At a recent event I was presented with a question from the floor that caused me to think harder than I have before about how we treat people in health who need access to technology to support what they do. The story went something like this:
‘I’m a surgeon in training, a cancer surgeon, a surgeon who will on occasion need to look at the word breast on my internet connection in the hospital, and yet, when I do this I am reported to IT and I have to seek permission, regularly, to be able to search for this word. What can you do to change this?’
So, how do we react to that! The work we are doing in eHealth Ireland has a wonderful focus on turning clinicians into fans of technology and yet in this scenario we treat a clinician, a person in a profession that requires a huge amount of intelligence and common sense, like a child. The history of access to digital health data has taught us to be very careful with it; there are ‘bad people’ out there who want to do bad things with information. However, there are better ways to protect information than simply removing access to it. The concept of prevention or cure and which is better I guess applies as equally to information as it does to the health and wellbeing of patients.
As an organisation, we have in the last twelve months invested in the plumbing to enable digital solutions to be made available to clinicians when they come on line. Through fear though we have then blocked off this plumbing and are stopping clinical staff from making use of what has been done so far, and we need to change this. There is a common analogy used in the delivery of information governance.
‘Why do racing cars have brakes….
….. to allow them to go faster!’
The healthcare system in Ireland is starting to invest the time and effort required to give it ‘brakes’ so that it can go faster. However in the interim we need to collectively think through what our starting point is for information governance and identity management.
A key, specific benefit of the eHealth Ireland programme of work is to facilitate the delivery of integrated care throughout the healthcare system; this therefore will require new thinking to evolve on the art of security, identity management and access controls.
What if we looked at the model that has been adopted in a number of European countries whereby access control is monitored by the subject of the record? The public of Lithuania for example have been given the tools to look at their electronic health records and see who has accessed them. They can then personally make a judgement as to whether the clinician had a legitimate reason to access the information. If not then there is a process that swings into action with consequences that are clearly understood by clinician and patients alike.
In Wales a similar tactic has been used, but in the Welsh example the custodian of the access control has a specific resource in each care environment and peer to peer measurement. The shared record clearly identifies the last three accesses to a record therefore allowing a peer to peer belief in the access controls of clinical records.
There are other options. The NHS in the UK has implemented SMART card access to clinical records but still has to have a consent process for patients that many describe as complex. Regardless of the SMART card access the NHS is also required to open up the records and the detail of access to them to the public. In Ireland, we need the consent process for the sharing of clinical records to be as simple and centralised as possible as the delivery of care is dispersed so widely across organisational type and geography. This does make the model that countries like Lithuania have adopted attractive.
Lessons learnt from many countries on the sharing of clinical records alerts us to the fact that we have to get this right from day one. We have to understand what the people of Ireland want and attempt to put a solution in place that allows information to be shared efficiently and safely whilst taking on board the needs of the public. Technology and the information related to it has become a commodity for patients and clinicians alike, however too many healthcare systems have compared the delivery of care to that of booking a flight or internet banking for us to allow that analogy to take hold. We start on this journey knowing we need to consult carefully with the public on what they feel is the best way for this to work and not simply treat health information in the same way as we treat banking information.
Opening up systems as well as data is important. In healthcare we are trying to move to a model where we keep people out of the healthcare system, health and wellbeing being delivered to patients to avoid illness. This is where I would like to get to with the delivery of information governance – that we consider what process we can put in place that allows clinicians to stay safe whilst accessing information they need to provide care to patients, rather than removing access on the chance that they do something wrong.
Delivering identity management is difficult to get right. It is why we will have the Individual Health Identifier and that it is such an important foundation of eHealth in Ireland. We need to be able to manage the identity of patients throughout the system for safety, for governance and for efficiency, on top of delivering a solution that enables integrated clinical care.
The dial tone is an individual identifier. It seemed like such an odd thing for a Microsoft ‘brain’ to say at a recent meeting, but then when you think about it there is so much sense in it. The dial tone you used to hear when you picked up the phone was a noise that identified you, what you were allowed to ring and who you were. This seems like the perfect example of how we have to get identity management right. Like the dial tone, identity management should be there because you are using a digital solution! As we move into the creation of identity services for health this, as a principle goal will be part of what we are trying to do – make it be there as part of the existence of users in the eHealth eco system.
The right to have technology support the care delivery is there. The consumeristation of technology and human right to basic principles like WiFi is starting to be part of the consciousness of patients and public. Knowing this adds even more impetus to us needing to provide solutions to governance and security issues, for example if a patient is in hospital they should have access to WiFi. By simply having access the care they can receive will be improved as they will feel more ‘at home’ in the setting they are in. We have to put in place an understanding of what can be done with that WiFi without tying ourselves up in knots trying to keep it secure.
As we get closer to the release of the Knowledge and Information strategy we have put the themes within this blog at the foundation of what we intend to deliver.