Sunday, January 31, 2010

The Reality of a Fully Operational HI Service is Years Away. Let’s Stop The Spin and See the Actual Implementation Plan!

The following appeared a few days ago.

Thursday, 28 January 2010

e-Health: something's rotten in the State of Kevin


"The End User Security Reviews clearly found that there are instances in which particular users may share user credentials (whether they be passwords or tokens) to facilitate their obligation to patient care.

In situations such as a hectic Emergency Department or a large onsite trauma situation, the adherence to business processes which promote unique identification and authentication of users of the HI Service may not be practically possible.

The security controls and awareness levels found in these assessments have been varied."

{NEHTA - HI Service Security and Access Framework 13/11/09 PUBLIC}

For the rest of the blog drop in here:

http://northcoastvoices.blogspot.com/2010/01/e-health-somethings-rotten-in-state-of.html

This got me to start thinking just where the National Authentication Service for Health (NASH) was up to, as it is needed for the HI Service.

I found this page:

http://www.nehta.gov.au/component/docman/cat_view/49-publications/48-connecting-australia/54-nash

NASH

As significant amounts of sensitive and personal information is being sent electronically around the globe, there is a need to guarantee the authenticity and validity of the information that is being exchanged. In the case of your personal medical information, there is an even greater imperative to ensure that information is collected and securely electronically exchanged only by those authorised to do so.

The National Authentication Service for Health (NASH) project will deliver the first nationwide secure and authenticated service for healthcare organisations and personnel to exchange e-health information.

Together with clinical terminology, messaging standards and unique health identifiers, NASH will provide one of the fundamental building blocks for a national e-health system.

Categories

Nash Fact Sheets

Information Specification, Content & Requirements

However no joy. Both these are empty of any information at all!

The article referenced in the blog does provide some small help and raises more than one issue!

See here:

http://www.nehta.gov.au/component/docman/doc_download/877-security-and-access-framework

For those who missed the release of the document initially there are some interesting things said.

This provides the first interesting section:

“2.2 End User Access - Threat and Risk Assessment

The potential user base of the HI Service is diverse. Once fully operational, it is expected that upwards of 500,000 Healthcare Provider Individuals (HPI-I’s) will participate in the HI Service. In addition, large numbers of HI Service Users will require access to the service to facilitate the delivery of healthcare services. The end user security assessment has allowed NEHTA to ascertain security vulnerabilities, risks and threats that an end user presents at a ‘typical’ healthcare setting, and gain an understanding of current security practices and awareness levels.

In order to obtain a cross section of the healthcare community in a diverse array of healthcare settings, a range of private and public health organisations were visited. Numerous staff members were interviewed, and practices and processes reviewed and evaluated.

The End User Security Reviews assessed the following:

  • A large city public hospital
  • A children’s public hospital
  • A private pathology and radiology service
  • A private hospital
  • A rural public hospital

The End User Security Reviews clearly found that there are instances in which particular users may share user credentials (whether they be passwords or tokens) to facilitate their obligation to patient care. In situations such as a hectic Emergency Department or a large onsite trauma situation, the adherence to business processes which promote unique identification and authentication of users of the HI Service may not be practically possible.

The security controls and awareness levels found in these assessments have been varied. These findings are invaluable as they provide a solid ‘real world’ understanding of security in a variety of healthcare settings. They will give primary input into appropriate baseline security controls that will need to be included in Participation Agreements, and security considerations that will need to be included in the design of third party health systems (such as Patient Administration Systems).

These reviews have ultimately assisted in designing and developing effective and usable controls for the HI Service.”

Now I am not sure how you read this, but what it says to me is the chance of having trustworthy provider identification – to reassure the public their records are secure – is not high at all. Too many people and too many situations where ID technology will get in the way – exactly as has been discovered with the provider smartcards in the UK!

I think you will find NEHTA has no clue about how to handle emergent and high volume situations - especially with many providers all needing computer access. Some explanation of how this was to be handled would have been good.

I could have told them had they asked!

This is also very interesting:

“3.3.2.2 Healthcare Provider Individuals

Healthcare provider individuals (possessors of HPI-Is) will be identified through their professional registration process or other approved processes. Access will be either by identifying themselves to an HI Service officer by phone, person, fax or mail or by using a PKI certificate to electronically access the HI Service. Certificates will be available upon request using the National Authentication Service for Health (NASH).

