Wednesday, September 15, 2010

Some One Needs To Be Held Accountable for This NEHTA Fiasco.

The following appeared late yesterday.

NEHTA to release smartcard tender

  • Karen Dearne
  • From: Australian IT
  • September 14, 2010 7:21PM

THE design and build of the National Authentication Service for Health will be done by the private sector, despite years of work on the project by NEHTA.

The National E-Health Transition Authority is set to release a "fairly significant" contract tomorrow for the NASH smartcard and public key infrastructure (PKI) project - the user authentication system originally planned to be in place to support the launch of the Gillard government's controversial Healthcare Identifiers scheme.

Head of infrastructure services Stephen Johnson said NEHTA had been working on NASH "for quite some time" and had realised its complexity warranted participation by experienced industry players.

"We've been trying to define and design the authentication needs for healthcare in the e-health domain for the years to come, and we've realised it's a very complex affair," he said.

"The more we looked into the design aspects from all perspectives - healthcare providers, suppliers and so on - the more we found it lent itself well to (approaching) the marketplace."

Mr Johnson declined to reveal the value of the contract but said it would be fairly significant although not in the hundreds of millions of dollars.

NASH was touted as the key means of ensuring patient privacy and secure professional access to information as regulations underpinning the HI service were pushed through Parliament in June.

It was intended to ensure only authorised people could access patient details held by the Medicare-operated HI service, and establish an audit trail in the event of problems.

In March this year, NEHTA chief executive Peter Fleming told the Senate inquiry into the HI legislation that NEHTA was "moving quickly" with the Queensland government to develop the encryption technologies needed to support NASH.

Mr Fleming said "small-scale implementations, rather than pilots" of the building block components - identifiers, NASH and secure messaging - would begin from mid-year, "using real patients and real data".

After the laws passed, on July 1 every Australian was mandatorily issued with a unique 16-digit number to uniquely identify personal records as health information begins to flow more broadly across the healthcare sector.

The request for tender shows NEHTA wants someone to provide an end-to-end design, detailed specifications for technical and business operations and a delivery plan - to be followed by a buildout and commencement of operations.

NEHTA has been working on NASH in tandem with the identifiers program since 2005; the design, test and development of the NASH software interfaces was originally scheduled for 2008, with deployment of the system through early adopters slated for 2009.

But Mr Johnson said there had been a misunderstanding over NASH's readiness to launch with the HI service.

"That's certainly not a message NEHTA has put out," he said. "There is an authentication requirement for participants in the HI service in certain circumstances.

"That specific authentication medical providers need for the identifier service is already catered for by Medicare, which is our HI service provider.

More here:

http://www.theaustralian.com.au/australian-it/government/nehta-to-release-smartcard-tender/story-fn4htb9o-1225922843106

Here is the tender announcement.

http://www.nehta.gov.au/about-us/tenders/705

Request For Tender For The Provision Of The National Authentication Service For Health (Rft 2010/01)

The National E-Health Transition Authority (NEHTA) was established by the Australian Commonwealth, State and Territory governments in July 2005 to develop better ways of electronically collecting and securely exchanging health information. It is responsible for the design of e-health initiatives on a national basis, the first of which is the Healthcare Identifier Service which commenced on 1 July 2010. NEHTA works collaboratively with stakeholders across the health sector to develop the specifications and standards for the national e-health infrastructure and applications.

NEHTA is seeking organisation(s) with proven ability to deliver the design, build and operations of a National Authentication Service for Health (NASH).

The NASH will provide the necessary strong authentication for the healthcare sector, including the provision of Public Key Infrastructure (PKI) and secure tokens such as smartcards for healthcare providers and supporting infrastructure.

NEHTA is seeking the provision of services from suitably experienced parties to provide the following services for the NASH:

  • Deliver an end to end detailed design;
  • Develop detailed specifications for the technical service(s) and business operations of the service;
  • Provide a detailed delivery plan, resource plan and costs;
  • Build and commence operation of the necessary Credential Management Services (PKI) and Token Management Services to support e-health; and
  • Provide an ongoing operational capacity / capability for these services.

The Tender will be released on 15 September 2010 and will be available from 12:00 hours (Australian Eastern Standard Time). To obtain a copy of the RFT you must first register, visit www.tendersearch.com.au/nehta for details.

A Tenderer Briefing will be held on: 20 September 2010 commencing from 14:00 hours (Australian Eastern Standard Time) at the Sydney Harbour Marriott, Circular Quay, 30 Pitt Street. Sydney Australia. Security clearances are not required to attend this briefing.

