NASH project “still going backwards”
A digital identity and authentication expert has described the need for individual clinicians holding National Authentication System for Health (NASH) security tokens to renew them by fax as “bizarre”, saying it showed the six-year long NASH project was going backwards.
Stephen Wilson, principal analyst at Constellation Research, said a manual renewal system that still used a fax machine “rather takes the 'e' out of eHealth”.
Last week, Pulse+IT reported on the frustrations of former NEHTA clinical lead Mukesh Haikerwal when he received a notice that he had to renew his NASH PKI certificate for individual healthcare providers after just one year, and that he had to either fax or post his renewal application form to Medicare.
Mr Wilson said renewing by fax was bizarre, but that the deeper problem was the need for manual renewal. “Healthcare practitioners shouldn't need to do any renewal, by fax or email or anything,” he said.
Mr Wilson said he had worked on a new form of certificate registration nearly a decade ago called relationship certificates, which are specific to different industry sectors and can be renewed with reference to definitive membership databases. In the case of healthcare, this would most obviously be the Australian Health Practitioner Regulation Agency (AHPRA).
“The first relationship certificates were (ironically) piloted with Medicare nearly 10 years ago; the technique is approved by the Gatekeeper PKI Unit in the Department of Finance,” he said.
“NASH certificates should be relationship certificates, defined by the AHPRA database. A NASH certificate could be automatically renewed so long as the holder is still current with AHPRA.
“This is what AHPRA is for, so it's nuts that certificate holders have to do anything at all.”
NEHTA originally contracted IBM to build the NASH system in March 2011. IBM undertook to have the system up and running by June 26, 2012, just in time for the PCEHR going live on July 1, but the $23.6 million contract was terminated by NEHTA when IBM failed to fulfil the contract. Medicare was subsequently contracted to deploy an interim solution in August that year.
However, Dr Haikerwal said individual NASH tokens did not begin to be issued until December 2012. Some clinicians prefer to use the Orion Health-designed provider portal - for which an individual token is required - rather than their clinical software.
Mr Wilson said the project had taken so long it seemed the wheel was constantly being re-invented.
“NEHTA do not seem aware of PKI best practice,” he said. “They are not making best use of this technology at all. The NASH project is over six years old, and yet they are still going backwards. It's tragic.”
Location and individual certificates
A Department of Human Services spokesperson told Pulse+IT that 7190 NASH PKI certificates have been issued to healthcare provider organisations, as well as a surprisingly high number of individual certificates. The DHS spokesperson said 5154 individual NASH PKI certificates had been issued as of December 31, 2013.
Individual certificates are predominantly aimed at doctors who work in hospitals that are not yet registered, and at allied health practitioners such as physiotherapists who do not yet have conformant software. One GP familiar with the process said some doctors preferred the portal view of the PCEHR and used the individual certificate to view patients' records rather than their practice software.
However, most organisations should only have to apply for an organisational certificate. For example, David Roffe, CIO of St Vincent's Hospital in Sydney, said he only used the organisational certificate as managing multiple individual certificates would be too difficult. St Vincent's clinicians use the hospital's clinical information system to access the PCEHR.
General practice and specialist software vendors generally only allow organisational certificates to be used. Stat Health CEO Carla Doolan said her company only used these certificates, as did Best Practice chief commercial officer Craig Hodges.
“Best Practice does not make use of the individual NASH certificate dongles or smart cards,” Mr Hodges said. “Our users may use these to log into the provider portal outside of Bp, however it doesn't affect Bp functionality at all.”
However, Dr Haikerwal is one of a number of GPs who use both. All seven of the GPs working in his practice have an individual certificate, although no GP other than himself is accessing the PCEHR under legal advice.
“When I do home visits I take my PC and access the PCEHR with my token, not the site certificate,” Dr Haikerwal said. The main reason is that the view through the provider portal is far superior to that provided through the B2B interface in his clinical information system (CIS), he said.
“If you use the Business to Business interface (B2B) on the CIS, you get a list of MBS and PBS items for patients. Each one you then need to click on to open and see what is behind it. Each click takes around 30s to open the document plus the initial 30s to access the PCEHR using the site certificate.”
He said the most items he had seen in two years of using the PCEHR was a Department of Veterans Affairs patient who had around 760 documents in the MBS/PBS section of his PCEHR. If he wanted to see what is inside each document, he would have to click on them all.
Another former NEHTA clinical lead, Melbourne GP Nathan Pinskier, echoed Dr Haikerwal's criticisms of the difficulty using the system. Dr Pinskier said the provider portal, while not perfect, was much easier to use than any of the B2B interfaces.
“What people wanted was data, not packages,” Dr Pinskier said. “They didn't want to see all of these documents bundled together – they wanted to see the data exposed. What the provider portal does is provide the high level overview of the health summary. It is there, it is unpacked, and it provides other clinical information in context.”
Neither Dr Haikerwal nor Dr Pinskier blame the clinical software vendors for the problems with the B2B interface, saying the vendors were given specifications which they followed. What it has led to, however, are numerous instances in which older documents, such as PBS or MBS items, are listed at the top while newer, more clinically relevant documents, are presented below.
“You could open up the B2B document view for a patient and be presented with 300 plus documents which postdate the last shared health summary,” Dr Pinskier said. “If they are PBS or MBS documents you won't immediately know what they contain – you have to click on each one in order to access the contents and will inevitably not bother if there are 300 or 500 or thousand such documents.
"The clinical workflow requirement was that clinically generated documents such as discharge summaries and event summaries that postdate the last shared health summary should be clearly displayed in the B2B document list. This was not conveyed to the vendor community.”
Dr Pinskier also said the problems with the NASH system were apparent some years ago, and that an automatic verification system should have been established.
“Medicare already has a huge community of providers who were already identified and verified,” he said. “Why couldn't they use that for the NASH cert? Basically you should have been able to log on to HPOS, identify who I am and say I want a NASH certificate.
“That would have happened had the NASH portal ever got up. That was part of the original planning but it never came to fruition.”
Pulse+IT understands that Medicare is working on allowing NASH certificates to be issued and renewed through HPOS, but DHS would not confirm this.
“The National eHealth Transition Authority (NEHTA) is responsible for the design of the NASH,” the DHS spokesperson said.
“The Department of Human Services works in collaboration with the Department of Health and NEHTA regarding the development of further NASH functionality for eHealth.
“Any questions regarding future capability should be directed to NEHTA.”
A NEHTA spokesperson said the organisation was "currently working with the Department of Human Services (DHS) and sector stakeholders to improve the Issuance, Renewal and Revocation processes associated with NASH Organisational and Individual Certificates and make them as simple and as seamless as possible".
Posted in Australian eHealth