As an individual healthcare provider they will be able to access their own provider information. However, they must provide evidence, either to a body acting as a Trusted Data Source to the HI Service, or directly to the HI Service Operator, that they are employed by a healthcare provider organisation, before being permitted to access the core HI Service. The core HI Service includes IHIs and associated healthcare individual information, and the healthcare provider directory services (which include the details of healthcare provider organisations and consenting healthcare provider individuals).”

I am not sure if I read this correctly, but it sounds like solo GPs and specialists who work for themselves are not going to have access without a lot of work and signing all sorts of documents – see below!

The other issue, of course, is that the National Registration System is not planned to start until mid 2010 – so there is not going to be much time to get providers into the system, issue all the PKI certificates and so on with the current planned live date of the HI service being the same! (July 2010)

Even more remarkable is this:

“4.3 Participation Agreements

Participation Agreements will be a necessary requirement for healthcare provider organisations to actively participate in HI Service. A Participation Agreement will be executed as part of an overall registration process. The Participation Agreement will form an integral part of the security framework, providing the foundation for best practice security. Participation Agreements will include enforceable terms and conditions, underpinned by legislation, and will address a broad range of fundamental areas of responsibility.

In order to access the HI Service, healthcare provider organisations will be required to address the following areas in relation to security:

  • Comply to minimum baseline security requirements (including areas such as account creation, unique identification of users in interfacing systems to the HI Service, password management strategies, firewalls, anti-malware, audit trails);
  • Participating organisations will be required to maintain any computer and other ancillary electronic equipment to meet a minimum standard of being technologically adequate for the purposes of the IHI and HPI services;
  • Have mechanisms in place to manage risks and liabilities;
  • Have policy and procedures that address information security and privacy; and
  • Provide education and training to all HI Service authorised users so that they are aware of their responsibilities.”

Continued.

Showing characteristic understanding of the sector, they seem to imagine all the providers are going to rush to take on all these extra obligations, at their cost, to suit NEHTA. Just why would anyone bother?

They are clearly dreaming and have not thought through and worked out how to distinguish the perfect from the possible and then how they are going to even get to the possible.

The whole document also seems to identify a range of problems for which it has no answers – and this document was released about 2 months ago! What has changed, I wonder?

Of course all this makes a joke of all the claims of how all access to the HI will have full reliable audit trails etc. They are really dreaming I believe.

The following provides the FAQ for healthcare providers.

http://www.nehta.gov.au/images/flipbooks/HI-Brochure-Providers-FAQs-NEH050/index.html

The one big question it does not answer is the obvious one. Why would I go to all this trouble and, if I do, what can you show is really in it for my patients and me?

Finally, it is clear from the FAQ that allocation of provider identifiers will be staged over who knows how long – so I wonder, if all the other issues are addressed, just how long it will be before the actual HI Service is really operational nationwide. Let’s face it – it will be years!

As I have said before – let’s see a realistic implementation plan. As it is now we are all in the dark!

David.

15 comments:

Anonymous said...

I find it difficult to believe that NEHTA and DOHA are just going it alone. Surely they must have the backing and support of the peak medical bodies who represent the health professionals. Don't they?

Dr David G More MB PhD said...

And when they discover what is involved... if they were keen... how long will it last?

David

Anonymous said...

David, it is probably quite unlikely the peak medical bodies will actually ever really discover what is involved. Some of the reasons for this are they are too gullible and want to believe what NEHTA is telling them, they have no depth of expertise to know what is and what is not practicable, they are too hidebound in a raft of other complex political issues to give anything more than limited passing interest to ehealth issues.

But most important of all they have no cohesive voice due to the fragmented nature of the many craft groups which represent the diversity of specialised medical professionals ranging from GPs to perhaps 30 or so specialist bodies. Few, if any would let the top of the pyramid - the AMA - speak for them on ehealth issues even if it did have the expertise to do so which is not readily evident.

What this in effect means is that the doctor groups are so fragmented by virtue of the way they are, of necessity, structured as to be impotent in having any real effect on the direction of ehealth. The best they can do is sit on committees in the hope they might glean some insight into what is going down, but in the end they are unable to impact the outcomes.

