Sunday, April 26, 2020

The ADHA Seems To Be Making Very Heavy Weather Of Secure Messaging And It Is Not Clear Why.

A few months ago this release appeared. At the time I missed some key details.

Media release - Secure messaging standards to be mandatory

20 January 2020: State, Territory and Commonwealth Governments have released a joint statement in support of new standards for secure messaging, stating that the standards will be mandatory in future procurement for applicable systems.
The joint statement was shared with industry at a workshop in December 2019 which was attended by over 50 representatives from clinical and secure messaging software suppliers, governments and clinical representatives.
The Australian Digital Health Agency has been working with industry and governments over a number of years to achieve interoperable secure messaging across different systems – necessary to accelerate use of electronic messaging over fax machines and paper transmission.
The workshop launched the approach to national scaling for a consistent, standards-based approach to secure messaging across Australia, to enable healthcare providers to communicate effectively as part of the National Digital Health Strategy 2018-22.
The workshop was jointly chaired by Ms Bettina McMahon the soon to be interim CEO of the Australian Digital Health Agency, Ms Emma Hossack Chief Executive Officer, Medical Software Industry Association (MSIA) and Dr Nathan Pinskier GP and former Chair of the RACGP Expert Committee – eHealth and Practice Services.
Ms Bettina McMahon said “Many people across industry, governments and peak associations have been working with us since our first meeting in December 2016 to solve what some were describing as an intractable problem. We’ve had quiet confidence that we could co-produce specifications and standards with industry and professionals, try them out in early implementations, and get to a point where Australia’s customers of these systems would require their use.
“We’re now at that point – with Governments confirming that future procurements will reference the standards as mandatory requirements.
“Once again government, the health sector and the software industry have come together to address a key priority in the National Digital Health Strategy. It is this level of cooperation and shared insights that will let us achieve the benefits of digital health.”
Ms Emma Hossack said “There is work underway on a standards framework, trust framework and federated directory solution which is marvellous. We have consensus that these will be developed collaboratively and in keeping with the broader digital health interoperability approach. Whilst this can’t be rushed, we are optimistic that future development will occur through agreed standards, validation and conformance which is good news for all Australians using the health system.”
Dr Nathan Pinskier said “In the last three years, we have witnessed a significant level of industry collaboration and commitment in order to resolve a major deficiency in healthcare secure messaging being the lack of seamless interoperability between disparate software products. In this new decade of 2020, this collaborative program is now poised to deliver tangible benefits to both healthcare providers and their patients.”
A Communique on the outcomes of the workshop was released that describes the steps that will be taken to support national scaling of standards-compliant systems.
The Communique acknowledged the work done with industry to co-develop standards which were tested and refined through proof of concept implementations, the balloting of standards where appropriate, and the provision of financial support to industry to implement these standards.
ENDS
Here is the link:
The important part of the outcome was a so-called “Scaling Study” referred to in the Communique.
----- Begin Extract

National scaling approach

An approach for national scaling was discussed that encompasses the following initiatives:

1. Develop a secure messaging governance framework
2. Develop secure messaging use cases
3. Develop standards and a standards framework
4. Implement a federated directory solution
5. Develop a trust framework
6. Support change and adoption across the health sector
7. Develop a framework of levers

