Trust is not Global

I have been lax in acknowledging another awesome idea to emerge from recent discussions about how to accelerate progress around data exchange. Just before Thanksgiving (and my daughter's 16th birthday!), Wes Rishel wrote a post in which he proposed that we might short-circuit the daunting and messy current requirement of full transitive trust for participation in the NHIN:

"This approach relies on an assumption: that the business trust between organizations that use EHRs and the organizations that receive data from them or send it to them can be addressed without the full formal architecture of transitive organizational trust that complicates the HIE+NHIN approach.

Organizations that exchange data would use the postulated simple Internet mechanism to exchange information with other organizations which they had independently determined to trust."

This - is - an - AWESOME - simplfying - approach.

The idea that we can create some kind of fully-trusted space for health data exchange is really, let's be honest, nuts. Not to mention incredibly dangerous. And as far as I know, it doesn't match any other heterogeneous ecosystem in the world.

Participation in "the NHIN" should simply be a matter of implementing the right protocols and having sockets open on the Internet. Anybody should be able to plug in, just like they can plug a web server into the web. That doesn't mean that anyone will trust them to exchange data, but that's just a separate issue.

Point-to-point trust will actually get us a long way. State health authorities could certainly register public keys for all of the healthcare entities in their region to accept reporting data. Affiliated organizations could flip the switch to talk to each other. Consumers could choose to connect with individual facilities they work with. It's really pretty powerful.

But --- it has limitations too. For example, the state might really want to trust "any Washington-state certified provider" when accepting metrics, or consumers might want to trust "any JCHAO-certified hospital worldwide" when sharing emergency PHR information.

Well, as it turns out, we already have a technical model that supports the range of scopes of trust - the certificate authority hierarchy model that drives commerce on the Internet today. Why not allow any self-proclaimed authority to issue certificates to healthcare entities, and have those entities present them on the NHIN? This allows for a full and complete range of trust, with different authorities representing different certifications, obligations, promises, and expectations - just like the real world.

By using standard certificate models from the get-go, we can start with point-to-point trust, and expand into more and more powerful use cases as authorities emerge (I would love for HHS to stand up the first of these). We get the best of all worlds --- exchange now, with a path to make it better over time.

This just feels right... and easy. Next!

Comments (3)

  1. Shane Taylor says:


    You have great thoughts on this.  I wanted to make sure you read some of the comments on Wes’s other posting.  If you haven’t, I think you will be interested in the content.  I am especially curious to see someone comment on Liam Davis-Mead’s comment.

  2. Don Rule says:

    The tricky part about this is that Trust implies both Authentication AND Authorization. Certs handle the trust hierarcy pretty well but you probably also want to restrict the radiologist to the relevant portion of your record. Certs work well for the authentication hierarchy and although there is a very flexible way to express authorization in ASN.1 there haven’t been sufficient standards to make them usable – the military went down that road but had trouble when it came to security levels across services (e.g. if it is produced by the Marines then the navy can edit but airforce can only read and the army gets the redacted copy).

    This has been an issue for digital rights and XrML turned out to be infinitely flexible but the complexity held back adoption. HealthVault does this internally so I’d be interested to know how you configure it in federated scenarios.

  3. Shane Taylor says:

    A very good conversation is happening here that I want to make sure you know about:

    I have even reposted Liam’s comment as I think its relevance is high for this thread.

Skip to main content