ADHA adopts cooperative model to try to fix secure messaging

The Australian Digital Health Agency (ADHA) has managed to wrangle the medical software industry, the jurisdictions and healthcare providers on board a new program to work towards a functioning, interoperable secure messaging system, adopting a cooperative model that it says will ensure the agency is held to account for its work.

As reported by Pulse+IT yesterday, the ADHA has set up a program board headed by the chair of the RACGP's expert committee on eHealth, Nathan Pinskier, and eHealth Queensland CEO Mal Thatcher, along with WA community representative Fiona Panagoulias, that will tackle the lack of interoperability in secure messaging as a priority.

Posted in Australian eHealth

Tags: RACGP, MyHR, ADHA, secure messaging


0 # John Lambert 2016-10-27 12:50
Please don't forget the people at the other end of the transmission - fixing GPs is only a small part of the problem - until specialists and other health care providers like allied health and alternative practitioners are connected, we won't eliminate fax machines!
0 # Brett McPherson 2016-11-23 09:20
Interoperabilit y will provide solutions for all users: Telcos do it, Banks do it, surely several Secure Mesaging Providers should be able to do it: or maybe it's more about the $$ and who gets paid !
0 # Nikki Thrift 2016-10-27 13:04
Great articles Kate and good to see the ADHA tackle the problem of interoperabilit y however it is important to recognise that interoperabilit y in itself (and lack there of) not the only issue and is not the magic bullet.
Adoption of secure messaging - there are still many parts of our health system that can not , or do not use secure messaging to exchange communication. It is often related to system capability but sometimes it is just business process.
Efficacy of secure messaging - even when secure messaging is in use, often a health service may 'double' up and also send a hard copy/fax. This problem can also be coupled with a 'choked up' holding file in the EMR that makes it difficult to locate and review records hence copies are requested to be sent by fax. Maintenance of secure messaging is also part of this problem - taking focused business resources to keep clinical applications up to date with messaging addresses.
I'm not sure sufficient effort has been made on sizing up these 2 areas and its not that hard. Dr Haikerwal reports a scanning pile of 12kg - quite simply ...what is in that pile?
If each practice were to audit their scanning they can quickly identify the source. Sometimes it will just be a case of connecting the dots between the practice, the provider and their secure messaging provider. In other cases it will identify service providers that could clearly benefit from secure message exchange.
I don't intend these comment to detract form the good work that ADHA is now poised to undertake however I do assert that each practice can practical steps right now to minimize the inbound glut of scanning. I would suggest that a similar audit could be applied to outbound faxes; what, to who, how often and nip these in the bud as well.
I actually think we need some common sense strategies alongside the technical implementation to collectively define and solve the problem.
Nikki Thrift
0 # Thinus van Rensburg 2016-10-27 18:22
I had a very long chat with a representative from the ADHA about this very issue last night. I think a major stumbling block is convincing the State and Territory Health Departments to play ball. There are numerous examples of e-security/priv acy being ignored and an increasing push to simply send & receive e-mails with confidential data all over the place. They simply don't want to know about the correct processes and could not care less about the huge penalties private practitioners could face if found to be in breach of the privacy legislation.
0 # John Lambert 2016-10-27 20:13
I'm sorry Thinus but I can assure you that the largest State by population, NSW, certainly IS concerned about correct processes and cares deeply about privacy and confidentiality of the highly personal health information of our citizens. We also are VERY keen to "play ball" with the ADHA (and are already doing so). Not sure who you spoke to but they don't reflect the view of NSW Health and would be great to advise them of their error - happy to chat to them directly.

The following paragraph is my own view:
Having said that, a system that included capability to communicate using S/MIME or equivalent SECURE email standards would be welcomed by many, as it would probably actually be used by the many practitioners who don't use eMRs or practice management systems. The secure messaging providers who make money on a per transaction basis may disagree of course :-)
0 # Thinus van Rensburg 2016-10-27 22:00
Hi John

Not being in NSW I have not spoken to NSW Health (not sure why you thought I had). I can certainly attest to many years of struggling with ACT Health about this matter and having multiple anectdotal similar reports from GPs both in Victoria and South Australia. I am currently trying to address the matter in the ACT at Ministerial level as the Clinicians and Administrators simply cannot understand why I refuse to send or receive patient clnical data as unencrypted attachments or, even worse, in the header or body of a plain e-mail. And then include it to a list of (unmasked) e-mail recipients that includes addresses at domains such as Hotmail & Yahoo.

