Use direct sender to securely send medical records through e-mail in a medical IT system

In almost all other industries, cloud computing has been a revolutionary force in promoting system interoperability and reducing it costs, but it is hard to adopt a cloud model for healthcare it. Today, medical IT in the cloud is largely limited to small applications of managed electronic medical records (EHR) providers, such as Eclinicalworks and practicefusion. Instead of focusing on data exchange, these providers focus on managed data and services (software as a service or SaaS model). The large hospital system has not yet adopted cloud computing in any meaningful way.

The potential cost savings of cloud computing could be a huge temptation for healthcare providers to move to a more efficient and open data infrastructure. The ability to safely share medical data across the health care system has improved the patient's medical reliability. And for software developers, medical IT represents a new area of innovation and discovery.

In this article, I'll introduce a sensitive data interchange protocol, Direct Project, with a broad perspective, developed and replicated by the U.S. federal government. First, IT outlines the requirements for Open data exchange and the limitations of common protocols in medical IT. It then describes how Direct Project can fill the security and infrastructure gaps that have hindered the medical system from adopting a more open Data interchange protocol so far. Finally, I will provide a simple programming example using direct Sender, direct Sender is an open source, java-based client that implements the direct protocol.

Medical IT and Open data exchange

Hospitals and doctors are notorious for providing online access to patient data. Even today in 2012, when you go to a typical American hospital to get your medical records, hospital staff simply print them out and charge you a certain copy fee. When your doctor needs to recommend you to another medical provider, he or she is likely to send a fax or telephone contact to the provider. Such unreliable data management can lead to huge waste and even medical errors.

For many reasons, medical IT has been slow to use internet technology. This is partly due to the economic incentives that are off track, the highly fragmented Electronic medical records (EHR) market, the vendor lock-in created by EHR providers, the privacy regime, and the loose and fragmented data exchange standards. Thanks to these impediments, cloud computing has so far had little effect in the healthcare IT sector. Even in healthcare providers with EHR implementations, it is often internal to host data and try to avoid external access.

Development history of Direct Project

The United States federal government initially developed the Medical information exchange network to connect the DoD (DoD) and VA (VA) hospitals so that wounded soldiers can receive more effective treatment across hospitals. The system is called the National Health Information Network (Tiyatien information receptacle, NHIN). The system was subsequently taken over and transformed into an open source project by Office of national coordinator of Tiyatien IT (ONC) as a medical information exchange template for the entire United States. ONC renamed the item to Nationwide tiyatien information receptacle (Nwhin) and then renamed EHealth Exchange.

The core of the federal HIE Network is a service-oriented architecture (SOA) system called CONNECT, which is based on a Java ESB. Medical providers in the network can plug their systems into the bus. CONNECT networks can be organized in a layered way. In practice, however, the maintenance and expansion of such a system is complex.

Recognizing the limitations of Connect, ONC next developed a scaled-down version of the HIE infrastructure called Direct. Unlike the Connect,direct design, it is a peer-to-peer structure. Medical providers who are accustomed to sending messages back and forth are familiar with the open, Peer-to-peer data exchange model of direct, so direct is more likely to be used.

e-mail security and medical IT

Patient data stored in the medical IT system must comply with strict privacy and security regulations, such as the health Insurance Circulation and Accountability Act (HIPAA) and the Medical Information technology promotion Economic and Clinical Health Act (HITECH). These regulations combine to define how data should be stored and transmitted, and who should be responsible for data disclosure.

E-mail is the most widely used tool in the process of exchanging documents over the Internet. Although e-mail is ubiquitous, it is not safe enough to send sensitive data, such as medical records and referral information. e-mail addresses may be phishing, and e-mail content is passed through multiple Third-party mail servers on the Internet in clear text before reaching the recipient's inbox. These facts contradict HIPAA and HiTech security rules.

But since the first discovery in the financial industry, the universality of e-mail has proved to be a big attraction. Long before medical IT was born, the financial industry had been the first to develop secure e-mail to share sensitive financial information with online banking users. The IETF RFC 3851 (Secure/Multipurpose Internet Mail Extensions (S/MIME) message specification) defines a way to encrypt e-mail attachments using a public key infrastructure (PKI) protocol. According to RFC 3851, the S/MIME attachment can contain a full e-mail message that is then sent over the public Internet.

Although PKI is a widely accepted Internet security standard, there are some significant impediments to using PKI-based secure e-mail messages:

The

PKI requires that both the sender and the recipient have a digital certificate issued by an established authority. This digital certificate provides an encryption and decryption key for a shared e-mail message. More importantly, it establishes the identity of the sender and the recipient so that no one can counterfeit the message. Getting a person's certificate is often a lengthy and costly process. Once the sender and the recipient receive their digital certificates, they need to advertise the certificates on the Internet because the sender and the recipient must exchange certificates before they can send each other e-mail. This issue has been partially resolved by creating a new DNS standard that stores e-mail certificates on the DNS server, which can be publicly discovered. However, most DNS services on the Internet do not implement this feature. Both the sender and the recipient must use an e-mail client that supports S/MIME encryption and DNS certificate discovery.

The combination of these impediments has greatly hampered the user's adoption of secure e-mail. Nevertheless, the Direct protocol is a good solution for specific use cases of secure document exchange between healthcare providers and patients.