Security decisions are proving a tough nut for the developers of the Health Information Management Technology Plan.
The final version of the plan, sparked by the Ministry of Health, is due to be handed to ministry chief executive Karen Poutasi by the end of next month. The project, which is also known as Wave (working to add value through e-information), aims to provide more consistency in the passage of information between the computer systems of various health providers.
Wave’s programme director, David Moore, says security of personal medical information is clearly important for the health consumer, particularly once there is a consistent network. In some respects, he says, the difficulty of passing data from one system to another has to date acted as a safeguard.
The standard of security, however, should probably be different for, say, the information that someone is HIV-positive as against the information that they have a cold. “If we encrypted everything to the same standard,” he says, “the system may collapse under the weight of security provisions. This has happened [to parallel health information exercises] in the UK and Australia.” Moore was speaking to Computerworld last week while taking a break from a meeting of a Wave working party which had been bogged down for more than an hour in security discussions.
“It’s very obvious that we [the health sector] don’t handle patient privacy well,” he says. “And that’s true of paper records as well as electronic records. We need to approach security and privacy end-to-end,” adopting standards to secure information after it has come out of the network and computers as well as within.
The consequences of sensitive health data leaking out are likely to be permanent for the subject, he says, unlike the theft of a credit card number, where consequences can be repaired.
The Wave project embraces the existing Health Intranet, an inter-provider network that went live 18 months ago under the Ministry’s NZ Health Information Systems (NZHIS) division. Wave may significantly change the Health Intranet.
In the process, the rival private set-up Healthlink — or lessons from it — may also be pulled into the Wave initiative, Moore says. Healthlink’s and Wave’s approaches, especially on security, show “some divergence”, though there is also much in common.
Moore discounts any suggestion that these moves may lead to dominance of the health sector by one vendor. Providers will still have the “flexibility” to use any chosen system while adhering to the “standards glue” that holds the nationwide processing of health information together, he says.
The planners are still unsatisfied with the degree of consumer involvement. “We are sending out a second consultation document focused on getting consumer input,” Moore says.