Tuesday, February 19, 2013

For The Record - Senate Estimates Transcript From Last Week On E-Health. (13/02/2013)

The .pdf (134 pages is here - P78 where e-Health starts.)
Topic covered include discussion of current registered numbers, software readiness, cyber security, why we got stuck with Australia.gov.au and patent issues.
Certainly worth a browse.
Here is the relevant transcript.

Parliamentarians.

Fierravanti-Wells, Sen Concetta CHAIR
Siewert, Sen Rachel
Williams, Sen John
Furner, Sen Mark
Smith, Sen Dean
Brown, Sen Carol

Public Servants Involved.

Outcome 10
Ms Mary McDonald, First Assistant Secretary, Regulation Policy and Governance Division
Ms Jennifer Chadwick, Principal Adviser
Ms Beryl Janz, Assistant Secretary, Governance, Safety and Quality Branch
Mr Nathan Smyth, First Assistant Secretary, Population Health Division
Professor Rosemary Knight, Principal Adviser
Ms Alice Creelman, Assistant Secretary, Cancer and Palliative Care Branch
Ms Linda Powell, First Assistant Secretary, eHealth Change and Adoption, eHealth Division
Ms Fiona Granger, First Assistant Secretary, eHealth Development and Operations
Ms Liz Forman, Assistant Secretary, eHealth Strategy and Policy Branch
Mrs Sharon McCarter, Assistant Secretary, eHealth Development and Engagement Branch
Mr Matthew Corkhill, Assistant Secretary, eHealth Operations Branch
Ms Janet Anderson, First Assistant Secretary, Acute Care Division
Mr Charles Maskell-Knight, Principal Adviser, Dental Branch
Dr Andrew Singer, Principal Medical Adviser
Parliamentary Secretary for Disabilities and Carers
Output Group 10.2—e-Health Implementation
National E-Health Transition Authority
Mr Peter Fleming, Chief Executive Officer, National E-Health Transition Authority
Mr Chris Hale, Chief Financial Officer, National E-Health Transition Authority
Dr Christopher Mitchell, Head of Adoption, Benefits and Change, National E-Health Transition Authority.
----- Begin Transcript
Senator FIERRAVANTI-WELLS: I might ask some questions on the PCEHR. What is the current number of PCEHR user sign-ups?
Ms Powell: As of yesterday, there were 56,761.
Senator FIERRAVANTI-WELLS: I think the targets in the 2012 portfolio budget statement of half a million sign-ups by 2013 are very ambitious, I would have thought, with 56,000. You are clearly not going to achieve that target. You cannot be that optimistic.
Ms Huxtable: Senator, I think we went through this at some length at the last estimates. I would have to say that much of what I said at the last estimates would still stand. The figure of 500,000, I think as I said last time, was a figure that related to our expectation based on international evidence around what we could expect in the first full year of operation. As you know and as we have provided evidence before in this place, the process of rolling out the PCEHR has been an evolutionary one. We started with a capacity to register from 1 July. Some time after that—I think it was in mid September or the end of August—the provider portal went live. We have been working with NEHTA on the GP software interface so that within GP software products there could be the capacity to view the PCEHR and interface with it—upload documents and the like. That process has been ongoing. But we are now, I think, in a very positive space in terms of the GP software providers, where 90 per cent, from memory, of the software that is used by general practice, if that makes sense, has now incorporated the PCEHR into their software. That is now being made available to practices. So I would say that in our evolutionary path we are well and truly down that path now. Of the registrations that we have to date, there has not been, I guess, a big push for registration. So a lot of these have been almost a natural process that has occurred. Certainly we have been working with the e-health sites to encourage registration, but getting that GP software in place is the time when you can get the real value of the record. So this is the time when that push can really begin. So I do not think that the figure of 500,000 in the first full year of operation is still achievable. I would argue that we are really now in a place where we are beginning to see the more comprehensive, I guess, operation of the PCEHR system, not just registration but also clinical use.
Senator FIERRAVANTI-WELLS: So there is the sign-up. In terms of the health summaries that have been put on, you gave me an answer to a question that some summaries have been uploaded from pilot sites ahead of the planned rollout of clinical software to connect providers to the system. How many health summaries are we talking about?
Ms Huxtable: At this point there is a fairly low number of shared health summaries because we are in the early stages of GP software having the capacity to upload shared health summaries. There is a fairly high number, I would say, of consumer entered documents. So the record is populated with a variety of documents, or has the potential to be, some of which are generated by clinicians and some of which are generated by consumers. In addition, there are Medicare documents, which include the information where someone says, 'Yes, I want my MBS and PBS information in my record.' That is drawn from the Medicare site into their record from the Medicare databases. There is a very large number of documents in that regard.
Senator FIERRAVANTI-WELLS: Has any money been provided to Medicare Locals or other organisations to help them promote the registration process?
Ms Huxtable: There has been money provided to Medicare Locals for a variety of things, not only supporting registration but actually predominantly around supporting practices and helping practices get ready for participation in the PCEHR.
Senator FIERRAVANTI-WELLS: The answers to questions on notice on Medicare Locals we will come to later. The answer that you gave me at E12267 on Medicare Locals refers to core funding to support their operational costs, including administration and management. Would those sort of funds be included there?
Ms Huxtable: I might have to look at the actual question because I am not sure if that is a question about Medicare Locals more generally or whether it is about e-health in particular.
Senator FIERRAVANTI-WELLS: I asked: for each Medicare Local, how much funding is being provided for admin and management each year over the forward estimates? I have just asked about money going into Medicare Locals to promote a PCEHR registration process. Would that be contained in any moneys for administration and management or would it be over and above that?
Ms Huxtable: Over and above, on advice from my colleague.
Senator FIERRAVANTI-WELLS: So home health practitioners have signed up?
