Most of the sites are using "a National E-Health Transition Authority-sponsored initiative to inject Individual Healthcare Identifiers (IHIs) into GP desktop software", the Medical Software Industry Association says.
"This has been done largely without the consent or cooperation of the software vendors (who provide the 'host' systems)," its submission to the inquiry says.
"This is an inherently unsafe process. MSIA made NEHTA and the federal Health department aware of its concerns over this process at the Conformance, Compliance and Accreditation (CCA) governance group more than 10 months ago.
"However, the roll-out has continued unchecked, and NEHTA has been unable to provide any information about subsequent evaluation of potential errors that may have been introduced into live patient records."
The MSIA's president, Jon Hughes, treasurer Vincent McCauley and committee member Emma Hossack will be giving evidence to the Community Affairs committee's broad-ranging inquiry into the PCEHR Bill and related matters.
Later on Monday, representatives from two lead sites using the Synch application - developed by Brisbane-based Health Industry Exchange Ltd to NEHTA specifications - will appear before the hearing, together with Mark Gibson, HIE's e-health manager.
Abbe Anderson, chief executive of the Metro North Brisbane Medicare Local, and Adam McLeod, director of e-health strategy, Inner Melbourne East Medicare Local, say their sites have worked with Medicare, NEHTA and participating GPs "in the initial deployment of IHIs to ready general practices for the use of e-health systems and processes".
"Our activity has been to adopt and adapt available aspects of national infrastructure and e-health specifications at the local level to provide health information exchange and record-sharing between GPs, clinicians and hospitals," they said in a joint submission also from the third lead site, Hunter Urban Medicare Local, presented late on Friday.
"During the past 12 months, more than 300 practices have been supported to undertake initial healthcare identifier matching with more than 1 million IHIs processed.
"Practices have been able to undertake initial data quality work to determine their level of e-health readiness for use of IHIs.
"Vendors have been provided early insights as to the issues that practice systems will need to handle in the operation of IHIs."
The three lead sites say it's essential to integrate the PCEHR system "into GPs' existing desktop clinical software and workflows; a system that involves GPs logging onto a website or having to rekey information will fail".
HIE chief executive Brett Silvester has previously told The Australian that its Synch application was "the first of its kind software to comply with both the Medicare operations and NEHTA compliance processes for IHI deployment".
"The HIE Synch application we produced enables data matching with the Medicare HI service data store to retrieve and store patients' identifier data into the GP practice desktop system," Mr Silvester said last July.
"By synchronising practice records with the HI service, the application will help improve the correct identification of patients, data quality and accuracy when communicating and sharing information among healthcare providers.
"Having passed both (conformance and compliance) tests, it is now able to be connected to the HI service and is being installed in over 300 general practices in the 'wave one' PCEHR sites."
But the MSIA points to a peer-reviewed paper by Dr McCauley and Dr Patricia Williams of the School of Computer and Security Science at Edith Cowan University, Perth, which warns unauthorised "bolt-ons", or "parasitic software", risk introducing a variety of vulnerabilities and threats.
These include "a significant threat" of buffer overflows "where the parasitic software has not followed established standards of development, or has not been developed consistent with the style and construction of the applications and database" it interacts with.
Buffer overflows occur where a program writes data beyond the bounds of the buffer allocated for it, effectively violating memory protection, and are a well-known vulnerability subject to malicious attack.
Other risks include a lack of secure authentication with operating systems and databases, the manipulation of session IDs, a lack of change management control, and direct threats to the security present in operating systems and databases.
In their paper, Trusted Interoperability and the Patient Safety Issues of Parasitic Health Care Software, the authors say that while it is increasingly common for products to be built in a modular fashion, "to be securely interoperable with other software requires agreed, consistent and accountable interfaces".
"This may take the form of vendor-to-vendor arrangements, or via a trusted external third-party who coordinates agreed interactions, such as a jurisdiction," they say. "Standards are a particular form of mutually trusted third party.
"Unfortunately, this agreed method of interoperability is not always present in vendor software. Where one software product or module interacts with another, in the absence of any agreement, it is referred to as 'bolt-on'.
"It is more descriptive to refer to such software in terms of its potential for harm using the biological analogy of parasitic.
"Parasitic software can operate by data injection into or data extraction from the associated host database. Both forms exploit access mechanisms or security flaws in the host software independent of the host vendor and in ways not intended or supported by the host vendor.
"As Australia moves to a national connected e-health system, these issues are causes for grave concern."
McCauley and Williams note that many existing products were not designed with the new e-health systems in mind, and therefore lack sufficient controls in relation to unauthorised bolt-ons.
"In effect, unintended use of their associated databases is occurring without sufficient security measures in place. This leaves the integrity of the data at risk," they say.
"Further, when program updates occur in the host software, the parasitic software that has not, by definition, been developed in synchronisation, may be unaware of the changes to the host functionality and database resulting in malfunctions and vulnerabilities."
This does not occur where a bolt-on program is working in agreement with the host system, provided there is ongoing tested integration between the host application and bolt-on product.
