The “Direct Project” Reference Implementation Architecture 1
The “Direct Project” Reference Implementation Architecture
1
NwHIN Direct Approach
2
Develop specifications for a secure, scalable, standards-based way to establish universal health addressing and transport for participants
Send encrypted health information directly to known, trusted recipients over the Internet (Push Model)
Participants include providers, laboratories, hospitals, pharmacies and patients
Standards and service descriptions designed to address the key Stage 1 requirements for Meaningful Use
http://wiki.directproject.org/home
Direct Reference Implementation
3
Open-source reference implementation and associated libraries implementing the Direct Project specification
Implementations in Java and in C Sharp(.Net)
Actually implemented and used in several pilot projects. New York Hudson Valley and Rhode Island have hooked their pilots together (HISP to HISP)
Multiple EHRs vendors in the pilots
http://wiki.directproject.org/Reference+Implementation+Workgroup
4
HISP Security Domain
ConfigurationService
SMTP Service(Gateway )
Apache Mailet API
Security Agent
SQL
Configuration Web UI
“Real” SMTPServer
XDR Source(Sending System)
JAVA REFERENCE IMPLEMENTATION PLUS DIRECTORY SERVICES
XD* SOAP SERVICE
Apache Mailet API
XD* Agent
Internal Email Client
XDR Service(Receiving System)
POP/SMTP
Provider Directory Services
CertificateDirectoryServices
External Direct Health
Information Services (HISPS)
SMTP(SMIME)
EHR to EHR
5
cmp EHR to EHR
XDR Source (Sending System) HISP/HIE Direct XD* Serv ice XDR Serv ice (Receiv ing
System)
Configuration Serv iceProv ider Directory Serv ice
ProvideAndRegister
Mutual Authentication
Get Local Endpoint
ProvideAndRegister
Mutual Authentication
Search For Provider
Search For Entity
EHR to EHR Sequence
6
sd EHR to EHRSequence
XDR Source (Sending
System)
Provider Directory
Service
HISP/HIE Direct XD*
Service
Configuration Service XDR Service (Receiving
System)
SearchForProvider(SearchForProviderRequest)
:SearchForProviderResponse
MutualAuthentication()
ProvideAndRegister(ProvideAndRegisterRequest)
GetLocalEndpoint(DirectAddress)
ProvideAndRegister(ProvideAndRegisterRequest)
:ProvideAndRegisterResponse
:ProvideAndRegisterResponse
Why the SMTP Backbone ?
Allows for the inclusion of providers without EHRs in the Direct model
Allows for a security model that does not rely on a strong federation
Strongly federated security with dictated CA structure, like the “Federal Bridge”, seem to be difficult to implement
Without strong federation, unanticipated push between two random TLS based SOAP systems is not simple (possible?)
Using the Direct “Certificate Directory” model allows for unanticipated SMIME with “dynamic certificate exchange”
7
8
HISP Security Domain
ConfigurationService
SMTP Service(Gateway )
Apache Mailet API
Security Agent
SQL
Configuration Web UI
“Real” SMTPServer
XDR Source(Sending System)
THE MAILET, ENABLING SECURE SMTP BASED SERVICES
XD* SOAP SERVICE
Apache Mailet API
XD* Agent
Internal Email Client
XDR Service(Receiving System)
POP/SMTP
Provider Directory Services
CertificateDirectoryServices
External Direct Health
Information Services (HISPS)
SMTP(SMIME(XDM))
SMTP (XDM)
What Apache Mailets Get You
“In-flow” programmatic access to the (S)MIME message without cumbersome polling or queuing
Allows for dynamic certificate exchange, decryption and signature validation
Allows for dynamic conversion to more SOA friendly protocols
Extremely simple “injection” mechanism
Configuration based
9
SOAP to SMTP
10
cmp EHR toSMIME Out
XDR Source (Sending System) HISP/HIE Direct XD* Serv ice HISP/HIE Direct Mail Serv ice
Configuration Serv iceProv ider Directory Serv ice Certificate Repository Serv ice
External Direct SMTP Serv ices
Get Provider Private
Key (Sender, Sign)
SMIME(XDM) Over SMTP
Get Current Certificates
(Recipient, Encrypt)
XDM Over SMTP
Get Local Endpoint
ProvideAndRegister
Mutual Authentication
Search For Provider
Search For Entity
SOAP to SMTP Sequence
11
sd EHR to SMIME Out Sequence
XDR Source (Sending
System)
Provider Directory
Service
HISP/HIE Direct XD*
Service
Configuration Service Certificate Repository
Service
HISP/HIE Direct Mail
Service
External Direct SMTP
Services
SearchForProvider(SearchForProviderRequest)
:SearchForProverResponse
MutualAuthentication()
ProvideAndRegister(ProvideAndRegisterRequest)
GetLocalEndpoint(DirectAddress)
SMTP(XDM)
GetProviderPrivateKey()
GetCurrentCertificates()
SMIMEOverSMTP(XDM)
:Ack
:Ack
:ProvideAndRegisterResponse
12
HISP Security Domain
ConfigurationService
SMTP Service(Gateway )
Apache Mailet API
Security Agent
SQL
Configuration Web UI
“Real” SMTPServer
XDR Source(Sending System)
THE MAILET, ENABLING SECURE SMTP BASED SERVICES
XD* SOAP SERVICE
Apache Mailet API
XD* Agent
Internal Email Client
XDR Service(Receiving System)
POP/SMTP
Provider Directory Services
CertificateDirectoryServices
External Direct Health
Information Services (HISPS)
SMTP(SMIME)
XDR
SMTP to SOAP
13
cmp SMIME to EHR In
XDR Serv ice (Receiv ing
System)
HISP/HIE Direct XD* Serv iceHISP/HIE Direct Mail Serv ice
Configuration Serv ice
XD Step Up Serv ice
Certificate Repository Serv ice
External Direct SMTP Serv ices
Get Local Endpoint
ProvideAndRegister
Mutual Authentication
ProvideAndRegisterForwardMessage
Get Local Endpoint
Get Provider Private Key
(Recipient, Decrypt)
Get Current Certificates
(Sender, Validation)
SMIME Over SMTP
SMTP to SOAP Sequence
14
sd SMIME to EHR In Sequence
External Direct SMTP
Services
HISP/HIE Direct Mail
Service
Certificate Repository
Service
Configuration Service XD Step Up Service HISP/HIE Direct XD*
Service
XDR Service (Receiving
System)
SMIMEOverSMTP()
GetProviderPrivateKey()
GetCurrentCertificates()
GetLocalEndpoint()
ForwardMessage(Payload)
ProvideAndRegister(ProvideAndRegisterRequest)
MutualAuthentication()
ProvideAndRegister(ProvideAndRegisterRequest)
:ProvideAndRegisterResponse
:ProvideAndRegisterReponse
:Ack
:Ack
Conclusions and Questions ?
The Direct specification and reference implementation has been an incredible example of cooperative open source development
Multiple “connectathons” and extensive jUnit testing help make the implementation rock solid
Architecture seems as clean as possible with multiple protocols
Still firming up the Provider Directory detailed requirements
Certificate Directory now uses DNS, may or may not change
15