Are there any parts of this synopsis you don’t agree with?

Dr David G More MB PhD said...

I think you might be selling the AMA a little short. They are pretty good at looking out for their members. Other than that pretty close to what I think.

However, without positive help and support from these groups I don't believe the HI Service will ever be a success. Their 'benign neglect' will be a major block to its success.

David.

Anonymous said...

You might be right about the AMA - let's hope so. They certainly are the best politically aligned body to speak on behalf of all their members. Also, I agree, you are right when you say that unless the doctor groups support the HI service it will never happen. However, although support is one thing, probably far more important is the AMA's ability to exercise some real influence and have a strong voice around the issues of what is and what is not acceptable. Unless they do that they are beholden to the whims and wishes of the bureaucrats and we have all seen what happens when the bureaucrats are permitted to exercise carte blanche control over ehealth.

Anonymous said...

That's all well and good but what evidence do you have that the AMA has been able to influence anything to do with ehealth to date?

Anonymous said...

I would like to paraphrase that last question to ask two more equally pertinent questions - what evidence does anyone have that shows:

- firstly that NEHTA's clinical leads have been able to influence any of the professional medical bodies, and
- secondly, that NEHTA's clinical leads have been able to influence NEHTA in any useful way?

Where would we find that 'evidence'?

Dr David G More MB PhD said...

Loath though I am to say it I would suggest the 'clinical leads' would appear to have been a bi-directional failure delivering pretty much no influence on either the NEHTA direction or the overall shape of what Government plans to do with e-Health.

Can anyone provide evidence to support a contrary view? I always saw the 'clinical lead program' as a NEHTA policy fig-leaf but that is probably my cynicism showing through. The outcomes of the SRF meetings seem to support the fig-leaf view.

David.

Anonymous said...

"a NEHTA policy fig-leaf" seems like a perfect description. Would a pithy factual statement from NEHTA or from Dr Haikerwal satisfy the skeptics and doubters?

Anonymous said...

The HI Service by itself does nothing for anyone. It will be useless until HL7 messages start to include these numbers. Once that is done then matching patients, providers, etc may be a bit more reliable. Everyone who currently deals with HL7 messages already has ways of doing this matching. The HI Service will just add another way. No one will commit to using it until it is proven reliable.

None of the software that produces or consumes HL7 messages will be modified to start using HIs until it is a fairly sure bet. This will not happen until the legislation is passed.

That is, it is unlikely that many people will want to use the HI service on day 1, and probably not until one or two software development cycles after it starts.

Further, you need to ask who is actually going to use the HI Service? I doubt that it will be doctors. In a GP practice it will be the receptionist. In a hospital it will be the admissions clerk, or the PMI will do a batch query. And if they don't use HIs? There is no big loss in the short term. Maybe by 2013ish we will need to ensure it is widespread.

So who has access to the HI Service is irrelevant on day 1.

Dr David G More MB PhD said...

So why all the hoopla about 1 July 2010?

As I have argued we need to see a real credible implementation plan so all can plan what they need to do and by when - given the NEHTA role is only part of the story at best.

David.

Anonymous said...

There is an implementation plan for the HI Service. It is 1 July 2010, if the legislation is passed.

You, and many many others, keep confusing the HI Service with the IEHR (or whatever it is called today). The HI Service will contain no health information. It is merely a useful stepping stone.

Dr David G More MB PhD said...

No one I know is confused. I am certain I am not and I am not talking about the IEHR. I am talking about the HI Service which does not have an implementation plan I have seen - unless you think a single date is a plan. I don't.

David.

Anonymous said...

There were many dates presented at the HI Service Launch in Canberra last year. These do not seem to have made it to the NEHTA website.

Not that they have met many of those dates. (Maybe that is why they haven't published them.)

Anonymous said...

The ehealth software vendors who stand to win in the face of a major reform of the entire health system (which is well on the cards) will be twofold.

First will be the large well resourced vendors who, having already secured a widely dispersed customer base, will be able to further strengthen their already dominant position.

Second will be the smaller highly specialised vendors who have sufficient tenacity and discipline to contain their immediate sphere of activity to specific niche sectors - where they can develop locally and ready themselves to subsequently expand nationally as chaos and panic sets in across multiple jurisdictions leading to opportunities ripe for exploitation.