Ms Powell: We have over 1,000 health organisations registered to use the PCEHR. In fact, it is 1,171. Over 1,000—again, 1,325—individual health providers have been given authorisation links who work within these organisations.
Senator FIERRAVANTI-WELLS: So how many practice management software companies are now compatible?
Mr Fleming: In terms of the GP desktop, there are two companion tools—HIE and Pen—that operate in seven practice management packages. This is for GP desktop. They are all compliant with the specifications and represent probably about 98 per cent of software on GP desktops.
Senator FIERRAVANTI-WELLS: So 98 per cent of the practice management software is compatible?
Mr Fleming: I can give a specific example there. I was in HCM's offices last week. They are the major vendor in this space. They represent probably somewhere in the order of 50 per cent. They have updated their systems, like the others. They were able to tell me at the time that 1,400 of their customers have taken the latest release and upgraded their systems. There is a process from when the software is updated to when it gets loaded onto the computers.
Senator FIERRAVANTI-WELLS: So only two per cent of the market share of software out there is not compatible?
Mr Fleming: Correct.
Senator FIERRAVANTI-WELLS: So when will Medical Director software be health compatible?
Mr Fleming: It is compatible.
Senator FIERRAVANTI-WELLS: Best Practice software?
Mr Fleming: It is compatible.
Senator FIERRAVANTI-WELLS: Can you just explain to me why there has been so much delay in the major practice management software providers becoming compliant considering the PCEHR launched on 1 July?
Mr Fleming: A number of steps are required in rolling out these systems. Provider software is one of the last steps and, indeed, registration after that, because it needs to be in place. I will put it in perspective. The things that all these vendors have done is they needed to make changes to their systems to get connectivity in there both ways. They needed to make changes to their systems to allow the uploading of shared house summaries, the creation of event summaries and the creation of the ability to send and receive discharge information. A huge number of changes to those systems were made and then needed to be tested both within the environments we set up and within the local environments before they roll out on a larger scale.
Senator FIERRAVANTI-WELLS: Mr Fleming, these applications that we are talking about may be compliant and compatible, but have they been released for GP usage?
Mr Fleming: Absolutely. So in each case, each of the vendors—Genie, Best Practice, Zmed et cetera—have upgraded their systems and have released them, and they are being rolled out on a very large scale.
Senator FIERRAVANTI-WELLS: So can you just explain to me why you did not ensure that the practice management software was ready for the 1 July launch? It would have been a more prudent approach, would it not? You cannot release on 1 July and not have your practitioners able to use it.
Mr Fleming: Look, there are many, many steps in this program.
Senator FIERRAVANTI-WELLS: I know. We have been following them over years and years, Mr Fleming. We have heard it all before, but, anyway, go on.
Mr Fleming: The reality is that this is one of the final steps in there.
Senator FIERRAVANTI-WELLS: You mean we are almost at the end?
Mr Fleming: We are. We are getting registrations. It is flowing through, absolutely. So the infrastructure is in place. We are now in a good position to be taking those registrations and providing meaningful use.
Ms Huxtable: Senator, can I say too that we are talking here about the PCEHR, but there are also other dimensions to electronic health. The foundations to enable those dimensions to work appropriately have been the things that have been worked on now over some years. They are very complex issues. One is the health identifier service, for example, which, as we know, is a fundamental precondition for PCEHR. But equally it is required for secure messaging to work appropriately. So we are seeing many of the features that have been worked on, yes, for some time, not just in a PCEHR space but more broadly. Mr Fleming can talk about the foundation solutions that NEHTA have been working on that are really getting to the point where we see they are coming into fruition now and can see the benefits being realised coming out of that.
Senator FIERRAVANTI-WELLS: Can you explain to me why it is mandatory for users signing up for their PCEHR to also be forced to sign up for an Australia.gov.au account?
Mr Madden: We used the Australia.gov.au sign-on logon process so that we could actually start to follow a whole of government pattern to provide a single sign-on service for people in Australia to connect to securesystems supported by government. We could have had an option where the e-health program created its own user ID and password regime, which then means consumers who use online tax services, online Centrelink services, online Medicare services and online health would be confronted by a set of regimes where they have to prove their identity over and over again and have the problem of trying to remember the passwords for these things they might use infrequently. So this is part of a whole of government development where we are all trying to get to the stage of proving your identity once so that you can then have a relationship and a connection and interaction online in a secure way with any one of the agencies that are part of that scheme.
Senator FIERRAVANTI-WELLS: And so at what point was this decision made?
Mr Madden: To use Australia.gov.au?
Senator FIERRAVANTI-WELLS: Yes. And to make it mandatory for people to go via that route?
Mr Madden: That was worked through in the concept of operations and was consulted quite widely.
Senator FIERRAVANTI-WELLS: What was the date?
Ms Huxtable: That was several years ago.
Mr Madden: It was 2011. The month we can probably find. It was in the first four to six months of 2011.
Senator FIERRAVANTI-WELLS: Was that a decision of government or a departmental suggestion?
Mr Madden: It is government policy to bring together whole of government services for the benefit of clients. This was put in as a suggested means of gaining access to the PCEHR through the concept of operations. It was then consulted through the clinical advisory groups, through the industry advisory groups, the IT industry and taken to the consumer forums as well, again as part of the overall concept of operations.
Senator FIERRAVANTI-WELLS: So at what point? You said December. Did you say December 2011?
Ms Huxtable: No. He said 2011.
Mr Madden: It was probably in the first four months of 2011. I cannot bring to you right now which month we finally signed that off.