There was support to continue work underway, especially for initiatives 2, 3, 4 and 5. Attendees recognised that there is more work to be done on these before commencement of work on the other initiatives.
Attendees agreed that the standards framework and governance arrangements should not be developed in a vacuum, bespoke to secure messaging. A collaborative, not “top down”, approach was endorsed for development in this space. The governance arrangements should be consistent with the broader digital health interoperability approach.
Flexibility in mindset and pragmatism in approach were endorsed as the means for achievement of the goal not aiming for perfection but reflective of current approaches in software and practice. We will develop high-level criteria that define what success looks like. We will consider this over the next six months and agree next time we meet.
Workflow
Attention needs to shift to usability and workflow for end users. Now that barriers to interoperability at the technical layer are largely addressed, with the exception of financial and business models, the success of national scaling is dependent on the experience of clinicians using secure messaging solutions. Attendees agreed that user experience design work is best done by industry in conjunction with end user stakeholders. It was acknowledged that the Agency could assist this important work through facilitation of collaboration across industry and professional associations. The Agency would also have a role with provision of enabling services, such as test environments.
Directories
Attendees acknowledged the critical importance of directories in achieving secure messaging interoperability. There was a recognition of the need to continue work on federated directories, and that the success of our efforts will impact workflows and usability. It was also noted that directories should be open rather than closed federations.
Priorities
Momentum for change and adoption should be created by selecting a use case and a timeframe for achievement of the most widely used message type occurring via secure messaging by a set date. Attendees supported the Agency proposing a use case (e.g. referrals or discharge summaries) to be primarily electronic by a specific point in time, with various change and adoption levers applied in support.
The Agency will consult on a suitable use case and timeframe by April 2020. Success criteria will be defined along with the timeframes for them to be met. Once these criteria have been met, a plan for national adoption will be developed.
Looking to the future
Attendees recognised the plans underway to achieve interoperability across a broad range of healthcare systems, and their relevance to the goal of seamless national secure clinical messaging. Incremental improvements towards interoperability in secure messaging were acknowledged and supported as an approach to date, but the next iteration is now approaching where systems will exchange data through APIs rather than the current transport protocols.
Some software organisations are already investing in this capability, so there will be a time when these new technical methods will supersede current methods. There is a desire to develop for the future, not just for legacy systems.
As we move to new methods including more use of FHIR-based APIs, development should occur through a pathway of agreed standards, validation and conformance criteria.
Clarity in respect of quality control measurements and monitoring will be an essential part of this progress. It was generally agreed that previous approaches have not progressed as quickly or as smoothly as anticipated. In the meantime the digital health environment has continued to develop. The new methods that are emerging will be well suited to the contemporary environment, and these too will be covered by a framework to avoid silos and the mistakes of the past.
----- End Extract
Here is the direct link to the full Communique.
What I did not take enough notice of was an apparently contemporaneous report that runs to over 100 PowerPoint pages (114) that is boiled down to the paragraphs above.
Here is the direct link:
The project ran from late July to early October 2019 with the report delivered on 21 October, 2019.
Frankly the report is a joke.
Examples of the nonsense:
a. A total of 88 surveys of practices nationwide formed the basis of the current state assessment as best one can tell. (Page 20)
The claim was: “The survey responses provided a unique end user perspective that has been incorporated into the current state analysis” but somehow 76% of the respondents were from Queensland – where Medical Objects alone has 72000 connected users!
b. Consultation with the major providers of Secure Messaging – Telstra, Healthlink, Medical Objects and ReferralNet seems to have been 1 three hour session. (15 August 2019 – p109)
c. It seems that pretty much all the plans don’t get started until June 2020 (p101) or later! Examples of what is to start then include “Establish a Standards Working Group” (seems they don’t have one) or “Develop a case for change”. And so it goes! How you make anything mandatory when the Standards are missing I find pretty problematic! Maybe it is something to do with levers?
d. A really good piece of nonsense is to “mandate the use of NASH” after a review of what seems to have already taken a decade. This also seems to happen before a suitable trust framework is developed! (p101) (Will the pain ever stop?)
It should also be noted that while the Communique notes the importance of FHIR for the future no roadmap etc. is provided for a transition that I can see. Similarly the provider directory seems to be pretty underdone. It is hard to know just how much real progress has been made with this critical piece of work.
I really wonder how such a clearly impractical and non-real world based report can escape.
Updates on all this would be welcome via comment.
David.

21 comments:

  1. I might be wrong here but Standards Australia IT-014-06 developed standards for secure messaging. Why is all this ignored?
    ADHA formed with some pretty useful people planning how standards could be funded and used in the new era of digital. What happened to all of that? I was engaged in some early thinking and the approach and strategy seemed sound to me, even the tool to help profile what standards you needed to consider was brilliant, does anyone know what happened to all of that knowledge and value? Seems Tim and Bettina have a lot to answer for.

