out your crystal ball and tell us how you think things may unfold over the coming years?

DM: As an engineer by training, I am always optimistic, but I agree that movement in the last year or so bodes very well for future improvements in interoperability. As you might expect, I think FHIR and specifications like SMART on FHIR will go a long way towards radically increasing the options we have to get our systems to have smarter interactions.

The use of a generic API like FHIR opens the door to innovative new interactions -- the kind that were not possible with the static, "bespoke" interface standards of the past. For example, FHIR will enable us to move past the reliance on document exchange via the complicated CDA approach and allow just the needed clinical data to be requested and received. This should lead to more satisfying interactions for the clinicians who use our systems.

This transition will take years to play out, but I am optimistic that we are indeed at a turning point in the industry's approach to interoperability.

Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.