Another NEHTA Readathon!

Oh joy, oh wonder! NEHTA has just given us some more reading material!

This time we have an endless series of documents on Identity Management (IdM).

What a wondrous collection they are.

Included are:-

Framework for Analysing, Planning and Implementing Identity Management within E-Health v1.0 (76 pages)

Authentication Assessment Methodology v1.0 (55 pages)

Identity Management Discharge Summary Authentication Assessment v1.0 (28 pages)

Identity Management Glossary of Terms v1.0 (48 pages)

Identity Management Resource Set Building Blocks Layer v1.0 (36 pages)

Identity Management Resource Set Guidelines Layer v1.0 (39 pages)

Identity Management Resource Set Standards Layer v1.0 (19 pages)

Identity Management Resource Set Templates Layer v1.0 (33 pages)

Total = 334 pages.

What does all this mean and amount to?

I think the core of what is being outlined here can be seen in the following three quotes:

Identity Management

NEHTA sees Identity Management (IdM) as:

“an integrated system of policies, processes, and technologies that enables health organisations and the E-Health Community as a whole to facilitate and control users' access to applications and information resources while protecting confidential personal and business information from unauthorised users.”

When applied in a consistent and systematic way across a healthcare community, identity management underpins:

  • identification of parties involved in healthcare activities – providers, patients, organisations and locations;
  • authorised access to resources;
  • confidential transmission and receipt of private or sensitive information;
  • integrity of information transferred between parties; and
  • traceability and audit of activity between transacting parties.

And

Identity Management Program

“NEHTA’s Identity Management initiative is developing a national approach and an alignment framework to guide the Australian health sector toward a uniform and comprehensive approach to managing digital identities and their access to E-Health applications and information resources.

This requires that healthcare providers, across the board, migrate practices and systems to the point where they meet the interoperability and ‘security’ requirements necessary to build a trusted national approach to E-Health.

…..

The Identity Management work program is intended to support the migration of organisations and applications from the broader sector into the National E-Health community.

Inside the E-Health Community, identity management ‘systems’ will need to be aligned with the principles described in the NEHTA Interoperability Framework (IF) and Enterprise Architecture (EA) documents. It is anticipated that the sector will adopt a Services Oriented Architecture (SOA) approach based on Web Services. Such systems will generally be developed as ‘greenfields systems’, filling a new role or acting as a migration target.

Identity management systems of varying complexity exist outside the E-Health Community in the broader Australian Health Sector. Over time such systems will need to become more aligned with the directions being developed by NEHTA. These migration projects may not be initially fully compliant and conformant with the NEHTA Interoperability Framework and Enterprise Architecture, but will be able to adopt key principles and approaches from the Identity Management Framework that will ensure that future work can continue the transition towards a fully realised E-Health implementation.”

Further clues are found in the Business Principles to be Applied to IdM (from the Guidelines Document)

“2.1.1 Business Principles

2.1.1.1 Maximize Benefit to Health Care

Statement: Decisions about electronic health infrastructure components must always maximise the quality of care.

Rationale: Where there is any conflict or uncertainty in making decisions about infrastructure specifications and services, the goal of providing better quality of care should take precedence.

Implications:

  • The benefit to health care provided by an infrastructure specification or service must always be identified.
  • Decisions about technology should be driven by health care needs rather than technological or other concerns.
  • A simple solution that provides immediate benefit to health care organisations is preferred over a technologically better solution.
  • The Institute of Medicine quality of care principles [IOMQOC] should be applied to such decisions, that is, health care should be safe, effective, patient-centred, timely, efficient and equitable.

2.1.1.2 Service-oriented Approach

Statement: A service-oriented approach to the development of specifications and services will be applied.

Rationale: A service-oriented approach requires that specifications and services provide an identifiable, relevant and cost-effective service to businesses using the infrastructure. The business-level service definition becomes the point of alignment between business, information and technical

perspectives.

Implications:

  • The business-level relevance and benefit associated with services must be identified.
  • Service usage is captured in process definitions that specify the interaction between service providers and service consumers. Processes might be as simple as request/reply or even a one-way message but can also be considerably more complex.
  • The business-level responsibilities of both service providers and service consumers must be identified in a process.
  • Processes provide the basis for agreement between service providers and service consumers, and as such, should reflect the concerns of all parties involved in an instance of service usage. These concerns should be reflected in the services.
  • Services identify information (data) associated with service provision and use. In a service-oriented approach, an information model must be associated with business services using that model to identify the benefit to the business. Information models should not be specified without the context of one or more services.”

It is really important to stand back from all this and to see just what is being provided here. We are being told that – although there is a huge amount of work and consultation still to be undertaken – that here is the IdM Framework that is to be used by the Australian Health Sector.

Can I suggest that for any organisation to make a call of that magnitude it really should have a track record of delivery in such a complex arena. Additionally any entity planning to adopt the framework and all the associated complexity would want substantial assurance regarding the stability, utility, cost effectiveness and practical implementability of what was being offered. I really can’t see that either pre-condition is true.

On the basis that NEHTA has NO track record of successful delivery of anything of this complexity that assurance would have to be based on pure faith rather than any experience.

Given the funding to start work on Identifiers was announced in February 2006 and all we now have is a “Framework’ which needs a vast amount of further elaboration to reach any state of practical usability it seems unlikely much will actually be delivered before the money runs out in 2009. All this just shows how terribly slowly progress is being made (if at all). It really seems to me that NEHTA are quite unlikely to deliver in any sensible time-frame.

Also missing from all this is any business case that justifies doing all this. That surely must be done before anyone would bother investing in such a complex and unwieldy process as the one outlined here.

Lastly, one is forced to wonder just how much of this has been discussed with and aligned with the IdM plans that Medicare Australia and the Office of the Access Card have. As best I can make out the IdM Framework is assuming that Jurisdictions and Medicare will be registering providers and individuals to the standard NEHTA desires. I suspect this may come as news to these entities – given the level of IdM that is required in many e-Health transactions to ensure security and privacy. Who will bear the registration costs one wonders?

One also wonders whether becoming a registered professional or acquiring an Access Card is all that is needed – or does such registration need to be verified / repeated by NEHTA?

Before closing I must comment on the Business Principle to “Maximise Benefit to Health Care”. Read carefully and I am sure you, like me, will say that this is pure motherhood and will also be able to think of a legion of different situations where the Principle is just silly. (Hint. I think the third point is just wrong and the second is very much dependent on the circumstances. Re the first point – the bottom line is that some infrastructure just has to be (i.e. exist) for anything else to be able to happen)

Another un-consultative clunker I believe.

David.

0 comments:

Post a Comment