The following appeared a few days ago.
Thursday, 28 January 2010
e-Health: something's rotten in the State of Kevin
"The End User Security Reviews clearly found that there are instances in which particular users may share user credentials (whether they be passwords or tokens) to facilitate their obligation to patient care.
In situations such as a hectic Emergency Department or a large onsite trauma situation, the adherence to business processes which promote unique identification and authentication of users of the HI Service may not be practically possible.
The security controls and awareness levels found in these assessments have been varied."
{NEHTA - HI Service Security and Access Framework 13/11/09 PUBLIC}
For the rest of the blog drop in here:
http://northcoastvoices.blogspot.com/2010/01/e-health-somethings-rotten-in-state-of.html
This got me to start thinking just where the Nation Authentication Service for Health (NASH) was up to, as it is needed for the HI Service.
I found this page:
http://www.nehta.gov.au/component/docman/cat_view/49-publications/48-connecting-australia/54-nash
NASH
As significant amounts of sensitive and personal information is being sent electronically around the globe, there is a need to guarantee the authenticity and validity of the information that is being exchanged. In the case of your personal medical information, there is an even greater imperative to ensure that information is collected and securely electronically exchanged only by those authorised to do so.
The National Authentication Service for Health (NASH) project will deliver the first nationwide secure and authenticated service for healthcare organisations and personnel to exchange e-health information.
Together with clinical terminology, messaging standards and unique health identifiers, NASH will provide one of the fundamental building blocks for a national e-health system.
Categories
Information Specification, Content & Requirements
However no joy. Both these are empty of any information at all!
The article referenced in the blog does provide some small help and raises more than one issue!.
See here:
http://www.nehta.gov.au/component/docman/doc_download/877-security-and-access-framework
For those who missed the release of the document initially there are some interesting things said.
This provides the first interesting section:
“2.2 End User Access - Threat and Risk Assessment
The potential user base of the HI Service is diverse. Once fully operational, it is expected that upwards of 500,000 Healthcare Provider Individuals (HPI-I’s) will participate in the HI Service. In addition, large numbers of HI Service Users will require access to the service to facilitate the delivery of healthcare services. The end user security assessment has allowed NEHTA to ascertain security vulnerabilities, risks and threats that an end user presents at a ‘typical’ healthcare setting, and gain an understanding of current security practices and awareness levels.
In order to obtain a cross section of the healthcare community in a diverse array of healthcare settings, a range of private and public health organisations were visited. Numerous staff members were interviewed, and practices and processes reviewed and evaluated.
The End User Security Reviews assessed the following:
- • A large city public hospital
- • A children’s public hospital
- • A private pathology and radiology service
- • A private hospital
- • A rural public hospital
The End User Security Reviews clearly found that there are instances in which particular users may share user credentials (whether they be passwords or tokens) to facilitate their obligation to patient care. In situations such as a hectic Emergency Department or a large onsite trauma situation, the adherence to business processes which promote unique identification and authentication of users of the HI Service may not be practically possible.
The security controls and awareness levels found in these assessments have been varied. These findings are invaluable as they provide a solid ‘real world’ understanding of security in a variety of healthcare settings. They will give primary input into appropriate baseline security controls that will need to be included in Participation Agreements, and security considerations that will need to be included in the design of third party health systems (such as Patient Administration Systems).
These reviews have ultimately assisted in designing and developing effective and usable controls for the HI Service.”
Now I am not sure how you read this, but what it says to me is the chance of having trustworthy provider identification – to reassure the public their records are secure – is not high at all. Too many people and too many situations where ID technology will get in the way – exactly as has been discovered with the provider smartcards in the UK!
I think you will find NEHTA has no clue about how to handle emergent and high volume situations - especially with many providers all needing computer access. Some explanation of how this was to be handled would have been good.
I could have told them had they asked!
This is also very interesting:
3.3.2.2 Healthcare Provider Individuals
Healthcare provider individuals (possessors of HPI-Is) will be identified through their professional registration process or other approved processes. Access will be either by identifying themselves to an HI Service officer by phone, person, fax or mail or by using a PKI certificate to electronically access the HI Service. Certificates will be available upon request using the National Authentication Service for Health (NASH).
As an individual healthcare provider they will be able to access their own provider information. However, they must provide evidence, either to a body acting as a Trusted Data Source to the HI Service, or directly to the HI Service Operator, that they are employed by a healthcare provider organisation, before being permitted to access the core HI Service. The core HI Service includes IHIs and associated healthcare individual information, and the healthcare provider directory services (which include the details of healthcare provider organisations and consenting healthcare provider individuals).”
I am not sure if I read this correctly, but it sounds like solo GPs and specialists who work for themselves are not going to have access without a lot of work and signing all sorts of documents – see below!
The other issue, of course, is that the National Registration System is not planned to start until mid 2010 – so there is not going to be much time to get providers into the system, issue all the PKI certificates and so on with the current planned live date of the HI service being the same! (July 2010)
Even more remarkable is this:
“4.3 Participation Agreements
Participation Agreements will be a necessary requirement for healthcare provider organisations to actively participate in HI Service. A Participation Agreement will be executed as part of an overall registration process. The Participation Agreement will form an integral part of the security framework, providing the foundation for best practice security. Participation Agreements will include enforceable terms and conditions, underpinned by legislation, and will address a broad range of fundamental areas of responsibility.
In order to access the HI Service, healthcare provider organisations will be required to address the following areas in relation to security:
• Comply to minimum baseline security requirements (including areas such as account creation, unique identification of users in interfacing systems to the HI Service, password management strategies, firewalls, anti-malware, audit trails);
• Participating organisations will be required to maintain any computer and other ancillary electronic equipment to meet a minimum standard of being technologically adequate for the purposes of the IHI and HPI services;
• Have mechanisms in place to manage risks and liabilities;
• Have policy and procedures that address information security and privacy; and
- Provide education and training to all HI Service authorised users so that they are aware of their responsibilities.”
Continued.
Showing characteristic understanding of the sector they seem to imagine all the providers are going to rush to take on all these extra-obligations, at their cost, to suit NEHTA. Just why would anyone bother?
They are clearly dreaming and have not thought through and worked out how to distinguish the perfect from the possible and then how they are going to even get to the possible.
The whole document also seems to identify a range of problems for which it has no answers – and this document is released about 2 months ago! What has changed I wonder?
Of course all this makes a joke of all the claims of how all access to the HI will have full reliable audit trails etc. They are really dreaming I believe.
The following provides the FAQ for healthcare providers.
http://www.nehta.gov.au/images/flipbooks/HI-Brochure-Providers-FAQs-NEH050/index.html
The one big question it does not answer is the obvious one. Why would I go to all this trouble and if I do what can you show is really in it for my patients and me?
Finally, it is clear from the FAQ that allocation of provider identifiers will be staged over who know how long – so I wonder if all the other issues are addressed just how long it will be before the actual HI Service is really operational nationwide. Let’s face it – it will be years!
As I have said before – let’s see a realistic implementation plan. As it is now we are all in the dark!
David.
0 comments:
Post a Comment