Please register for this briefing via email: nashrft@nehta.gov.au no later than 14:00 hours (Australian Eastern Standard Time) 17 September 2010.

----- End Quote:

You can find my commentary here:

http://aushealthit.blogspot.com/2010/06/nash-this-is-sleeper-of-problem-i.html

and here:

http://aushealthit.blogspot.com/2009/06/nehta-is-simply-not-ready-for-any.html

among heap of others (Just search the blog for NASH for lots of material).

In summary for almost 3 years we have been told NASH is coming and now we discover it was just a twinkle in someone’s eye and will now be designed and developed externally because NEHTA can’t quite work out how to do it.

Incompetence piled on deception adds up to me to a serious need for some management accountability to be delivered with some major resignations for having wasted public money.

David.

12 comments:

  1. This fiasco has been going on for years and years. It has now become a Gillard Government responsibility. It pains me to say this but in my view NEHTA could do untold damage to the Gillard Government if NEHTA is allowed to continue with its incompetent filibustering which has gone on long enough at the cost of hundreds of millions of dollars and nothing of any note to show for it.

    I might also add, that this is not something Tony Abbott should be trying to score points over as NEHTA came into being during his time as Health Minister. He, along with the current government, is equally responsible for the current situation. Continuing to turn blind eyes will not address the issues.

    The problem is that NEHTA now employs almost 300 people and regardless of what it does or what it delivers it has a life of its own and it will just keep bumbling along until someone in authority has the intestinal fortitude to get of their backside and do something about it.

    ReplyDelete
  2. The unfortunate thing is that NEHTA has got it half-right finally by choosing to contract an industry vendor to establish this infrastructure for smart card and credential issuing. There are many, many providers of smart cards, certificate services and so on in Australia. There really isn't that much to figure out - although it's complex there are proven patterns and businesses operating.

    I say half right, because the half-wrong thing they've done is that rather than enabling a market for a number of providers of eHealth authentication services (by writing the specifications, contracting initial implementations, establishing incentives, supporting lead adoptions, etc) they're going to pick one winner. That one winner will take a clean sweep and build the whole infrastructure.

    In two years we'll have a repeat of the identifiers debacle. A NASH service will be operational but no health IT vendor's systems or health providers internal applications will be able to use them. NEHTA will have 'delivered' - it will make no difference on the ground.

    ReplyDelete
  3. The cost of an industry wide PKI service is not insignificant and the HESA/Medicare costs to date would probably be in the hundreds of millions after an expensive false start.

    The time to allow other CA's was then and not now. Most practices now have Medicare Location Certificates and to do it all again from the ground up is madness. Its also irresponsible with txpayers money, which seems the be the flavour of the day.

    When the SMD (Secure Messaging) was being discussed Nehta spoke as if they would have NASH and resisted any attempts to make SMD work with the existing certificates alone. It certainly could and can work with the existing certificates except that the Astronaut Architects at Nehta, who want to use the latest xml encryption and webservices which rely on certificate usage that the Medicare Certificates do not have. There is no advantage to these things other than they are trendy, and also happen to be very inefficient. They have turned a simple problem (messaging) into a complex one, requiring expensive crusades like NASH and this tender.

    The fact that, despite burning $160,000 a day for 5 years they have been unable to even consider the needs of decision support, a fact they actually stated in their blueprint, makes the whole organisation invalid. They need to start with the needs of decision support and work back to requirements to have any credibility, as the advantages of eHealth only really flow when decision support emerges. We may as well just use fax and scanning based systems otherwise.

    They have ignored the needs of decision support in AMT and as a result it’s stillborn. The whole SNOMED-CT focus is on static refsets with virtually no semantics. The profiles they release have not defined terminology usage, its "TBA".

    The new policy that I adopt is to assume that anything that emerges from Nehta is broken until proven otherwise. The costs of implementing flawed, half cooked specifications is too high for it to make any sense. This NASH announcement drives a nail into the SMD coffin as without a decent Public Key Infrastructure its not safe to send off data into the internet, hoping the Key you hold is actually truly for the recipient. It also prevents the automation of result routing and it won't scale without that. It can scale with the the Medicare LDAP service now, but that’s not trendy enough to use.

    I am flabbergasted at the ineptitude of this organisation.

    ReplyDelete
  4. @Andrew McIntyre
    "the advantages of eHealth only really flow when decision support emerges"

    Are you sure about that? I'll put this comment down to blind rage.