Senator FIERRAVANTI-WELLS: So was this decision publicly communicated to the prior commencement date of 1 July? You said early 2011. At that time was it publicly communicated?
Mr Madden: It was publicly communicated through the concept of operations, which was the consultative vehicle to get to all of those communities and industries to tell them how this whole thing would work.
Ms Huxtable: Including to the general public. The concept of operations was a public consultation document.
Senator FIERRAVANTI-WELLS: Can you explain the claims that the PCEHR infringes on patents filed by My Medical Records.com?
Mr Fleming: It is probably best, Senator, if I answer that. We first heard about that on 7 February, when an article dated 5 February in America came to our attention. MMR Global has never contacted us at all. Indeed, our understanding is that they are investigating a potential claim but have nothing solid.
Ms Huxtable: That is what the article says.
Mr Fleming: From 7 February, we have obviously taken a look at their patents both from an architectural and a legal perspective and have briefed our lawyers to investigate. But certainly this company has not contacted us at all.
Senator FIERRAVANTI-WELLS: So you are confident that no patents have been infringed while creating the PCEHR?
Mr Fleming: We have gone through a very detailed process. As Mr Madden mentioned, we went through concept of operations. We undertook a very detailed analysis through external parties of the standards in place around the world. So we have every confidence in our process. However, we also accept legal processes and nuances so we have briefed our lawyers. We have asked them to do further investigation. They are working with our architects at the moment. As I said, the first we heard of this was on 7 February, so late last week.
Senator FIERRAVANTI-WELLS: I do not have any further questions. In the absence of Senator Boyce, that is it, unless some other senators have questions.
Senator FURNER: I might just go through some of the stats first on the EHR when it came into place. What is the current uptake in terms of applicants that have taken up EHR?
Ms Powell: We have over 56,000 consumers registered for the PCEHR. In fact, it is 56,761. We have 1,171 health care organisations registered to use the PCEHR. We have 1,325 individual providers for whom authorisation links have been established with one or more of those organisations.
Senator FURNER: Can you explain to the committee the difference between the providers and the health organisations, please? I understand what the health organisations are, but can you cover off for us the providers.
Ms Granger: There are two participants from the health care community in the system. One is the health care provider organisations. So that is hospitals, GP practices et cetera. The other is the individual providers who work or contract with those organisations.
Senator FURNER: The 5,661 registered—
Ms Huxtable: It is 56,761.
Senator FURNER: How did they get online? Was it a process of them having a one-on-one meeting with their doctor or their hospitals?
Ms Powell: There are three main ways that people will register for the PCEHR. One is directly online through the Internet through what we call the consumer portal. About 76 per cent of people register that way. So you can just go on through ehealth.gov.au and go through the registration process yourself. You can also—
Senator FURNER: How long does that process take online? Is it a simple process?
Ms Powell: It depends if you have all of your information to hand. You need to have enough information to be able to verify your identity. So you need to have your Medicare number, for example. Then there is a range of different questions that you might be asked to verify that you are who you say you are.
Senator FURNER: I might go through that process with you so I understand. I guess once you are registered, like any registration on the Internet, you set up a bit of a page or an entry and you can add to that along the process of personal medications or those sorts of things?
Ms Powell: In terms of the registration process, again, it also varies depending on whether you already have an Australia.gov.au account, for example. So when I set up my account, I had to create an Australia.gov.au account. Then that linked through to my Medicare account and created my own record. Once you have that record, it will ask you what you would like to have included. So it will say, 'Would you like all of your MBS Medicare billing information uploaded?' You can also upload your PBS information, which is a record of what pharmaceuticals have been dispensed that have been covered by the PBS. There are places where you can put whether or not you want to be an organ and blood donor. You can put immunisation records on there. There are places where you can make your own personal notes. They are things that you can do as a consumer which are in addition to the event summaries and the other information that will be put up by your health care provider.
Senator FURNER: That is interesting. You are prompting me to ask many questions as a result of your answers. If you register to be an organ donor, you then need to get some sort of recognition or acknowledgement from your family. Is that correct as well?
Ms Powell: Without wanting to go into another policy area, I understand it is very wise to let your family know of your intentions because they will be the decision-maker at the time. You can also register separately for the organ donor register.
Senator FURNER: So you are up and running on the net. Do you need a user name and password and all those sorts of things that generally come with becoming registered online?
Ms Powell: What you normally get is you get your Australia.gov.au logon and you get a password that goes with that as well. When you are actually using the system with the GP, if the GP is using the system too, they will have your information in front of you and you, of course, will not have to log on because it will be automatically opened through the GP software within the practice.
Senator FURNER: So essentially you could have an online registration without doing it through your home, for example? I am thinking of probably my dad. He does not own a computer. If he wanted to become an e-health user or recipient, he could go to his GP and say, 'Okay, I want to be registered online and I want to have a site or a registration so I know if I am travelling up north and I am injured in a motor vehicle accident, the hospital up there can get my e-health records through you.'
