Thursday, March 22, 2012

NEHTA Provides A Final Report On E-Signatures - Useful To Know It Exists.

The following pair of documents popped up a few days ago:
Here is their description of the release.

Release Notification

Final Recommendations - Electronic Signatures



NEHTA is pleased to announce its Final Recommendations for Electronic Signatures on an initial set of clinical document types.
Following research and consultation with stakeholders in 2011, NEHTA’s Electronic Signatures initiative reached national consensus on well-defined mechanisms for clinicians to apply personal electronic signatures to attest to the content of clinical documentation within an eHealth context.


The purpose of this document is to present the agreed recommendations for the signing of clinical documents. The recommendations are intended to be used as a basis for the development of technical specifications, software systems, legislative instruments, and local policies.


The recommendations apply to clinical documents where the sender and the receiver are in separate and independent healthcare organisations. Different risk profiles (e.g. associated senders and receivers) imply different approaches, which are discussed in detail.
The document contains specific recommendations for the following clinical document types:
  • Prescriptions
  • Dispense records
  • Referrals
  • Specialist letters
  • Diagnostic imaging requests and reports
  • Discharge summaries.

Next Steps

NEHTA has already built support for the recommendations into current technical specifications and will be moving to produce implementation guidance. NEHTA has also commenced work with Commonwealth, state and territory governments to facilitate regulatory approvals in support of the recommendations where appropriate.
NEHTA expects to expand the recommendations to cover other clinical document types as the eHealth programme evolves.


NEHTA welcomes feedback on the document, which can be emailed to Kieron.McGuire at as can any related questions. Priority areas for feedback include errors of omission or commission, and potential issues affecting patient outcomes or choice.
----- End Announcement.
I have browsed through the associated documents and it seems reasonably clear what is intended.
Basically for most documents in the list above - other than prescriptions and medication records - the level of risk and the need for authentication beyond the use of individual log-on and use of an organisation or personal certificate is seen as adequate.
With medications the risk is assessed as moderate in some circumstances related to prescribed medicines and drugs or abuse or addiction.
Here a NASH Token, time expiring PIN and PKI are recommended.
At first blush I wonder if the approach to minimal / low risk might be a trifle lax and that repeated entry of PINs as well as token use might not be rather frustrating an annoying for the prescribing / dispensing functions.
Time will tell how this works in practice.
On another issue, why is it a Version 1.0 FINAL document? Given that has had no field implementation why is the term FINAL used. Surely Draft for Trial Use and Review would be more sensible. After 2-3 years if it all works out as hoped for Version 2.0 can be Final.
I just don’t get this approach to documentation, especially when comments are sought!
Pretending to be God like and to speak 'ex-cathedra' is not what we should be seeing from such a clearly fallible organisation - think recent pause etc..


Anonymous said...

I wonder what status my signature will have on these documents? Right now some my signature is not legally binding but purely informative to the reader. Prescriptions would be a notable exception where my signature means that I am saying the patient needs the medication and I can not revoke that opinion. Seems like a lot of hassle to implement something like electronic signatures for all those document types when only certain ones will actually be legally binding?

Anonymous said...

Documents like this really never are final - they can only be the *current* version. One has to allow for possible changes or improvements in the future.

Anonymous said...

"Final" means finally past the NEHTA process. Nothing to do with actual implementation.

The prescriptions signature is not about whether the prescriber can revoke their opinion. Of course they can change their mind. Ideally it would prevent them denying they ever had that opinion, but non-repudiation is not achievable for a variety of reasons. In practice, the signature is to prevent tampering of the prescription to get access to illicit medications.

Though you'd have to be a pretty clever hacker to penetrate a prescription exchange service. If you're that clever, why are you mucking around with chicken feed single prescription item? Just order a ton of the stuff for free trom the supplier...

Anonymous said...

eSignatures on prescriptions. Sounds great. But how are NeHTA et al going to address the different state and territory requirements for computer generated prescriptions that, for example in at least one state, require, that S8 prescriptions also be handwritten!!!