The MSIA has repeatedly asked for details of a patient safety report conducted by NEHTA prior to the live deployment of the HI service, but has been refused.
"It remains unclear why NEHTA would not provide software vendors designing systems to access the HI service with a safety report so as to permit the safest implementations," its submission says.
"Further, it should be noted that the MSIA was repeatedly instructed by Peter Fleming, the chief executive of NEHTA, and other senior managers that we could not even 'speak' to NEHTA's clinical safety unit, and the CSU was instructed never to speak to any person from the MSIA.
"Clinical safety usually relates to the information and procedures controlled by clinical staff in a medical setting. However, there is another large area of patient safety that relates to the implementation and workflows relating to health software use.
"These also need to be fully reviewed. The inquiry should ask if they could be provided with the safety reports, audits etc, that relate to the 12 PCEHR sites."
The MSIA also raised two other HI service design flaws causing deployment problems.
During development of CCA test cases for healthcare provider and organisational identifiers, "it has been revealed that the current design does not allow discovery or validation" of these identifiers.
"At the time of writing, no-one is able to access provider or organisation identifiers via the HI service," it says. "The sector is still determining whether conformance test cases can be developed that satisfy patient safety concerns."
A further design flaw involves issuing a patient a new IHI under circumstances where corrections or changes are made to an existing IHI.
"However, once a new IHI is assigned, due to privacy constraints Medicare is unable to inform practitioners accessing the service of the changed demographics," the MSIA says.
"If software attempts to validate the old IHI, the new IHI is returned with a status of 'resolved'. Attempting to validate the new IHI fails because the demographics are out of date.
"Hence neither the new nor old IHI can continue to be used because they cannot be successfully verified and there is no mechanism for Medicare to inform practices.
"In a PCEHR environment, this would effectively cut off access to the patient's e-health record. It would also invalidate all documents containing either the new or old IHI and make it impossible to create documents where an IHI is mandatory."
The MSIA notes that it's unclear whether these issues are addressed by proposed legislative changes to the Healthcare Identifiers Act.
"It is at least certain that these issues will not be resolved before July 1, when the PCEHR is due to go live."
And it notes that a two-year amnesty period for accidental breaches of the HI legislation expires on the very day the PCEHR commences operation - putting providers at risk of incurring heavy financial penalties or even jail as they grapple with implementation.
In November, the MSIA called for a six-month delay on the launch date, citing these major unresolved issues with the HI service and the immature state of many PCEHR specifications; the Health department rejected the request as "unwarranted".
The MSIA has since suggested deferring non-essential components, allowing the political imperative to be met while giving participants some breathing space.
Meanwhile, the submission from the North Brisbane, Hunter Urban and Inner East Melbourne Medicare Locals suggests a national rollout is still far in the future.
As at the start of 2012, they say "strong progress has been made, with local health record repositories installed in each Medicare Local with demonstration local PCEHR field trials under way".
"Patient consent, enrolment and registration for e-health systems are in place, and large-scale patient recruitment campaigns are in the process of starting.
"GP practices are enabled for operations for local shared record summaries to commence with field teams providing training and deployment support, and communications programs for local groups under way."
The lead sites say there is "important value in early stage demonstration projects suitably funded to showcase the potential for e-health and pass on learnings and insights" for the national rollout.
They reject the need for delays while further consideration of privacy and other issues takes place.
"We support the importance of patient confidence in the systems deployed," they say.
"Patient privacy interests can be provided for, however there is potential for privacy issues obsession to overwhelm and slow progress if not kept in the context of limitations of privacy in current work practices and the many safety and quality issues with current paper-based systems.
"The move to an e-health based system will allow for the introduction of standards and standardised ways of exchanging patient information which will facilitate increased privacy and better privacy transparency.
"Technology currently in use in our projects has appropriate privacy capabilities with choice, to ensure patients' preferences and interests are provided for."
Representatives from NEHTA and the federal Health department will also appear at the inquiry on Monday.
Mr Fleming is likely to face questions about the current "pause" in work on interfacing GP desktop systems with the national PCEHR infrastructure, after The Australian revealed software vendors had been given the wrong specifications.
NEHTA acted "after internal checks detected issues in the latest release of specifications, in November", Mr Fleming said in a statement.
"None of the software has ever gone live, this is about quality control to ensure absolute confidence in the software being used in the e-health pilot sites," he said.
"One of the reasons for having these sites was to test software and 'iron out the bugs' prior to the national infrastructure go-live."
NSW Health says pilot sites are already sharing clinical documents across healthcare settings, enrolling consumers and building consumer-based e-health solutions.
"A critical milestone was achieved in December, with NSW Health achieving integration with the HI service," its submission says.
"Medicare-generated IHIs can now be used in our statewide Image Archive and with general practice as part of the Greater Western Sydney PCEHR lead site initiative."
The Senate inquiry into the PCEHR has received almost 50 submissions. The committee is due to report its findings by February 29.
---
Author(s): Karen Dearne
Source: Australian IT, 05.02.2012