Ms Powell: That is right. So we talked about the online registration. I think you asked about the different ways that people can register. You can also register through what is called the administered portal, which is where you can ring, for example. The Department of Human Services has a phone line and they will help you and walk you through that process. You can also register at some of the health care providers. We also have what we call an assisted registration tool, which is a streamlined approach for organisations that already have a good sense of your identity. So the proof of identity requirements for the individual are less where they are a known customer. For example, you might be registered at the hospital or at your local GP. There may be someone there who steps you through the process. That just takes two or three minutes if you are already a recognised person there.
Senator FURNER: And what has been the uptake of those processes of registration?
Ms Powell: The administration portal accounts for 16 per cent of registrations. The assisted registration tool is eight per cent. I might add on that last one it has only been in operation this year. It is something that we have been trialling at a number of places around the country. It has proven very successful. We are looking at what we can do to broaden the take-up of that.
Senator FURNER: And are recipients encouraged to register through that process—the seven per cent?
Ms Powell: It tends to be opportunistic registration. So, as I said, we have only just been trialling it. It is now readily available to organisations that registered as healthcare providers for this purpose so they can all take this up. But that has only happened in the last couple of weeks. So what might typically happen is you might be sitting in the waiting room at the GP surgery and someone at the Medicare Local may have sent someone out to talk to people while they are there. They may sign them up while they are waiting, or their GP might suggest to them during the consultation, 'This is a really important thing. When you go out, there is someone sitting there and they will sign you up.' And that has proven very popular and very effective.
Senator FURNER: I know you covered off on information and things like that. But let us say they had an adverse reaction to some medication or something like that or they return home from being treated by their GP and they have an adverse effect from the treatment. Can they enter their notes in respect to their experiences online as well?
Ms Powell: That is right. Consumers can enter their own notes as well as, obviously, the healthcare provider can enter that. So we would hope that one of the things that would be incredibly useful coming out of this is, in fact, adverse drug reactions and allergies and things are something that would be automatically put on the record. As you said, if you find yourself in an emergency department in a strange town, you do not have to remember in your sick state what drugs you are on or what you are allergic to and those sorts of things.
Ms Granger: And there is a special part of the consumer entered notes in the record that has both their medications and an adverse reaction they have observed, and their clinicians are able to do that.
Ms Huxtable: I will add a little to that. There are two ways that consumers can enter notes into the PCEHR. There is a consumer-entered health summary, which can be viewed by the provider. There is also an area for just consumer-entered notes. Almost for your own purposes you can keep a bit of a diary of your blood pressure or whatever it might be so that you have a place where you can go and keep your own information around your general health.
Senator FURNER: Can the providers access the records without the consumer's permission?
Ms Powell: No. The consumer controls who has access to what information. So when you create your record, you can say, 'All healthcare providers can have access to this' or you can say, 'This one, this one, this one but not this one' or you can just say, 'This group and nobody else.' And you can change that as you want to as well. So you do have control over who has access to it. There is also an audit trail so that it is possible to tell who in fact has accessed your system.
Senator FURNER: So if they cannot access it, how is it the case that you have an audit trail where you can identify who has accessed it?
Ms Huxtable: This is an audit trail that the consumer can see. So when you go in through the consumer portal to view your record, there is an audit log in there and you can see who has accessed your record. You can identify from that whether an external provider has accessed your record and you have not gone to that provider so you have a means to say, 'Well, what is going on here?' It is a fairly standard way to give assurance around security of the record.
Senator FURNER: I will go to the security and privacy part of the e-health record. You have covered off on some of that already with regard to the audit trails. What sort of firewalls or IT protection does it have in place to make sure that people are not accessing your file or providers' files to gain information about your residence or your past medical history and those sorts of things? What have you got in place to protect the consumers?
Mr Madden: The government has security and information and cyber policies around data and the protections it will be put to. They are prescribed by the Defence Signals Directorate. The make-up of the data centre, which is housed by Telstra in Melbourne, needs to meet all of the strict requirements for firewalls—the ability to detect attacks and the ability to detect out of pattern traffic. So millions of calls coming through could be an attack on the service. Those things are monitored 24/7, and there are some pretty complicated analytics that start to build those patterns. Each of the records is connected to the identity of the patient and all of them are kept in their own
little bundles according to patient identity. So we have the audit logs to be able to identify who has looked at those records to check if there has been an incorrect viewing of the records.
Again, for things where consumers need to log in, they need to use their Australia.gov.au identity plus their own password that they have set to gain access to their own record to be able to put the settings in in the first place about who is allowed to look at it, put in their own consumer entered information and nominate GPs or health professionals who might have access to certain records or certain types of records. The GPs themselves have access to an authentication credential, which is a digital certificate—the national authentication service for health. They need to prove their identity as general practitioners or healthcare providers to the health identifier service. On the basis of that, we issue them with a token credential, which in an electronic sense means it lives inside their network or their GP software. So they have then got a password that they then need to use to connect to the servers to prove or authenticate who they are to get access to those records.