This is a battle I have been fighting with them for most of the last decade and I am getting nowhere - in fact it is getting worse.

0 # John Lambert 2016-10-27 22:35
Hi Thinus,

I didn't think you had spoken to us, but you made a sweeping statement " I think a major stumbling block is convincing the State and Territory Health Departments to..." You said you had had a long chat with a representative of ADHA who I was referring to in the "Not sure who you spoke to..." sentence of my reply...

Be careful when using anecdotes as evidence - my experience is anecdotes are often the exception rather than the rule, and are often misinformed unless fact checked. I would hope that most administrators in NSW would understand why you refuse to send unencrypted or otherwise insecure emails with patient information in them. Having said that, I suspect understanding of this is not universal amongst ALL administrators and clinicians.

Dissapointing that you think things are getting worse/going nowhere. I know that eHealth NSW is very aware of these issues and working hard with ADHA and others to find useful and workable solutions!
0 # Thinus van Rensburg 2016-10-28 07:41
Hi John

Your reply is indicative of the issues that we as the end users of the overal system face. You came out with a profession of how much effort NSW is putting into this issue. Kudos.

This is followed up with criticisms about my statements, doubting of my sources and a not so subtle "well you could not have spoke n to anyone of substance" sub thread.

This is unfortunately endemic when dealing with the Public Servants trying to roll these programs out (yes, another sweeping statement) as they deal with the other parties as if they don't know what they are talking about and from a position of power.

The reality is firstly that many of us are very clued up in our knowledge about the issues confronting us and to imply, as you did in your reply, that we are relying on factually incorrect anecdotes, is not helpful. The second reality is to understand that all those GP, Specialists and Allied Health workers are Private Businesses and need to be consulted with - not talk down and give orders as that approach will not work. If the expectation is that we spend our time and our time and our money on this the attitudes need to change.

As a footnote: my ADHA discussion was a formal face to face interview as part of their current stakeholder interview process. Not just a chat in the street

0 # Lynden Crawford 2016-10-28 10:08
Hi John,
Medical-Objects has had smime email capability for > 10 years using certificates, PGP or GNUPG and we have only ever had one person use it but they rapidly got sick of manually importing reports into their software and requested a proper client that does it automatically. There appear to be a lot of opinions on secure messaging, but many of them are naive opinions, lacking real world experience. I am happy to set you up to receive SMIME email, but given the frequency of spam and ransomware etc I would not advise using email in a practice setting, unless the user is very experienced. Even then you can get fooled.

Andrew McIntyre
0 # John Lambert 2016-10-28 10:18
Ironically - look at this message - is it from Lynden Crawford or Andrew McIntyre :-)

Either way, you raise a great point - secure messaging covers a wide gamut of communication, ranging from documents or information best stored in an eMR or PMS, but there is also a need for other communications relating to patient care that may not be appropriate to keep in an EMR or PMS - research related perhaps, documents pertaining to groups of patients etc. Any solution really needs to serve both purposes - S/MIME or related might be needed as well as solutions integrated with EMRs or PMSs - but we still have LOT of practitioners on paper - not much point integrating with something that doesn't exist :-)
0 # John Lambert 2016-10-28 08:48
Hi Thinus,

This isn't a competition and if it were, you and I are on the same side.

I am first and foremost a clinician at heart, and yes, I have been a public servant all my working clinical life. I'd like the chance to explore your concerns more.

I'm sure you can work out how to contact me if you are serious about addressing the concerns you have.

