On Sat, 2003-08-09 at 11:32, Thomas Beale wrote:
> Christopher Feahr wrote:
>
> > I'm not familiar with the "Australia Card", but I agree that unique,
> > global identifiers are required for patients. Americans, however are
> > very resistant to the idea of being uniquely identified in almost any
> > context. There is a deeply ingrained belief that there is safety in
> > anonymity and some sort of inherent danger in absolute identity. I
> > think the basis for the global fear is that the theoretical computer
> > security will fail... or could fail.
But that is not an unreasonable fear. Security of computer systems is not perfect, although improving, and there are still large, unaddressed problems - the biggest being the threat from "insiders" - people with privileged access to the system. No-one likes to talk about this, because it means having to doubt the integrity of colleagues, or oneself. Experience in the national security and intelligence domains has shown that rigorous screening and checking do not prevent major security breaches by insiders. Thus, attention and effort needs to be paid to designing failsafe security - by a number of means: first of all, use of trusted systems with mandatory access control, so not even the sysadmin or dbadmin can see what s/he is not supposed to see. Possibly storage of data in encrypted form using a lattice of keys (still very theoretical, and hard to engineer securely). Almost certainly using distributed and partitioned storage (on physically and administratively distinct computer systems) of the consolidated database (the central EHR).

The fundamental problem is that security only improves asymptotically as you throw resources at the problem (and hence, the risk of a security breach also declines only asymptotically, and never reaches zero), whereas the hazard increases at least linearly, and arguably as a power function, as you consolidate the records of more and more people in one system. That is why I think (and this is my personal view) that EHRs should start small, at the local or regional level. EHRs at this level have the greatest impact - because the majority of the need for shared records occurs between local providers, and the socio-political issues are much more tractable, particularly when all the providers and a significant number of consumer representatives who will be participating can fit in a single meeting room to thrash out issues.
However, the prevailing view is that it is possible to jump straight from some very limited pilots to large scale consolidated EHRs containing records of millions of people in a single step.

> This ingrained belief in Australia I think is due to lack of trust more
> than anything. Australia was a nation of convicts and rough soldiers
> once, many of them Irish. What better combination could there be for a
> deeply held distrust of authority?!

Not to mention the continent of indigenous nations which existed before that.

> But - the psychology is probably different with the EHR. When we talk
> "Australia Card" (insert your country name here), what the population
> sees is a national id card but with no reasons attached - no stated
> concrete benefit or system. So they see it as the "thin edge of the
> wedge". But if the government comes along with a persuasive EHR solution
> and can show the 20 benefits to consumers, and yes, there will need to
> be a national identifier *for this purpose* then I think people will
> view it differently. (Note to oppressive governments: don't try to
> introduce identity cards on their own; make them ride on the back of
> something else;-)

Yes, I agree. There are two approaches to making this work: the first is national legislation, establishing such a single purpose identifier and making it illegal to use it for any other purpose. The main problem with that approach is defining the scope of the permitted purposes. Direct patient care? But not billing? But not research? But not health services performance monitoring? Clearly much debate is needed on these issues, but a reasonable and workable compromise can probably be reached. The second approach is to use a series of surrogate unique identifiers, each with a limited scope, but mapped to each other by a central agency which operates under tight rules (preferably legislated).
A full albeit somewhat discursive description of this approach, written from the point of view of disease registers and research databases, but equally applicable to EHRs, can be found at http://www.biomedcentral.com/1471-2288/3/1

This latter approach implies the ability to reliably map from common, non-unique partial identifiers such as name, date of birth, address etc to these surrogate unique identifiers. There is quite a lot of research going on around the world on this problem - see for example http://datamining.anu.edu.au/projects/linkage.html

--
Tim C

PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at http://members.optushome.com.au/tchur/pubkey.asc
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0
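The "surrogate identifiers with limited scope, mapped by a central agency" approach described in the message above, sketched as an added example that is not from the original post or from any named project. It assumes a hypothetical linkage agency that holds one secret key per scope and an explicit allow-list of permitted scope-to-scope links; a data holder in one scope cannot derive another scope's identifier without the agency.

```python
import hashlib
import hmac
import secrets


class LinkageAgency:
    """Hypothetical central agency issuing scope-bound surrogate ids.

    Each scope (care, billing, research, ...) gets its own secret key, so
    the surrogate seen by one scope is unlinkable to another scope's
    surrogate by anyone who does not hold the agency's keys. Cross-scope
    mapping is only performed for explicitly permitted purpose pairs.
    """

    def __init__(self, scopes, permitted_links):
        # one independent secret key per scope (constructed at start-up)
        self._keys = {s: secrets.token_bytes(32) for s in scopes}
        # allow-list of (from_scope, to_scope) pairs, e.g. as legislated
        self._permitted = set(permitted_links)
        # reverse index: scope -> surrogate -> master id (agency-only)
        self._index = {s: {} for s in scopes}

    def surrogate(self, master_id, scope):
        """Deterministic surrogate for master_id, valid only in `scope`."""
        digest = hmac.new(self._keys[scope], master_id.encode(),
                          hashlib.sha256).hexdigest()
        sid = f"{scope}-{digest[:16]}"
        self._index[scope][sid] = master_id
        return sid

    def link(self, sid, from_scope, to_scope):
        """Map a surrogate into another scope, if that purpose is permitted."""
        if (from_scope, to_scope) not in self._permitted:
            raise PermissionError(
                f"linking {from_scope} -> {to_scope} is not a permitted purpose")
        master_id = self._index[from_scope].get(sid)
        if master_id is None:
            raise KeyError("unknown surrogate identifier")
        return self.surrogate(master_id, to_scope)


if __name__ == "__main__":
    # constructed sample: care records may be linked to billing, not research
    agency = LinkageAgency(["care", "billing", "research"],
                           [("care", "billing")])
    care_id = agency.surrogate("person-0001", "care")      # constructed master id
    print(care_id, "->", agency.link(care_id, "care", "billing"))
```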