So the overall security regime meets our national e-authentication framework requirements and meets all of the cyber and protective security and information security procedures and guidelines. There is an accreditation process that is governed through an accredited set of assessors that are accredited through DSD to undertake those reviews. We need to get a sign-off of the overall security regime across the whole system. We did that at the first release. We did that at the next major release, where we changed functionality. We need to do that either annually or when we make significant changes to the system. But part of those policies means we have got ongoing and 24/7 surveillance of all activities across the whole network to be able to detect anything that kind of looks out of the odds.
Senator FURNER: Does the system have capabilities like something similar to other fields, where someone tries to log on, say, three times incorrectly and you are blocked out for a period of time?
Mr Madden: We have a system whereby you are allowed a number of attempts using your user ID and password. If you fail, there is a point where it will lock your record for a period. If people have remembered their password incorrectly, there are mechanisms for them to go and reset their password again, again by proving their identity through some shared secrets they set up in the first place.
Senator FURNER: Have there been any detected cyberattacks on the system at this point in time?
Mr Madden: No.
Senator FURNER: There has not?
Mr Madden: No.
Senator FURNER: Does that surprise you?
Mr Madden: No. The way that we would determine and report on a cyberattack is one that has had some impact on the service. I guess what we do have is a series of defensive pieces within the firewall and the architecture that make it fairly secure. But, again, the surveillance operations mean that if we do detect particular things that look like out-of-pattern messages from what I would call an unidentified IP address, for example, they kill those messages as they come as opposed to saying that was an attack. So they could be misdirected inquiries to the service. They could be a whole range of things, but nothing that we would detect as a cyberattack.
Senator FURNER: In 2012, there were several news channels indicating that there will be reported cybersecurity attacks in Queensland general practice.
Mr Madden: We are aware of the GP cyberattacks. That was probably more what is known in the industry as a trojan, where some spurious code has been downloaded into their network or to their servers and has taken over control of parts or all of their systems. Those attacks were not directed or did not come through any of the e-health or any of the government connected services. That is unfortunately just a factor of life in cyber world, where we have people who make an industry out of those things and another industry that creates remedies to those particular problems. But while those things probably were made prominent in the media because they were towards general practices or people in the health industry, I think you will find there would be equal if not more calls for those sorts of attacks in other industries and private homes.
Senator CAROL BROWN: Earlier we were talking under the paid care area about the expansion of the electronic advance care plans. They said that I needed to ask these questions in this outcome.
Ms Huxtable: Yes. That is correct.
Senator CAROL BROWN: I am particularly interested in where we are with the expanded deployment of the electronic advance care plans. Are you able to give me just a general overview to start with?
Ms Powell: Sure. You would be aware that we did have the Cradle Coast program, which I know Ms Huxtable talked about briefly this morning. We are spending a small amount of money this financial year tocontinue the operation of the advance care plan clinical repository, which was established as part of the Cradle Coast connected care e-health site. That funding will go to the Tasmanian government and that is for this financial year. Following that, as part of the Tasmanian package, there are a number of elements that we will be working on, which will include making advance care plans available through the shared electronic health record. It will look at putting together a repository to store these and develop an advance care planning tool that is going to be useful to everybody. That package is something that we are working through with the Tasmanian government at the moment. We do not have the details of that finalised, but we are talking to them about exactly what form that will take and look like over the next couple of months.
Senator CAROL BROWN: Is there any expectation of when that might be complete?
Ms Powell: The funding for the package—
Senator CAROL BROWN: When are we looking to have the deployment rolled out? When is the commencement date?
Ms Powell: The advance care planning facility in the Cradle Coast is there now.
Senator CAROL BROWN: The expanded rollout.
Ms Powell: The expanded one will not start before July because that is when the funding starts to flow. We are working with the Tasmanian government now to work out priorities and implementation plans and exactly what we want that to look like. That will take some time. I do not imagine it will be all go on 1 July, but that is when the funding starts from.
Senator CAROL BROWN: So how are we envisaging the rollout to take place? It will not be in all Tasmanian aged-care facilities, will it?
Ms Powell: At the moment it is in four.
Senator CAROL BROWN: They are all in the Cradle Coast area?
Ms Powell: All in the Cradle Coast area; that is right. How fast and where it rolls out is something that we will need to agree with the Tasmanian government. We are still having those conversations with them. We met with them last week about it and we are meeting with them again on Monday.
Ms Huxtable: But I understand that the intention is that it will roll out to a much larger number of residential aged-care facilities than the four which are currently able to access the service.
Senator CAROL BROWN: But were you looking for facilities across Tasmania, not just up in the north-west region?
Ms Powell: That is right. That is what we will be talking about. I am just being very cautious.
Senator CAROL BROWN: But limited?
Ms Powell: It is not limited in any sense, no. There are no limitations that we are putting around this.
Senator CAROL BROWN: But the aged-care facilities have to sign up?
Ms Powell: They will need to want to participate, yes. The government will need to support them as well.