I am on twitter and facebook and LinkedIn - my work email address isn't hard to guess either...
0 # Thinus van Rensburg 2016-10-28 16:24
Hi John
Thanks for the offer - I am however already spending an extraordinary amount of time on dealing with this issue within the ACT (both as a private GP and with a few other hats on) and cannot spend much more time on this with someone in whose State I don't even reside. I need to clean things up in my own backyard first.
I did take the liberty of contacting a few interstate colleagues and mentioned our discussion to them (without off course revealing your details:
These are responses from senior clinicians in three different States:
"in Victoria I can write electronically to a select few private specialists and to my neighbouring GP Clinics. That is it. I cannot write securely to any of my referral hospitals. I continually receive identifiable information via unsecure email from my local hospital. I rely on the fax for almost all my communication. Things are not fine in Victoria!"
"Echo the above scenario in SA! Things are fine only if they adopt the ostrich attitude of burying their head in the sand!"
"In Qld I can send secure referrals to Cairns Hospital and a few specialists privately, but not to Townsville Hospital"

For what it is worth
0 # Lynden Crawford 2016-11-23 11:26
I would like to make you aware of the current impediments and issues Medical-Objects are facing in supporting and utilising SMD as an interoperable solution in our industry.
Here are some of the current impediments we face with interoperating with other vendor networks:
1. Limited site uptake of Nash Certificates & Healthcare Identifiers (HPI-O & HPI-I)
2. Lack of registration of identifiers in the Healthcare Provider Directory (HPD)
3. Existing uptake is limited to General Practices that were part of ePIP only, which excludes Aged Care, Allied Health, Specialists, Radiology, Pathology, and many hospitals.
4. Lack of implementation of Network HPI-O identifiers within large organisations, which is needed to be able to address departments within an organization
5. Lack of location specific provider identifiers. (e.g. when the same provider works in multiple departments within an organization as well as outside in private practice).
6. Health care identifiers for addressing of messages
7. Slow and difficult Nash Certificate issuance
8. Slow and difficult Nash Certificate renewal – need for automatic software certificate renewal
9. Unavailability of healthcare identifiers in directories
10. Poor integration with National Provider directories from practice software systems (sender and receiver)
11. Red-tape around ability for network operators to look up identifiers and resolve their meanings
12. Non-adherence to HL7 Australian standards by receiver practice software systems
13. Non-adherence to HL7 Australian standards by sender practice software systems
14. Raising the bar for lowest common support for receiving systems to include presentation (on screen and print support) of most common formats including XHTML (strict), PDF, RTF as per AS4700.2-2012 and HB262.
15. Need for cost effective compliance testing for receiving practice software
16. Need for cost effective compliance testing for sending practice software
17. Clarity on requirements for individual signing of referrals with digital signatures.
18. Better support of individual signing tokens, which are properly labelled for systems with multiple certificates tokens attached.

We have invested vast amounts of human resources and money in this technology toward achieving the outcomes of interoperable secure healthcare messaging, yet, due to the limitations listed above, no benefit has been realised for end-users or vendors alike.

I hope this clarifies our position.
0 # Thinus van Rensburg 2016-11-23 13:37
An interesting thread.

Yesterday I finally received a reply from ACT Health regarding my concerns about secure messaging - a month after I contacted them.

The response was:
1. They send their e-mails using TLS on their server so their e-mail is secure.
2. They are "working" on making sure they are masking recipient e-mails.

I had to reply and point out:
a. They are doing nothing to ensure that the receiving servers are TLS enabled
b. They are probably using Outlook based software which defaults to optional TLS rather than mandatory TLS. This makes their system inherently insecure
c. Some of their recipient e-mails are Gmail, Hotmail & Yahoo addresses so even if it is fully TLS enabled they are still breaking the law by sending patient details to servers based overseas
If we cannot get the highest office within ACT Health to understand that they are not complying with secure standards and legislation what hope do we have of getting individuals, small businesses and others to comply

You need to log in to post comments. If you don't have a Pulse+IT website account, click here to subscribe.

Sign up for Pulse+IT eNewsletters

Sign up for Pulse+IT website access

For more information, click here.

Copyright © 2021 Pulse+IT Communications Pty Ltd
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.
Supported by Social Media Agency | pepperit