Planning the Future of CDC Secure Public Health Transactions and Public Health Information Network Messaging System (PHINMS)

Jennifer McGehee, Tim Morris, Charlie Peng, John W. Loonsk

The findings and conclusions in this presentation are those of the authors and do not necessarily represent the views of the Centers for Disease Control and Prevention.

Value of Public Health Shared, Secure Transaction Standards and Tools

• Ensure that all public health participants have the ability to exchange secure transactions
• Minimize integration costs of non-standard transaction approaches
  – Technical integration and security costs
  – Identity proofing management
  – Authentication management
• Opportunity to leverage clinical care efforts and other public health program efforts to share maintenance, advance robust security, and minimize costs

Public Health Information Network Messaging System (PHINMS)

• Effort begun in 2002 to advance standards-based, secure, reliable data messaging among public health agencies and trading partners
• CDC-produced PHINMS software as an implementation of the standards the agency defined around public health transactions
• A related digital certificate authority and service was established to support encryption and non-repudiation
• Support for “route not read” and “behind the firewall” services
• Led to commercial product implementations

PHINMS at CDC – Payloads Received

[Chart: Number of Payloads by Fiscal Year, 2010 to 2013]

PHINMS at CDC – Message Size

[Chart: Megabytes by Fiscal Year, 2010 to 2013]

PHINMS State Example – Georgia*

• Supporting the Georgia Registry of Immunization Transactions and Services (GRITS) state internal system
• Currently 262 installations in hospitals and the Health Department
• ~22,500 transactions per day
• ~450,000 transactions per month

*Source: André K. Wilson, HP Enterprise Services, Contractor to the State of Georgia

National Secure Transactions Landscape

• Over 22 billion dollars invested in Electronic Health Records (EHRs)
  – New focus on EHR connectivity
  – Opportunity for public health to leverage this investment
• Nationwide Health Information Network – Exchange
  – SOAP (Simple Object Access Protocol)
  – CONNECT Federal government-developed software solution
• DIRECT initiative
  – Mostly SMTP (Simple Mail Transfer Protocol, i.e., email)
• RESTful web services
  – Identified as future direction in S & I Framework, Health IT Standards Committee

Public Health Transaction Needs

• Multiple transaction types
  – Push (e.g. lab result reporting to health department)
  – Pull (e.g. query of HD for immunization decision support)
  – Pull / query of EHR (e.g. public health investigation)
  – Publish / subscribe (e.g. code set distribution)
• Reliable messaging
• Synchronous and store-and-forward
• Each approach involves multiple standards applied together, which we refer to as a “stack”

The PHINMS Standards Stack

Common Name: PHINMS
Major Standards: SOAP, WS Stack, ebXML
Transactions: Push, Store and Forward
Synchronous: No
Vocabulary and Code Sets: Agnostic
Query / Content Structure: Typically HL7 messages
Reliable Messaging: Yes
Queuing: Included
Security: HTTPS, two-factor authentication (digital certificates)

• ebXML is fading
• Not aligned with ONC efforts
• Only supports "push"

The NwHIN Exchange Standards Stack

Common Name: NwHIN / SOAP
Major Standards: SOAP, WS Stack
Transactions: Push, Pull, Pub/Sub, Store and Forward
Synchronous: Yes
Vocabulary and Code Sets: Agnostic
Query / Content Structure: Focus on CCD
Reliable Messaging: Possible
Queuing: Not included
Security: HTTPS, SAML, XACML

• Advanced by HealtheWay and Care Connectivity Consortium
• No longer supported by ONC
• SOAP still strong in health care

The DIRECT Standards Stack

Common Name: DIRECT
Major Standards: SMTP
Transactions: Push, Store and Forward
Synchronous: No
Vocabulary and Code Sets: Agnostic
Query / Content Structure: Typically HL7 messages
Reliable Messaging: No
Queuing: Mail server-based
Security: S/MIME

• Major push by previous National Coordinator
• “Push” only and store-and-forward
• Immunization Information Systems report did not recommend

The SFTP Standards Stack

Common Name: SFTP
Major Standards: SFTP
Transactions: Upload/Download
Synchronous: Yes
Vocabulary and Code Sets: Agnostic
Query / Content Structure: No structure
Reliable Messaging: No
Queuing: Not included
Security: X-FTP

• Mostly used for manual data transfer vs. system to system exchange
• Does not support multi-factor authentication

The RESTful Standards Stack

Common Name: REST
Major Standards: RESTful, OAuth, OpenID
Transactions: Push, Pull, Pub/Sub, Store and Forward
Synchronous: Both
Vocabulary and Code Sets: Agnostic
Query / Content Structure: Typically HL7 messages
Reliable Messaging: Yes
Queuing: Included
Security: HTTPS, two factor (dig certs)

• Identified as future direction by HIT Standards Committee and S & I Framework
• Limited health care implementation, but strong Internet use
• Supports HL7 FHIR initiative

Conclusions

• A multi-protocol public health and clinical care transaction world will be the reality for some time
• PHINMS legacy standards and system should be updated to take advantage of new and emerging standards, but with time and coordination
• Alignment with standards being utilized in health care could potentially allow CDC to reduce support costs for software development and improve transactions between clinical care and health departments
• DIRECT transactions are not suitable to fully support public health needs, but they will need to be supported and handled in some contexts
• REST can offer a suitable and improved public health transaction platform in time

Recommendations

• CDC should plan, communicate, and pursue a path forward for secure transactions
• Public health should engage in stack specification for REST development
• CDC should consider enabling transport translation and routing services

Questions and Comments?

Contact
Jennifer McGehee
PHINMS CDC Project Lead
ake0@cdc.gov
(404) 498-2411