Senator CAROL BROWN: Do they have to invest in any sort of electronic technology in their aged-care facility? How do they sign up for it? There is a lot of interest, obviously, in this project back home. So how does an aged-care facility sign up to be part of the expanded deployment?
Ms Powell: No rules have been set about that. But my expectation would be they would need to commit time and staffing resources to training, learning the systems and understanding the process and how to use it. So there would be that kind of investment on their part. In terms of the actual details and the technology that sits behind that, that is something that I do not think we are in a position to know yet. But there is quite a bit of money to support that.
Ms Huxtable: I will add to Ms Powell's response. We do have some experience here because we have had the e-health site at the Cradle Coast operating. So obviously as part of that, aged-care staff were receiving training in recording residents' wishes, and communication between staff, families and doctors improved. In fact, there have been some very positive outcomes from what has already occurred in the Cradle Coast. I know one of the anecdotal things that has been put to me is that those facilities have found it easier to attract general practitioners to come and provide care in their facilities, presumably because they have better access to information than they had previously. There was a fairly small evaluation done which, I think the University of Tasmania was involved in. It showed that there was a 71 per cent decrease in presentations to the north-west area health service over a three-month period from the residential aged-care facility. The degree to which we can say that directly links to the operation of the wave site, I do not know. But it is an interesting confluence of events.
Senator CAROL BROWN: Those are the sorts of messages I am getting back. You can understand why people are very excited about an expanded deployment. So you are looking for the deployment to start on 1 July. When you say 1 July, what does that mean?
Ms Powell: That means that the funding is available from 1 July.
Senator CAROL BROWN: On the ground, what will that mean? Is that when aged-care facilities will be able to put up their hand?
Ms Powell: We are not at that stage yet. We are still having conversations with the Tasmanian government. We have not agreed on an implementation plan or time frames or anything like that, so I am just not able to answer that.
Senator CAROL BROWN: So you are not able to say whether it is going to be limited to a certain number of aged-care facilities?
Ms Powell: No. But there are no constraints that we are putting around the conversation, and we expect that we will look at the whole of Tasmania.
Senator CAROL BROWN: Well, there is the funding. We are looking at $11 million, I think.
Ms Huxtable: I think there are a number of elements to the e-health part of the package. For example, my recollection is that one of the elements is to get NEHTA to do some work around national specifications around advance care plans so that electronic copies of the advance care plans can sit within someone's electronic health record.
Senator CAROL BROWN: I wanted to go through those other aspects of the e-health initiatives, but this one was about palliative care.
Ms Powell: You are quite right. Eleven million dollars has been set aside for the palliative care component. The sort of things that it might be spent on are things like training for residential aged-care facilities developing conformant software, operating the repository, enhancing the infrastructure to support the aged-care plans, developing specifications and standards and obviously the implementation.
Senator CAROL BROWN: So it is all on track. You are happy with how it is all proceeding with the Tasmanian government?
Ms Powell: Yes. We have been having very positive conversations with them. As I said, we had nearly a full day workshop last week around how this would go. We are meeting with them again on Monday. We will continue meeting because there are a lot of things to sort through, including agreeing how, when, priorities, orders, timing and those sorts of things.
Senator CAROL BROWN: And so those meetings take place in Tasmania?
Ms Powell: Not yet. No, they have all been in Canberra.
Senator CAROL BROWN: You may have already covered it in the previous questions, but I did want to touch on the e-health initiatives that are funded under the Tasmanian health assistance package. I am sorry if you are going over old ground. My understanding is that about $37 million has been allocated under the package over a number of years. Would you be able to go through each of those elements for me?
Ms Powell: Certainly. We have already talked about the advance care planning and the palliative care service delivery program, which includes a small amount of money for this financial year to maintain the repository.
Senator CAROL BROWN: So is that $11 million included in the $37 million? How much overall, because I thought that $11 million was put in the palliative care area, but it just happened to be an e-health initiative?
Ms Powell: I will go through each of those components with you. We have $19.3 million which has been set aside to enable public hospital connection to the PCEHR system. The sorts of things that that might cover is upgrading the Tasmanian public hospital clinical software to be PCEHR conformant; deploying the PCEHR system conformant software into the Tasmanian hospitals; and upgrading infrastructure that might be associated with that. There are some ideas that we are developing that we need to test and talk through with Tasmania. So this is not the hard and fast proposal; these are just the sorts of things that we are thinking about. But we are looking at trialling the use of mobile devices, such as iPads and tablets, within the hospitals to connect to the PCEHR system so that it can be used by clinicians as they wander around the wards. Another is trialling processes for assigning individual healthcare identifiers to newborns in the hospital setting. We are very keen to do some awareness raising and education of hospital staff to support their participation in the system as well as other healthcare providers and patients. There is going to need to be some coordination by NEHTA to facilitate the deployment of upgraded clinical software in other public hospital systems and documenting the lessons that we
have learnt from this so that we can share those benefits with the rest of the country. Obviously, there will be some evaluation of all of that.
Senator CAROL BROWN: So that particular initiative is expected to be commenced in 2014?
Ms Powell: Yes.
Senator CAROL BROWN: So June?