  2. Until there is a serious effort to make processing HL7 V2 messages interoperable, and not just cut down pdf only versions of REF messages, interoperable messaging is not possible in anything other than highly controlled artificial demonstrations.

    After 2 decades of eHealth authorities NASH should be sorted and it's not, a please explain response is appropriate. It's easy to waste time on these clowns and I guess given enough time something might happen, but not sure there is enough $$ in the government coffers to sustain a multi-generational project, which is what it will be at current rate!

    I wonder what this report cost? They should know what to do by now and the fact they do not is pretty telling. 20 yrs and billions of $$ spent for no return suggests they need to stop this laughable circus show. I can't justify spending much time on ADHA matters. The report mentions "pockets of success" with 16K messages a month in Barwon. Ummm what about 1 Million, mostly clinical messages a month on Sunshine Coast?

  3. Exactly the same could be said of My Health Record, Secure Messaging, ePrescribing, Interoperability.

    "The tracing app isn’t a huge threat to privacy. But from past experience, the government is"
    Bernard Keane, Crikey, 27 April https://www.crikey.com.au/2020/04/27/covidsafe-tracing-app-government-abuse/

    Should you download and use the coronavirus tracing app?

    No, but not so much because of the app itself as the people who are behind it.

    ...

    (The government) introduced data retention laws supposedly reserved only for a small number of security agencies, protected against abuse and mission creep, and aimed only at serious crimes. Instead, the agencies using metadata have ballooned, the most trivial offences are now included and security agencies abuse the data without being held to account.

    It defied laws designed to prevent the misuse of the personal information of transfer payment recipients to publicly vilify — via leaks to friendly journalists — a citizen who publicly criticised the government over robo-debt. Its bureaucrats insisted they had done so lawfully because they were correcting her “mistake”.

    It used laws it introduced aimed at deterring whistleblowing within government to raid journalists’ homes in search of sources that caused embarrassment for security bureaucrats. It raided opposition offices and Parliament House itself searching for information on sources that had embarrassed NBN Co.

    It used surveillance to undermine legal professional privilege and harassed and prosecuted the men who exposed criminal wrongdoing by ASIS, in the K/Collaery case.

    It has given itself powers to force software and device manufacturers to secretly plant malware on devices to target citizens. Its signals intelligence body — which helped write the app — refuses to share information about major security vulnerabilities in widely used IT systems so it can exploit them for commercial espionage.

    Given this, no amount of safeguards around government access to the information — and those safeguards won’t be legislated for weeks anyway — would be sufficient to guarantee that this government’s instincts to abuse its power would be curbed.

    Still, advocates for the app urge that a small loss of, or risk to, privacy is nothing compared with the benefits of the app in helping alert people to the risk of infection and help the government identify cases. Except, those benefits could be obtained through a more decentralised app that doesn’t allow any part of the government to access the unencrypted information on the device of someone who has tested positive.

    And such an argument is only a minor variation of the argument always put forward by governments, that we could all be safer if we gave up more rights, more freedom, more privacy, in the name of fighting crime, defending terrorism, stopping drugs — anything that saves lives and makes the community safer.

    Public health bureaucrats and academics are little different from national security bureaucrats and academics in their command-and-control mentality, one that sees freedom and privacy as a minor inconvenience in the pursuit of the greater good. Indeed, one commentator on the weekend compared those who value their privacy to terrorist Carlos the Jackal.

    Advocates also invoke another oft-repeated argument, that given IT companies already know so much about us, what does another breach in our privacy really matter — an argument best left on the shelf until the grim day when Apple, Google et al can raid our houses, prosecute journalists and jail whistleblowers.

    If you’re not planning to embarrass or publicly criticise, or seek to hold to account, government ministers and bureaucrats, you probably don’t need to worry too much about how the government will abuse your personal information. And you can always, at various stages in the process, opt out of providing information. You can even delete the app if you want.

    But the government can’t do what it would evidently prefer, which is to delete the facts about its long history of abusing power and personal information.

