In parallel with the implementation of the National Health Identifier Service (HI Service), we have been led to believe there will be implemented a robust individual provider authentication system (termed the National Authentication Service for Health – NASH for short).
The intent of having this authentication service is so that access to the planned HI Service for now, and later for the proposed, but still a bit vague, PCEHR Service, can be robustly controlled and appropriate audit trails put in place to assure public confidence as to who has accessed their private health information and who has modified and updated information contained in such a system.
It is clear that without NASH (or some equivalent system) being available there will be major issues and concerns about how any information leakage or abuse can be properly detected.
From this link you can read what was initially planned for NASH.
More recently (AAPP Forum – March 11, 2010) we have been told:
The National Authentication Services for Health (NASH) provides the required strong authentication of healthcare providers and organisations, and is an important foundation service in the developing e-health community.
Establish a national supply of trusted digital credentials available to all entities in the health sector
(Slide 20). Logo of NEHTA, DoHA and IBM at the bottom of the slide.
We are also told (next slide) NASH will:
• Support software vendors to transition their products to use nationally recognised digital certificates;
• Provide sufficient flexibility to leverage investment from organisations such as Medicare Australia; and
• Encompass the current use of PKI by Medicare and in the future National Individual credentials.
• Services will be available to support required functionality of HI Services and Secure Messaging
You can review the whole presentation from here (other interesting stuff also):
For some reason, it does not seem to be on NEHTA’s web site, but it is also here:
It is not clear why the Communio Group is hosting the file.
Even more interesting, when hunting around for hints of progress with NASH I came across a brief descriptive resume for a developer of NASH.
Previous roles with the National eHealth Transition Authority (NEHTA) included undertaking the development of successful multi-million business case proposing the development of a new smartcard service to be used by doctors when accessing sensitive electronic health information. The NASH program is noted as a key piece of national e-health infrastructure in the National E-Health Strategy (2008) and is leveraged by a number of other e-health programs, including NEHTA's Unique Healthcare Identifiers service.
Gil has been a frequent public presenter on NEHTA and NASH program - e.g., CeBIT (May 2008) and Australian Smartcards Summit (July 2008), Identity Management Summit (Feb 2009).
So NASH is to be smartcard based, funding for millions has been secured and those who are to use this service (Docs, Nurses and so on) are still in the dark! Additionally, a key manager (Gil Carter) in the area seems to have left.
I understand there are upwards of 600,000 professionals and support staff who may need to be issued a smart card. The cost of those cards, checking IDs and maintaining all the infrastructure – your guess is as good as mine. Even $2 per card + $5 per 10 mins to confirm ID gets to close to $5M. Then of course there is the mandatory ‘public information campaign’ at who knows how much.
With just one month until the HI Service is meant to start, the chance of any real security around it looks a bit illusory to me.
Just typical is all one can say.