Ms Powell: Well, for all of these, the story is the same. The funding is available from 1 July. We are working up the details around implementation between now and then. As part of that work-up, we have been agreeing with the Tasmanian government things like implementation time frames and priorities.
Senator CAROL BROWN: So how far are we along in terms of consultations with the Tasmanian government on this initiative?
Ms Powell: Of the meetings that I have referred to, we have had two meetings with them this year.
Senator CAROL BROWN: So those meetings actually talk about all of the e-health initiatives?
Ms Powell: Yes, amongst other things, yes. But we have been talking about these initiatives with them last week and we will be talking about them again and we will just continue. So we do not have agreement on the scope or anything like that yet.
Senator CAROL BROWN: Have any particular challenges come out? With the public hospital initiative and the person who controls the electronic health records system, are there any challenges in terms of the software that the public hospitals use in Tassie?
Ms Powell: There is nothing I could point to. But I think we are a long way off having those levels of conversations around the detail. But certainly my experience since I have been working in this area is that there are always a myriad challenges around the software.
Senator CAROL BROWN: Mr Fleming seems like he wants to tell me something.
Mr Fleming: There is an overlap here between the Tasmanian package and the NEHTA program. As you would be aware, NEHTA is owned by the Council of Australian Governments, of which Tasmania is obviously a key component. Within that context, we are working closely with Tasmania. We are working with their IT teams there and obviously have a reasonable cognisance of the systems in there. We would expect by around about the middle of this year—between June to September—certainly one of the first things you will see flowing through is that all of Tasmanian public hospitals will be capable of posting discharge information through to the person who controls the electronic health record. In order to achieve that, it also means they are utilising the HI system and a number of other key components. So we are not starting from a zero base. Let us see how we move that forward. Certainly from a Tasmanian perspective, we would expect that through the course of this year and certainly by the end, any Tasmanian citizen who is registered for the PCEHR, if they do go through the public hospital system, would also be able to get their discharge information flowing through into their record, as indeed it would flow through into the primary health system there as well.
Senator CAROL BROWN: Great. I had a couple more questions about the other initiatives that are in the package, but I might put them on notice because I do not want to take up too much time. I will put some on notice to the department. Thank you for your help.
CHAIR: Senator Fierravanti-Wells, you have others in this outcome?
Senator FIERRAVANTI-WELLS: Yes. I have a couple more questions. There are 560,000 health practitioners registered with AHPRA. If I understood correctly that figure, Ms Powell, only 1,325 have registered.
Ms Huxtable: Was that organisations or providers?
Senator FIERRAVANTI-WELLS: I thought you gave me separate health practitioners.
Ms Huxtable: Yes. Possibly.
Senator FIERRAVANTI-WELLS: And then a separate figure for health organisations. I assumed they were separate.
Ms Powell: I think there is a degree of subtlety there. Let me just find those numbers. So there are 1,171 healthcare organisations registered to participate in the PCEHR, which is not the same as being assigned a health provider individual organisation number. So 3,815 HPIOs, as we call them—health provider identifier for an organisation—have been assigned to healthcare providers.
Senator FIERRAVANTI-WELLS: I take it that they are included in the 56,761?
Ms Powell: No. The 56,000 number is consumers.
Senator FIERRAVANTI-WELLS: Ordinary Australian consumers?
Ms Huxtable: That is you and me, Senator.
Senator FIERRAVANTI-WELLS: So of the 560,000, we have 3,850 that have registered. That is less than one per cent.
Ms Huxtable: The 560,000 is not—
Senator FIERRAVANTI-WELLS: No. Health practitioners.
Ms Huxtable: I think we might need to register what that means. Recall that there are two types of identifiers here, one of which is organisations. Organisations can have very large numbers of providers in them—public hospitals, for example. So a public hospital could have a single organisational identifier but could have an exceedingly large workforce and they need their organisational identifier to be able to do things like post discharge summaries on to the PCEHR. So I am just not sure we can quite draw the links there.
Senator FIERRAVANTI-WELLS: What percentage of health practitioners that are registered with AHPRA do you believe have signed on to your system?
Ms Huxtable: I think we would have to take that on notice. I am not familiar with AHPRA details. But there is another angle to this, and we can put it on notice too, if you wish—I am putting my own questions on notice; that is not really done, is it?
Senator FIERRAVANTI-WELLS: That is very good.
Ms Huxtable: But that relates to the practice incentive program, the EPIP eligibility. Four of the requirements were from 1 February. Mr Butt might have more on this under outcome 5. There has been a quite high take-up of the EPIP, four of the requirements of which took effect from 1 February. The first of those requirements is to have an HPIO-HPII.
Senator FIERRAVANTI-WELLS: So to get that funding, you have to be—
Ms Huxtable: Given that our focus in the first stage is really around that sort of general practice, we are very encouraged by the rate of take-up and interest within general practice. So it is another angle, I guess, coming at the same issue.
Senator FIERRAVANTI-WELLS: I am just conscious of the time. Ms Powell, how do you sign on on behalf of older parents, mentally ill people or people who have difficulty but obviously for whom it would be beneficial? How do you deal with that? Do you need, say, a power of attorney to be able to act on behalf of one's parents or register one's parents or a carer?
Ms Powell: You can register as an authorised representative of a person.
Ms Granger: Well, there are two types of representatives people can have. One is an authorised representative who has guardianship type powers. There is also a concept of a nominated representative, where you can choose to share various levels of access. For the example of myself and my father, I could merely look at his record or he could choose to say that I could act as if I were him and keep his record updated.
----- [18:22]
Enjoy.
David.
 

