Tuesday, October 23, 2012

E-Health Gets Some Interesting Coverage From The Mainstream Press Again. Government Transparency Seems To Be Missing in Action.

The Australian has two related articles on e-Health in the IT Section today.
First we have:

No risk guarantee on e-health

THE Department of Health and Ageing has refused to guarantee that its much vaunted e-health record system is risk-free after more than 140 risks were identified before it went live on July 1.
The Gillard government's personally controlled e-health record system, developed by Accenture, contained a staggering 142 risks of which 32 were rated extreme, 77 high and 33 medium.
The detailed risk assessment study, obtained by The Australian, was prepared by the National E-Health Transition Authority (Nehta) and submitted to the Health Department and other relevant parties about two months before the July go-live date.
The department did not directly respond when asked to confirm that all the risks were resolved by July 1.
However, a spokeswoman said: "By July 1 we had safeguards in place to avoid those risks we identified from occurring.
"For example, to safeguard against security breaches, we have put in place strong encryption and firewalls and implemented all of the recommendations from (Defence's) information security manual," she said.
One severe risk cited in the report was individuals being granted access to health information they were not entitled to if the PCEHR registration process did not adequately authenticate a user.
The five consequences of such access included a user's safety being compromised or, worse, inappropriate medical treatment being given to an individual.
The report did not spell out that this could lead to death, but it is well known that people can pay a high price when they receive wrong medical advice or treatment. Another adverse result could be that an individual's privacy would be compromised.
The report also said that under these circumstances the Health Department could be exposed to legal action and penalties if deemed to be negligent.
Lots more here:
Second we have:

Medical agency blocks request for report's release

THE Department of Health and Ageing has refused to release details of a crucial risk-assessment study conducted by Ernst & Young on the personally controlled e-health record system.
The department's e-health division head, Matthew Corkhill, ruled that it was against the public interest to release the 21-page report, Assessment of PCEHR Information Security Threat and Risk Assessments, in response to a Freedom of Information request lodged by The Australian in July.
Mr Corkhill said the report, which recommends strategies to mitigate potential vulnerabilities in the PCEHR program, continued to inform the ongoing operation and management of the program.
He said it was prepared for the sole use of the department to provide advice and proposals in relation to information security risk-management processes for the PCEHR system.
More here:
Dealing with the second report first it seems to me that at the very least the Government should be releasing a summary of the findings with a summary of what has been done to remedy each of the issues identified. To just bat the whole thing away leaves the public with the sense that something is being hidden and this will only result in a lack of trust in the overall system. Openness is clearly the best policy in areas like this in my view.
On the first article again openness would have said - yes we had a lot of problems prior to ‘go live’ and here is how each of them has now been addressed. Given the rocky start from the ‘go live’ for the first few months it seems unlikely we are being provided with the whole truth on the status just prior to ‘go live’ and since that the date the silence has been deafening. We are no in the situation where really no-one outside Government has a clue as to what is going on.


Earl Hose said...

Also, on the Plibersek venture for national real-time prescribing access to detect abuse of prescription meds.
State not sold on tracking.

A spokeswoman for the Victorian Health Department said the idea of real-time reporting "isn't a silver bullet". "The viability of real-time prescribing is being tested in the market," she said. "There is significant detail to be worked through to ensure that the Tasmanian model can be implemented nationally."
There must be more behind this one.

Bernard Robertson-Dunn said...

re: http://www.theaustralian.com.au/australian-it/no-risk-guarantee-on-e-health/story-e6frgakx-1226500971872

A DOHA spokesperson said:

"As we've said before, the system released was safe and secure, as confirmed by the IT and cyber-security experts at the Defence, Finance and the Attorney-General's departments. The PCEHR system has high strength security features including extremely strong encryption and firewalls."

As usual, and as I've said before, they are treating the PCeHR as an IT system not a health information system.

I'd like to know if the following risk is included:

"There is a risk that unauthorised and/or not monitored people (i.e. the access is not logged and hence not on the audit trail) will be able to to see private information on unattended or unprotected devices that display ehealth information."

If it is, then I'd like to know the mitigation strategy for this risk.

The risks are all to do with information access and protection, not the system.

And it's also unrealistic to expect the "Department of Health and Ageing ... to guarantee that its much vaunted e-health record system is risk-free"

There is no such thing as risk free, only risk acceptance, risk mitigation and risk avoidance.

By (logically) centralising health information and making it easily accessible, the PCeHR increases the risk that the wrong people will get to see information they shouldn't.

It's how this risk is mitigated that matters. However, I have seen no evidence that this risk has been mitigated.

Anonymous said...

What has happened to that joker Charles Wright at eHealthCentral.

Occasionally I have visited his blog to compare the content and news that you provide and to check whether I am missing anything.

It is clear that Charles Wright was nothing but the cheapest of spruikers sponsored by NEHTA to create some positive commentary about their disappointing lack of achievement.

It is also clear that since NEHTA concluded their sponsorship of his blog that he has vanished.

If his blog was a car, then it would be a burnt out and abandoned wreck. The only thing missing is some spray paint vandalism and broken windscreen.

I lost all respect for Charles Wright once he started with the high-pitched and defensive shrieking on behalf of his sponsors.

Anonymous said...

I think the biggest and most likely risk is that there will be insufficient take up of the NEHRS to make it a goer, and that all that money, effort and opportunity will be lost. The mitigation is…

Anonymous said...

The money, effort and opportunity has already been lost, the smoke has just not cleared enough to survey the damage on the landscape. A very successful PCEHR would still be brain dead wrt advancing eHealth in a meaningful way as the core design is very flawed. Its not really useful for decision support or inter provider communication, which are the areas that the existing working technologies could have delivered with 1% of the money and delivered real benefits. Its another poll driven fiasco that chooses to thumb its nose at existing professionals talent in a very arrogant Yes minister kind of way. Lets hope that when it fails they will stop trying to "Help" us.

Anonymous said...

Anonymous said "I think the biggest and most likely risk is that there will be insufficient take up of the NEHRS to make it a goer, and that all that money, effort and opportunity will be lost."

That has always been the biggest risk to the entire venture, but no-one was ever prepared to take it seriously or entertain the idea at all because it wasn't politically acceptable.

And a DOHA spokesperson saying that the system was safe and secure because it has firewalls does not offer much solace to those who know that firewalls are only useful when configured correctly.
It can be as good as saying you have a front door but the windows are open.

As Bernard states, the risk of unauthorised people being able to see private information could be low/medium/high/extreme. Who knows. What's so wrong with telling the Australian public how their personal information will be protected from that risk? Especially if you want them to have confidence in this

Anonymous said...

Android apps leaking personal, banking details

The researchers created a fake Wi-Fi hot spot and mounted an attack that spied on data sent and received by the apps.


Anonymous said...

Referring to the “Plibersek venture for national real-time prescribing access to detect abuse of prescription meds Earl Hose said…..... There must be more behind this one. 10/23/2012 07:23:00 PM”

…… like the Drug & Alcohol bureaucrats refuse to engage with the private sector script exchanges which together are capable of delivering 95 percent of the total solution today.

Why? Simply a classic case of narrow minded, short sighted, obfuscation by the public sector, notwithstanding there are more death from doctor shopping than from road accidents.