Oh, we didn’t think of that!!

Andrew Patterson said...

Anonymous @ 5:43

Why do you think your signature on a paper prescription is not legally binding? I'm sure it has _some_ legal affect i.e. non-repudiation?

Anonymous @ 8:44

I'd think the signature is the exact opposite of what you said - surely it has quite good non-repudiation value but almost no ability to prevent tampering of scripts?

Anonymous @ 9:21

I'm pretty sure they do know about the S8 handwritten requirements. I certainly read some NEHTA/DoHA document from a few years ago that went and listed every statutory clause that was incompatible with e-prescriptions. But I think the feeling was that until there was a plausible 'replacement' electronic mechanism that some of the requirements would not change (especially around S8). But I think it would be wrong to say they haven't thought of it.

(sorry for the many responses but I am a non-involved, but interested observer in all the e signature stuff)

Anonymous said...

> Oh, we didn’t think of that!!

Actually, it's rather likely that they did. Consulting with the jurisdictions is something that NEHTA is good at. But unfortunately, since employees are not allowed to post here, the situation cannot be clarified. Nor can the actual outcome of considerations (remarkably, sometimes it's good to go with what you can get without waiting to solove everything. When orgnisations other than NEHTA do this, it's known as not letting the perfect get in the way of the good)

Anonymous said...

I said,

"non-repudiation is not achievable for a variety of reasons"

Andrew said:

"I'd think the signature is the exact opposite of what you said - surely it has quite good non-repudiation value but almost no ability to prevent tampering of scripts?"

umm, a digital signature is the context of this discussion. For an overview of the issues associated with non-repudation, see Schneier, Advanced Cyptography, or Ross Anderson, Security Engineering, or wikipedia hints at the issues:

*If* you can reliably source the certificate, then you can can detect tampering of the script. There's some issues around reliably sourcing the certificate, but that doesn't equate to "almost no ability to prevent tampering".

In particular, non-repudiation is essentially a legal question, and therefore needs a higher standard of confidence, that an anti-tampering mechanism which can mostly achieve it's goal by introducing uncertainty.

Andrew McIntyre said...

Well there is already a standard for Digital signatures in V2 messages that has been proven to work, but we couldn't possibly use anything that was proven and not xml based.

Anonymous said...

> that has been proven to work

you can excahnge it with yourself, but users can't verify that the what was signed matches what they got?

This is called "proven to work"?

Patto (was Andrew Patterson but too many Andrew's!) said...

Anonymous @ 11:30

Yes, sorry - you are right if talking about digital signatures. The original anonymous was talking about 'right now' so I was presuming they were talking about paper prescriptions and handwritten signatures - and was thinking your response was also talking in part about the paper world.


Sure, that's fantastic that even V2 has somewhere to stick the bytes that make up a digital signature - and good work to the authors for handrolling a canonicalization algorithm for each V2 message type - unlike those nasty XML people that just have a couple of standard one that works out of the box. But keep fighting the fight.

But also that's not really the hard bit about e-signatures, nor indeed the topic of the e-signature report so I'm not sure it's particularly relevant.

It's much more about establishing legal frameworks, and signature devices/dongles/process etc that meet the non-repudiation / identity etc levels that you require for different scenarios. I actually think the NEHTA report is quite good - it's not a 'solution' by any means but it is the kind of analysis that probably needs to be done to get to a solution.

Andrew McIntyre said...

Its amusing that there is doubt that its proven to work, given that it had the most scrutiny of any standard in years.

It uses Medicare PKI Tokens, which are available and out there now, so the infrastructure exists.

I am amazed at the denial of reality. We have had it working in referral for 5 years+.

Anonymous said...

What an enormous waste of time for NEHTA to spend on this. Didn't someone amongst their hierarchy say (and I paraphrase) "we are taking the lessons learned and 'best practices' from around the world so we don't go recreating stuff that has already been done"????

If so, why the heck are they recreating what has already been done? Idiots.