  4. Dear colleagues,

    I found that over 20 years of implementing messaging systems in Australia, I steadily agreed more and more with Andrew McIntyre whose comment above really nails it.
    "Until there is a serious effort to make processing HL7 V2 messages interoperable, and not just cut down pdf only versions of REF messages, interoperable messaging is not possible in anything other than highly controlled artificial demonstrations."

    In my view, all of the efforts to set up committees, deliver expensive reports, fly people hither and yon, are useless unless either of the following two options is relentlessly pursued.

    1. Make all message senders undertake continuous conformance testing/accreditation run by an independent body, returning to sender any non-conformant messages. Zero tolerance for bad messages.

    2. Accept the fact that SMD interchange etc has been a huge/massive waste of time, accept that you have multiple incompatible message delivery systems and develop a strategy that embraces that fact.

    Given the abysmal progress to date, I suggest that option 2 is the better bet. I have spoken to ADHA about what a "strategy that embraces that fact" might look like but received blank looks as they try, try and try again to make something work that clearly just plain will not.

    Best wishes,

    Tom

  5. Bernard Robertson-Dunn, April 28, 2020 9:25 AM

    A good definition of insanity is doing the same thing over and over again while expecting a different result.

    It's also a definition of government bureaucracy.

    The best strategy government could adopt is to just get out of the way.

    They could well remember the GOSIP vs TCP/IP wars, except they are probably totally unaware of them. The IETF (i.e. industry) developed standards and solutions. They were the experts and had a vested interest in getting it right.

    The only role for government(s) in that scenario would be to fund and facilitate cooperation and collaboration.

    The arrogance of wannabes like NEHTA, ADHA and Jared Kushner is staggering.

    I agree with Tom that option 2 is the better bet as long as the government's strategy is to put things in the hands of people who are equipped to solve such problems.

  6. ADHA has been tasked with evolving digital health to meet the needs of modern Australia. So based on what April 28, 2020 7:54 AM mentions, it is safe to assume the ADHA is not the entity it is supposed to be.

    Having a national body set up as a Federal Agency has proved to be too constraining, DoH has its little database now, time we got back to building the successor to Nehta.

  7. Bernard Robertson-Dunn, April 28, 2020 5:48 PM

    "ADHA has been tasked with evolving digital health to meet the needs of modern Australia"

    No they haven't

    From About the Agency
    https://www.digitalhealth.gov.au/about-the-agency

    "Tasked with improving health outcomes for Australians through the delivery of digital healthcare systems and the national digital health strategy for Australia, the Australian Digital Health Agency (the Agency) commenced operations on 1 July 2016.

    The Agency is responsible for national digital health services and systems, with a focus on engagement, innovation and clinical quality and safety. Our focus is on putting data and technology safely to work for patients, consumers and the healthcare professionals who look after them."

    Improving is not evolving. Improving is incremental changes to existing solutions. Evolving is developing new ways to solve existing problems.

    Improving is better horses. Evolution is the invention of the internal combustion engine and using it in a car.

    The two paragraphs above are classic American management consultant speak. Full of vague concepts that makes everyone feel better, but achieves very little.

