Thursday, September 06, 2012

I Think This Makes It Clear NASH Won’t Happen Anytime Soon. The Have A Long Term Interim In Place!

I was wondering just what was going on with NASH, given the deep silence that seems to surround the topic.
It all became clear when I found this page:

eHealth Record PKI Certificate

The Department of Human Services (DHS) has developed an Interim Authentication Solution to support the launch of the Personally Controlled Electronic Health Record (eHealth Record) system on 1 July 2012.
The interim solution is a modified Department of Human Services PKI Certificate leveraged from the existing DHS issued PKI solution which is Gatekeeper Accredited, and as such has adequate protection capabilities to enable trusted connections to the eHealth Record System. This certificate can be used for the initial registration and setup stages of the eHealth Record.
The interim solution at this stage has been developed to meet the expected scale of the early adoption of the eHealth Record, and has not been developed to be used beyond PCEHR. Software vendors and providers, who choose to, can start using the interim solution for connection to the eHealth Record and replace it with a NASH PKI Certificate when it becomes available.
The interim solution has been made available to support the eHealth sites and software vendors that wish to continue to develop and gain experience with early adoption of the eHealth Record.
The interim solution will require healthcare providers, wanting to have early connection to the eHealth Record, to apply for a Department of Human Services eHealth Record PKI Certificate. The certificate can only be used to connect to the eHealth Record system. The certificate cannot be used to connect to the HI Service or the Department’s online claiming channels.
Healthcare Providers
Healthcare Providers who require a Department of Human Services eHealth Record PKI Certificate can apply by completing the appropriate form below. Individual healthcare providers (HPI-Is) can request a 'Department of Human Services eHealth Record Individual PKI Certificate' and healthcare provider organisations (HPI-Os) can request a 'Department of Human Services eHealth Record Organisation PKI Certificate'.
Short description of form
For individual healthcare providers to apply for an eHealth Record PKI certificate.
For healthcare organisations to apply for an eHealth Record PKI certificate.
For further information about participating with the eHealth Record visit the eHealth website.
Software vendors
The eHealth Record Test PKI Certificate kit for software vendors developing for the eHealth Record can be obtained by contacting the Department of Human Services Online Technical Support (OTS) Liaison Team on by emailing
Your email should contain a request for the eHealth Record Test PKI Certificate kit and your contact details. An application will be sent by OTS for you to complete. Once your application is processed an eHealth Record Test PKI Certificate kit will be mailed to you.
Any further questions can be directed to DHS's OTS Liaison Team on 1300 550 115 or
The full page is here:
My only question is just why was the NASH Project pushed on with rather than adapt and modify what had already been built and seemed to be working?
A coherent answer would be great!


Anonymous said...

Good old Human Services! They seem to be building all the tricky risky bits for the NEHRS that have failed elsewhere. They have the HI Service (modified now to allow for the NEHRS), and now they have saved the day with the interim NASH. I think they also run the national Health Service Provider Directory. And they do the identity proof when consumers register for their PCEHRs.
Why didn't we get Human Services to build the whole NEHRS system then?

Anonymous said...

It is ironic that DHS was overlooked for NASH functionality in the first place (even though it had a lot of it already in place) because its certificate model was not considered "adequate" (whatever that meant). Not good enough to be selected to do the job but good enough for a bail out!

Anonymous said...

There is one problem David ... the interim PCEHR PKI solution does not support Contracted Service Providers, leaving one part of the health sector without access to the PCEHR.

Anonymous said...

The model in place does support contracted service providers. They are not supported through NASH - but they weren't in the original NASH design either. There are certificates and policies in place to permit secure CSP connectivity using other certificates.

Bernard Robertson-Dunn said...

Anon said:

"...the interim PCEHR PKI solution does not support Contracted Service Providers, leaving one part of the health sector without access to the PCEHR."

So in what way has the PCEHR been full delivered?

Isn't this a bit like the Yes Minister hospital being complete, except for patients? It's been delivered but can't be properly used.

Anonymous said...

Anonymous from 8.26 AM is talking through his hat.

The NASH issued test CSP certificates and had undertaken to provide production CSP certificates - before it disappeared from view.

I would like the author of this comment to describe in this blog exactly how a CSP can connect to the PCEHR and view and submit documents using "certificates and policies in place".

Anonymous said...

"Yes Bernard"!!!


Keith said...

I'm surprised that David has just one question - this development raises several questions in my mind.

1. Where does this leave eHealth in this country? Forget the PCEHR. What about Secure Messaging? What about Electronic Transfer of Prescriptions? I'm fed up with the way that fixation on the PCE-bloody-HR is sucking the life out of every eHealth initiative that could actually make a difference to patient outcomes and practitioner workload.

2.For which purposes is the "interim NASH" safe and appropriate to use? On NEHTA's website is a useful document called "Certificates and Secure Messaging". Although it is two years old and written in the context of SMD the document contains useful information about what a certificate contains, the different types of certificates and what they can and cannot do, and the different purposes for which various certificates are applicable. I'd like to see a similar document written for the PCEHR and its security solutions both interim and permanent.

3.One would expect that every aspect of NASH would be subject to the closest scrutiny and the highest levels of accreditation before going into service. Have the same standards been applied to the interim solution? "Interim NASH" is likely to be an outgrowth of a service provided for the lead sites, and may not have been subject to the same standards as a service designed from scratch for production purposes.

4.NASH is now about three months overdue. (We don't know when was the original date in the contract, but as NASH is a prerequisite for NEHRS, the date had to be BEFORE 1st July.) What is the revised delivery schedule? As sponsors of this costly exercise the public is entitled to know.

Anonymous said...

"how a CSP can connect to the pcehr...using certificates and policies"
Connecting or participating in the pcehr is a separate thing to using a certificate to sign a message or transaction. For example, a Csp may act on behalf of a health care organization to post a Document to the pcehr- the document may be signed with the certificate of the health care org, and the transaction to post may be signed with the certificate of the Csp. A Csp must have authority from a health care org to connect and transact on their behalf. So why is it not possible to use the interim NASH for both reasons?