This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Tuesday, April 10, 2012
There Seems To Be Some Movement on The National Authentication System For Health (NASH). What Direction Is a Trifle Unclear.
The following e-mail was sent out by NEHTA last week.
“I would like to announce that the NASH Developer Materials have been released on the Vendor Portal https://vendors.nehta.gov.au. These materials are provided for test purposes only, and do not allow access to any live data.
To download the Developer pack, please follow the Registration process. The pack can be located under "eHealth Foundations" -> "National Authentication Service for Health". You will have to accept the Terms and Conditions of the Licence Agreement to get access to the materials.
This release consists of the following documents:
1. Release Notes, including
· Download location for Secure Message Delivery Specifications
· Download location for the PKCS11 Standard
2. Draft Certificate Profiles for HPI-I and HPI-O/CSP
3. NASH Concept of Operations
4. Test HPI-O (set of 2 generic certificates)
5. Draft Token Specifications
6. Licence Agreement
Please read the initial document first for an overview of the rest of the pack: "NASH Concept of Operations - Release Note".
Please don’t hesitate to contact me if you have any questions.
nehta - National E-Health Transition Authority
----- End E-Mail.
For some very odd reason there is a very strict Licence Agreement before the NASH material can be accessed. It utterly bamboozles me just why this would be, given the need for everyone to understand NEHRS (formerly PCEHR) security before trusting or using the planned system. This seems to me to be just a nonsense barrier.
I suggest people read carefully before downloading if they are actually planning to deploy, rely on or use the material. As a commentator I will just read and not fiddle so I can’t see how I can get into too much trouble!
At about the same time we had the following appear:
TWO senior National E-Health Transition Authority executives have created a $0 company to act as the registration authority for the National Authentication Service for Health, as part of the Gillard government’s e-health record system.
NEHTA chief executive Peter Fleming and chief financial officer Christopher Hale registered NASH GA Pty Ltd last October, with Mr Hale as director and company secretary, and Mr Fleming as director.
The entity is a wholly owned subsidiary of NEHTA, established with one nil-value ordinary class share; it had a name change in February to E-Health Authentication Services Pty Ltd.
A NEHTA spokesman said the company was established as "a special purpose vehicle to act as the Certification Authority for the NASH", in accordance with Gatekeeper Accreditation (GA) requirements set for public key infrastructure (PKI) systems by the Australian Government Information Management Office.
"In order to protect the investment in the NASH and GA process and create arrangements that provided future flexibility, it was decided to establish a special purpose vehicle under NEHTA that would become the Certification Authority, the shares of which could be transferred to another entity should the role of NEHTA change and the circumstances require," he said.
"The Certification Authority is an integral part of the NASH, and must be 'Gatekeeper Accredited' by AGIMO.
"While the NASH is the authentication service that healthcare providers will use to access the PCEHR, it has been conceived as a broad authentication service to support the health sector, for example, for secure messaging between healthcare providers and future electronic prescribing."
My reaction to this is essentially amazement and incredulity. What on earth is a company needed for? Surely DoHA (or Medicare who already run a similar service) would have been a much more logical home. Of course it might be that the Directors are wanting - just like NEHTA - to avoid FOI scrutiny. That way the non-use of the apparently voluntary system will remain a state secret!
Another correspondent has suggested it is NEHTA trying to ensure ongoing relevance as a PKI CA rather than being eventually folded up.
I have to say NASH seems to be decaying into farce. Three months out from the NEHRS start we are given an apparently FINAL NASH Concept of Operations with Draft Code and specifications for NASH Tokens (to hold provider authentication credentials) from some two years ago.
It is clearly impossible for NASH to be implemented in any form in the next three months so the system will have to start using Medicare and not NASH authentication. This is a clear manifestation of planning failure (given how long we have known it would be needed) as far as anyone can tell and really suggests to me NEHTA simply is not up to implementing any significant project properly.
As for the task of registering, identifying and providing tokens to the 600,000 people who work in the Health Sector - you have to be joking. It also seems consumers / patients are now out of scope for NASH as far as one can tell.
Additionally it is hard to see a case for starting again with NASH rather than enhancing the authentication service already offered by Medicare that is already in widespread use.
Given NASH has comprehensively failed in the key raison d’être of supporting implementation of the NEHRS, the time for a Strategic Rethink has arrived.