    NEHTA need to give us some transparency as to WHY they can't use existing PKI services that seem to be able to accommodate the good majority of other needs. If there's a few scope items that means we need to invent our own PKI system then take it back to the stakeholders and try and get them out of scope....the Architects should know better.

    The biggest cost is not with NEHTA spending 160k per day, it's with the architects and projects within the Health departments who are being told to wait for NEHTA solutions. At least take the leash of us.

    ReplyDelete
  5. Hello,

    Its not 'blind rage' its actually knowledge of what makes a difference. CDS is the main game!

    David.

    ReplyDelete
  6. I wouldn't be so quick to knock NASH as a concept. The existing HESA key issuance run by Medicare is really very similar to the proposed process with a few exceptions:
    - the HeSA process is limited to having a single registration authority (Medicare), so no state jurisdiction
    - the HeSA process is only for certs. NASH also encompasses the tokens. State jurisdictions across Australia are already embarked on projects to roll out smartcards, so it makes sense to have a common service
    - it's designed to work for a much smaller number of certificates (about 20,000) and doesn't have a lot of the processes that would be required to handle 500,000

    And most of all, it's MEDICARE - the slowest, most expensive, most non-innovative department in Australia.

    One could consider HeSA a pilot of NASH, but it' not up to the job of providing credentials for 20 times more health professionals.

    NEHTA could have taken the easier route of getting Medicare to expand the HESA process to the 480,000 who don't have HESA keys. It would have been absurdly expensive and poorly run though.

    I think NEHTA have done the right thing here going to market instead of taking the lazy option of handballing it to Medicare.

    (That said, I agree with Andrew's other comment - "the advantages of eHealth only really flow when decision support emerges" - that's 100% correct. The advantages of eHealth do only materialise when the availability of actionable information that supports a clinicians decision making at the point of care is improved. Until then, it's role is merely efficiency - when it supports decision making in line with the clinicians workflow and decision making process - then it has an impact on quality and safety.

    NEHTA does seem to have a blind spot to this distinction)

    ReplyDelete
  7. Anything based on a hardware/device solution will fail. My iphone doesn't have a slot for smart card, and neither does my internet enabled fridge or my grandmas Nintendo Wii. That is, the paradigm of what constitutes a computer used for healthcare delivery is changing way too rapidly to be thinking in terms of hardware centric authentication.

    ReplyDelete
  8. iphones, ipads, wii's, ps3's, consumer devices, smart cards, usb devices, contactless tokens, bluetooth devices, etc. are all forms of physical devices that can be used as a security token.

    ReplyDelete
  9. Hesa/Medicare have been supplying Smart Cards for years, I am on about my third. About 70% of GPs on the Sunshine Coast were using them for referrals before they removed the need to use them.

    I am sure its easier to scale up an existing process that works than start again. They could create other CAs, but the certificates need to be available on the Medicare LDAP and they need to be under the same root certificate authority. We need a SMD specification that can work with the certificates that all the practices already have. We are already using Medicare certificates for data transfer and they are appropriate for that use.

    To wait another few years until this mess is sorted out is not acceptable.

    ReplyDelete
  10. Anybody who has been at a NEHTA briefing in the last two years will know that they were working with Medicare to make NASH happen. Given the sole source tender which was done to give the HI service to Medicare to build, there was form to suggest that NASH was going to be done the same mindless way.

    So it is interesting to note that after *years* of trying to make the Medicare certificates work to suit the present e-health agenda, NEHTA has been brave enough to make a hard call and go out to market to get a commercial solution instead. The NEHTA board is taking a huge risk with this, so the medicare story must have been just appalling.

    Could this be the first real sign from NEHTA of a different model for delivering foundation e-health services?

    If this works, could commercial EHR vendors expect to see a similar tender to deliver DOHA's $466m program? (would be nice if that tender were for a supplier panel arrangement, with EHR products complying with industry-agreed standards available through subsidised purchasing agreements)

    ReplyDelete
  11. Excellent comments. I had a 5 year plan in 1994 Nothing has changed I. The world of e-Health. 1 step forward 2 steps back.

    ReplyDelete
  12. Thanks for this David. You triggered off a memory of an article written a year ago:
    Governments change direction on health e-records Karen Dearne From: The Australian October 13, 2009 12:00AM
    "GOOGLE, Microsoft and other new providers will host Australians' electronic health records as the federal and state governments back away from funding a nationwide scheme...

    ReplyDelete