8 comments:

Bernard Robertson-Dunn said...

The senate transcript of 14 February 2013 quotes:

Mr Madden: The government has security and information and cyber policies around data and the protections it will be put to. They are prescribed by the Defence Signals Directorate.

and

So the overall security regime meets our national e-authentication framework requirements and meets all of the cyber and protective security and information security procedures and guidelines. There is an accreditation process that is governed through an accredited set of assessors that are accredited through DSD to undertake those reviews.

(page 85)

end quote.

First DSD prescribes nothing. They offer advice to agencies who accredit their own systems.

Secondly the statement "an accreditation process that is governed through an accredited set of assessors that are accredited through DSD to undertake those reviews." is a load of rubbish.

Mr Madden is referring to IRAP assessors, who conduct an audit and certify, they do not accredit.

Thirdly, infrastructure security is not the same as information security. Mr Madden is conflating the two and arguing that, because the PCEHR meets the technical requirements laid out by DSD, the information in the PCEHR is properly protected. The two are not related.


Let's delve into the ISM and DSD's information on IRap assessors

DSD terms PCEHR

System Owner DoHA
Accreditation authority DoHA Secretary or senior executive in DoHA
Certification authority A body independant of DoHA, could be an IRAP assessor.
Audit A report provided by a certification authority
Assessor IRAP assessor, assessed and registered at DSD

According to the ISM, the agency does its own accreditation, not DSD. DSD never accredits, at best it is a certification authority for Top Secret systems. the PCEHR is not a Top Secret system. Therefore DSD has played no part at all in the accreditation or certification of the PCEHR.

IRAP assessors are not accredited, they are assessed and registered by DSD.

DoHA has accredited the PCEHR itself, assuming it has had an audit done by one or more IRAP assessors.

Has Mr Madden knowingly lied to the Senate? Is he just plain wrong? Neither is a good look.

I wonder if Ms Halton is aware of all this? She certainly should be. Anyone who knows anything about Federal government ICT systems knows that it is the agency head who takes full responsibility for ICT security. They assess and take the risk. No one else does. It's the law.

The Chief Executive's Instructions, issued by the Department of Finance and Deregulation states (page 3)

"1. Accountability and responsibility for an agency’s performance lies with the Chief Executive. This includes accountability for the agency’s management of risk."

and

"2.1.1. While there is no delegation applicable to managing risks, the following responsibilities are applicable to certain staff members:"

The Chief Executive cannot delegated managing risk.

She and her department may be able to wriggle their way past the Senate estimates committees, but Finance, AGIMO, DSD, and the Attorney General's Department are far better informed than Senators. Unfortunately they are either unable or unwilling to do anything about it.

It would seem that there are only two alternatives. Either I am wrong or Mr Madden is wrong. If I am, I will apologise. If Mr Madden is wrong, will he apologise to the Senate and issue a clarification? Whatever the outcome, Mr Madden being wrong is far more serious than me being wrong.

Although, if I am wrong it would probably mean that the DSD website is wrong.

These are the source documents

The DSD Information Security Manual (ISM) is available at
http://www.dsd.gov.au/infosec/ism/index.htm
The ISM Principles document defines accreditation and certification.

IRAP info available at
http://www.dsd.gov.au/infosec/irap.htm

Chief Executive Instructions and Operational Guidelines
http://www.finance.gov.au/foi/other-information/cei_og.html

Paul Fitzgerald said...

It seems the practice of quoting acronyms, and obfuscation to avoid answering the actual question is acceptable to those reporting to the committee. Unfortunate state of affairs. As you say Bernard, either situation for Mr Madden is a bad look, but who will take him to task?

Anonymous said...

"Anyone who knows anything about Federal government ICT systems knows that it is the agency head who takes full responsibility for ICT security."

DoHA are not very good at ICT or security. Full stop.
That's why they have botched up the PCEHR.
However they are good at stringing together random techno words and spinning misleading statistics. It seems it is not what you say, but the swagger you say it with that counts.

Also they don't know and they don't care that they have it all wrong. They are protected by their own impenetrable truth deflecting ego force-fields.

Anonymous said...

Bernard - you are not wrong.

Anonymous said...

DOHA should be able to provide the following basic information by State / Territory. Anything less reflects sheer incompetence.

Of the 1,171 healthcare organisations registered to participate in the PCEHR
1. How many are Medical Practices?
2. How many are Aged Care Facilities?
3. How many are Public Hospitals?
4. How many are Private Hospitals?
5. How many are Community Pharmacies?

This will reveal market penetration, distribution, sector breakdown.

This is the most basic and essential of information.

This information should be made public before another dollar of taxpayers funds are spent on this project.

Anonymous said...

Kate over at Pulse+IT provided some clarity on some of the numbers earlier in the week. As the previous commentator suggested, it looks like they didnt think to ask what type of organisation was registering for the PCEHR and are falling behind on processing...interesting they prematurely imposed the epip but weren't ready themselves.

http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=1323:pcehr-registrations-the-facts-and-figures&catid=16:australian-ehealth&Itemid=327

Anonymous said...

"... it looks like they didnt think ..."

That probably applies to a lot of things DoHA and NEHTA tried to do.

Anonymous said...

Yes and might also be useful to see how many consumers have registered by state/territory.