  8. Ernst, I’ll take your mug of warm fuzzy US consultancy and raise you a cold cup of legislation.

    https://www.legislation.gov.au/Details/F2016L00070

    9 Functions of the Agency
    (1) The Agency has the following functions:
    (a) to coordinate, and provide input into, the ongoing development of the National Digital Health Strategy;
    (b) to implement those aspects of the National Digital Health Strategy that are directed by the Ministerial Council;
    (c) to develop, implement, manage, operate and continuously innovate and improve specifications, standards, systems and services in relation to digital health, consistently with the national digital health work program;
    (d) to develop, implement and operate comprehensive and effective clinical governance, using a whole of system approach, to ensure clinical safety in the delivery of the national digital health work program;
    (e) to develop, monitor and manage specifications and standards to maximise effective interoperability of public and private sector digital health systems;
    (f) to develop and implement compliance approaches in relation to the adoption of agreed specifications and standards relating to digital health;
    (g) to liaise and cooperate with overseas and international bodies on matters relating to digital health;
    (h) such other functions as are conferred on the Agency by this instrument or by any other law of the Commonwealth;
    (i) to do anything incidental to or conducive to the performance of any of the above functions.
    (2) In performing its functions under paragraphs (1)(a) and (c), the Agency must, if appropriate, act collaboratively with:
    (a) Commonwealth, State and Territory Governments; and
    (b) other key stakeholders, such as peak health associations, health industry bodies, clinical groups, health consumer organisations and healthcare providers.
    (3) If an intergovernmental agreement is relevant to the performance of a function of the Agency, the Agency must have regard to the agreement in performing the function.
    (4) Subsection (3) does not limit the matters to which regard may be had.
    (5) Where the Agency may provide a service, the Agency may do so:
    (a) itself; or
    (b) in cooperation with another person (including the Commonwealth); or
    (c) by arranging for another person (including the Commonwealth) to do so on its behalf.
    (6) The Agency may charge fees for things done in performing its functions.

  9. Bernard Robertson-Dunn, April 28, 2020 10:41 PM

    Ernst?

    I can't work out if you are agreeing or disagreeing with me.

    However, "The Agency has the following functions:" is not the same as "ADHA has been tasked with ..."

    "Tasked with improving health outcomes" is an objective. Functions are the things they can do.

  10. Bernard it must have been a random auto-correct. I’ll blame the Covidsafe app.

    On this occasion I generally agree with aspects of your statements.

  11. Tom Bowden said at 7:54 AM on April 28, 2020: "Make all message senders undertake continuous conformance testing/accreditation run by an independent body, returning to sender any non-conformant messages."

    We could call that independent body the Australian Healthcare Messaging Laboratory. Oh wait - we did: https://www.pulseitmagazine.com.au/news/australian-ehealth/317-the-collaborative-centre-for-ehealth-and-the-australian-healthcare-messaging-laboratory

  12. Dr Ian Colclough, April 29, 2020 12:13 PM

    Well said Oliver. Instead of standing behind and strengthening the AHML - 12 YEARS AGO - bureaucrats and some major industry players brought their power and influence to bear to undermine the AHML forcing its demise. "As you sow so shall you reap".

  13. Ian, what were those people's and organisations' reasons for wanting AHML to be closed?

  14. It's a little hard and possibly a bit scary to be inside the head of the powers that be. The basic problem is that doing base level testing is not very "announceable" and doesn't generate the sort of powerpoint presentations that generic management likes to give. It's the equivalent of passing your anatomy exam vs announcing a successful liver transplant. The latter requires a very high standard of anatomy knowledge, which medical school and surgical exams ensure but you can't really make a fuss of someone passing an anatomy exam.

    We are trying to do complex IT without ensuring that the base level non announceable criteria are met and not surprisingly things fail. They fail in dangerous ways every day, but it seems no one cares about that and just want complex stuff to just work, when there is no hope of it working when you understand the horrible state of standards compliance we have.

    The basic problem is putting generic managers into a technical space. It's like the NASA problem where managers demanded the laws of nature bend to their will. Nature cannot be fooled and neither can health IT. If the messages are non compliant the behavior at the other end is undefined. Worse than that, when the messages are compliant they fail at the other end, so the problem is not just message compliance, it's the handling of compliant messages at the other end.

    What you typically see is unrealistic political deadlines for something to work and vendors saying it can't be done in that time and making things compliant will take time and money so the generic management just dumbs things down to try and meet deadlines. Organizations like AHML getting picky about getting things correct were a barrier to pushing things through on the political timeline so were brushed aside as a barrier to "success". In reality it's the generic management that are a barrier to success, but they have the $$ and the PR firms to try and paste over the cracks, but strangely enough actual success still eludes them and they seemingly don't understand why.

