Tuesday, April 10, 2012

There Seems To Be Some Movement on The National Authentication System For Health (NASH). What Direction Is a Trifle Unclear.

The following e-mail was sent out by NEHTA last week.
“I would like to announce that the NASH Developer Materials have been released on the Vendor Portal https://vendors.nehta.gov.au. These materials are provided for test purposes only, and do not allow access to any live data.
To download the Developer pack, please follow the Registration process. The pack can be located under "eHealth Foundations" -> "National Authentication Service for Health". You will have to accept the Terms and Conditions of the Licence Agreement to get access to the materials.
This release consists of the following documents:
1. Release Notes, including
   · Download location for Secure Message Delivery Specifications
   · Download location for the PKCS11 Standard
2. Draft Certificate Profiles for HPI-I and HPI-O/CSP
3. NASH Concept of Operations
4. Test HPI-O (set of 2 generic certificates)
5. Draft Token Specifications
6. Licence Agreement
Please read the initial document first for an overview of the rest of the pack: "NASH Concept of Operations - Release Note".
Please don’t hesitate to contact me if you have any questions.
Kind Regards,
Lxxx Mxxx
Engagement Analyst
nehta - National E-Health Transition Authority
----- End E-Mail.
For some very odd reason there is a very strict License Agreement before the NASH material can be accessed. It utterly bamboozles me just why this would be given the need for everyone to understand NEHRS (formerly PCEHR) security before trusting or using the planned system. This seems to me to be just a nonsense barrier.
I suggest people read carefully before downloading if they are actually planning to deploy, rely on or use the material. As a commentator I will just read and not fiddle so I can’t see how I can get into too much trouble!
At about the same time we had the following appear:

NEHTA's new baby holds key to doctors' access to e-health records system

  • by: Karen Dearne
  • From: Australian IT
  • April 04, 2012 5:03PM
TWO senior National E-Health Transition Authority executives have created a $0 company to act as the registration authority for the National Authentication Service for Health, as part of the Gillard government’s e-health record system.
NEHTA chief executive Peter Fleming and chief financial officer Christopher Hale registered NASH GA Pty Ltd last October, with Mr Hale as director and company secretary, and Mr Fleming as director.
The entity is a wholly owned subsidiary of NEHTA, established with one nil-value ordinary class share; it had a name change in February to E-Health Authentication Services Pty Ltd.
A NEHTA spokesman said the company was established as "a special purpose vehicle to act as the Certification Authority for the NASH", in accordance with Gatekeeper Accreditation (GA) requirements set for public key infrastructure (PKI) systems by the Australian Government Information Management Office.
"In order to protect the investment in the NASH and GA process and create arrangements that provided future flexibility, it was decided to establish a special purpose vehicle under NEHTA that would become the Certification Authority, the shares of which could be transferred to another entity should the role of NEHTA change and the circumstances require," he said.
"The Certification Authority is an integral part of the NASH, and must be 'Gatekeeper Accredited' by AGIMO.
"While the NASH is the authentication service that healthcare providers will use to access the PCEHR, it has been conceived as a broad authentication service to support the health sector, for example, for secure messaging between healthcare providers and future electronic prescribing."
More here:
My reaction to this is essentially amazement and incredulity. What on earth is a company needed for? Surely DoHA (or Medicare who already run a similar service) would have been a much more logical home. Of course it might be that the Directors are wanting - just like NEHTA - to avoid FOI scrutiny. That way the non-use of the apparently voluntary system will remain a state secret!
Another correspondent has suggested it is NEHTA trying to ensure ongoing relevance as a PKI CA rather than being eventually folded up.
I have to say NASH seems to be decaying into farce. Three months out from the NEHRS start we are given an apparently FINAL NASH Concept of Operations with Draft Code and specifications for NASH Tokens (to hold provider authentication credentials) from some two years ago.
It is clearly impossible for NASH to be implemented in any form in the next three months so the system will have to start using Medicare and not NASH authentication. This is a clear manifestation of planning failure (given how long we have known it would be needed) as far as anyone can tell and really suggests to me NEHTA simply is not up to implementing any significant project properly.
As for the task of registering, identifying and providing tokens to the 600,000 people who work in the Health Sector - you have to be joking. It also seems consumers / patients are now out of scope for NASH as far as one can tell.
Additionally it is hard to see a case for starting again with NASH rather than enhancing the authentication service already offered by Medicare that is already in widespread use.
Given NASH has comprehensively failed in the key raison d’être of supporting implementation of the NEHRS, the time for a Strategic Rethink has arrived.


Andrew Patterson said...

If NEHTA were intending to have some secret strategy to ensure ongoing relevance as a CA then I would suggest that they would do the exact opposite of what they have done - in that they would have registered THEMSELVES as the CA.

I think the idea of a separate legal entity for a CA whose ownership can be transferred around (to be owned by DoHA for instance) is perfectly sensible. I presume there are also legal advantages in terms of limited liability etc.

Not everything is some great conspiracy... despite the breathless tones in which it gets reported in newspapers.

(I agree with the rest of the stuff about the NASH rollout being farcically late)

Anonymous said...

So, when Fleming set up NASH GA in his name in October, did he pay NEHTA back the money NEHTA paid in September to the external law firm for advice regarding this legal entity?