    Messaging 100% compliant messages to 100% compliant receivers would allow messaging to be simplified by 95% but we have made no progress in convincing the "authorities" that this is an undeniable requirement for actual progress and is viewed as a road block, but it's actually a roadblock because the bridge is out and the river is a long way down! I personally withdraw from attempts to crash through the safety barriers, which is what many projects demand. Does that explain why AHML was killed by the eHealth hubris that our national authorities exemplify?

  15. Dr Ian Colclough, April 30, 2020 9:58 PM

    @Oliver 8:43 PM There are many reasons Oliver which Andrew has summarised far better than I could ever hope to do.

    AHML for the generic managers to whom Andrew refers either didn't understand or didn't want to understand, doing so was politically inconvenient; whilst for some of the more powerful vendors AHML was commercially problematic to their aggressive sales goals and revenue generation.

  16. Bernard Robertson-Dunn, May 01, 2020 1:14 PM

    This looks interesting. ADHA has decided to run an "Innovation Challenge".

    The Context
    The Australian Digital Health Agency is focused on both immediate responses to COVID-19 as it evolves into recovery management and shaping Australia's digital healthcare systems for the better beyond national health emergencies.

    While the rapid adoption of digital health services has presented some challenges, it also creates opportunity. So we are challenging innovators across Australia to come forward with scalable tools and solutions that position us to improve our digital health system.

    We are looking for digital health solutions that will enable delivery of care in new ways, improve health outcomes, strengthen responses to health emergencies and accelerate digital health into the future.

    https://innovation.digitalhealth.gov.au/

    Isn't that last paragraph what they have been created to do?

    It's also interesting that they never mention My Health Record.

  17. Well at least they refrained from cheesy marketing. Refraining from mentioning things like “This is your chance to provide the next great Aussie innovation” or trying to sound bleeding edge and dynamic by referencing greats like ‘Hills Hoist’, ‘Cochlear Implant’, or ‘WiFi’ or the ‘Mullet’.

    Will be interesting to see how this pans out, Australia has some great software startup programs so the bar is pretty high.

  18. What does it 'mean' Bernard?

    "Challenging innovators across Australia to come forward with scalable tools and solutions".

    In other words this is a Request For Information (RFI). Don't be put off if you are not an "Australian Innovator", overseas innovators will not be excluded.

    Once we've sucked up all available information we will call a restricted Request For Tender (RFT).

    Please don't be too upset if you are not invited to tender because you are too small, or your revenues are too low, or your solution doesn't fit with the digital solutions we have in mind.

    And please don't feel obligated to mention the My Health Record. In fact we would prefer that you didn't, although we can't say that, because we don't want to be quoted.

    As you will appreciate we are endeavoring to distance the ADHA from the MHR with our 'new innovative approach' which we hope will distract attention from the MHR until it is quietly forgotten. But we can't say that either!

    Finally, David, please don't publish this comment on your blog because we don't want to be quoted there either.

    It might be better if we kept quiet and just pretended we didn't exist!

  19. 5:14 PM. The ADHA is big on buzzword bingo but very light on detail. Seems they can only predict 9 days ahead. Maybe they should run innovative ideas for planning. Is this simply a PowerPoint pitch? How is due diligence run on organisations? At what cost? And under FAQ: (quote) The company will retain all their IP for their proposed solution for the purposes of the demonstration phase.

    It might be argued that you should have some expertise in spotting good ideas and evaluating them. I am at a loss as to why ADHA would operate this when there are perfectly good and mature entities out there supporting innovation hubs and startups.

  20. The ADHA is about as useful as a chocolate teapot.
    Come to think of it, at least you could eat a chocolate teapot, which makes it more useful than ADHA

  21. I fear there are sufficient digital health disciples coming through more than happy to fill the ranks of blind obedience and carry ‘big government’ assistance. It has become almost a cult, similar to Six Stigma or Human Synergistics Circumplex, which rely on pyramid techniques where the high priest's sole job is to brainwash the disciples and continue the cycle.

    The ADHA is a failing experiment and is in its final stages. If visionary people have some ideas it might be worth following this - www.australianageingagenda.com.au/technology/ict/tech-council-scoping-sectors-ict-capability-for-govt/
