Demographics service

The main issue here is verification of authenticity of digital
data entry. There must be some mechanism to ensure that every
entry placed in the EHR must be authenticated by the signatory,
even if the entry is made by a secretary, DEO or transcriptionist.

A first-step solution might be this:

- writes are tracked (author, timestamp)
- regular clear-text database dumps are taken (say, twice daily)
  this includes the tracked writes (eg audit logs)
- dumps are signed to be authentic by a, say, CMO
- dump hashes are timestamp-signed by non-affiliated third
  parties (say, digital notary servers provided by medical
  faculties, etc.)

This is kept for later presentation to a court. It shows
proper care and due course (we aim at doing this - and
partially already do - in GnuMed).

In a second step writes might not just be tracked but also
required to be digitally signed off which would add
non-repudiation to the data in the authenticated dump.

Audit trails of visits are only to ensure read access by
authorised agencies.

Even that does not really add any value. IF access occurred it
must have occurred with proper credentials (barring bugs in
the software). The question is whether those credentials were
abused by someone who wasn't supposed to know them or by
someone in the know but who wasn't supposed to access that
part of the data. One study showed a decrease in the latter
when "tracking reads" was announced to the regular users.

Karsten

Hi David,

At the first level your statement re admissibility/inadmissibility of paper versus
paperless records is correct, but correct with caveats. The Rules of Evidence can
vary with the Jurisdictions and the perceived need to enter the 'available record'
may permit 'other' records to be admitted (classbook exceptions).

This asides, courts may well apply a higher standard upon Healthcare Practitioners,
Facilities, Payers and Patients that translates into 'You should have created and
maintained this record and therefore you must comply with fewer permitted exceptions'.

Another tack would be the reasoning that: 'You produce lots of legally admissible
records and therefore must meet an additional burden to get the Court to admit this
one'. An inadmissible 'record' regardless of form and content can complicate matters.

As for multiple copies, modifications, errors, omissions and unauthenticated records,
these can result in 'hair-pulling' events. For example, the attorney that drew up a
trust formation (standard form) document for my parents omitted a single sentence.
This came from a standard form straight off an Internet site. How the sentence went missing
is a mystery.

The fun part came when the interpretations of multiple attorneys were compared. To
avoid having the whole document thrown out by the Court, and the controlling Trust
document, an out-of-Court settlement was achieved.

Recognize that no one, even the initial Attorney, detected the missing sentence until
the end-of-life for the Trust approached.

Applying this to Healthcare as an analogy results in the conclusion that 'Doing it right
the first time in a legally sufficient manner may avoid bad stuff later'!!

Other:
- If something crucial shows up on your monitor screen, do a Screen dump to a file
and create a time/date stamped archive. It is a record and a mechanism exists to
produce a permanent copy easily reproduced on paper.

- admissible records that indicate a complete, continuous, correct, accurate, precise
process are preferable over those that are incomplete, disconnected, incorrect,
inaccurate and/or imprecise. They make easy targets.

Regards!

-Thomas Clark

Bigpond wrote:

Hi Karsten,

Comments in text.

Regards!

-Thomas Clark

Karsten Hilbert wrote:

"That is not feasible"

And that's the problem that will keep the technical people in money for
years to come.

I am not a technical person per se. I am a clinician.

Not only must it be feasible, it will be demanded by judges
and courts

Surely, courts and judges have been known to demand and
accept proofs that aren't proofs before. They'll learn, too,
what things need to be taken to mean.

Legal systems tend to be autonomous in the sense that the remainder of society must
conform to the laws and Judicial interpretations thereof. They tend to rely upon prior
interpretations and modifications to the law and demand that suggestions for change be
substantiated beyond 'some' unpublished standards, e.g., genetics is provable since it
is consistently reproducible beyond statistical norms while 'Lie Detectors' are still
struggling.

Courts are not likely to be interested in learning about EHRs other than how to use
them in related cases as evidence that supports or defeats positions. EHRs supply
content, which can be taken out-of-context and which suffers from the common
maladies, inconsistent, incomplete, etc. In this way they are very similar to paper
records, i.e., taken together, what do they convey to the Court?

Whatever legal problems the Healthcare Industry now has with paper records may
remain with EHRs, and some new ones may be created due to the new technology,
e.g., a paper record can be locked up in your Safe Record Repository, an EHR can
be archived on the Internet and available to Hackers.

if the EHR is to ever be truly adopted.

Too pessimistic, IMO.

The EHR will be adopted and hopefully Legislatures will make new, appropriate law.

Even now we have rules
that all e-mails where a decision is made must be printed out!

Which is akin to photographing every screen you view.

If the content is crucial then make a record of it.

The paperless world has never been to court.

In a court one does not always have to provide a waterproof trail of
evidence. There is "substantial evidence" (is that what it's
called ?). And there is "demonstration of due course" which
adds a lot of weight to what otherwise are simple assertions.

Admissible "Substantial evidence" permits inference and deduction while admissible
evidence of a "course of conduct" for an individual, an association or an industry can be
used for a variety of purposes to 'tip the scales', EHRs may well be viewed as being
more 'form' than 'function', i.e., the content is similar to that derived from paper records.

It is feasible of course but complex. Flags are set when pages are viewed,

Those flags do not document what you want them to document.
Such a flag only documents that it was set. Everything else is
"due course". Eg. if the flag is set "it is reasonable to
assume" that it was set by the software the doctor claims to
have used. Also "it is reasonable to assume" that the doctor
thus "saw" what that program would display in conjunction with
that flag being set. No hard proof there.

Flags are a problem and can be subject to multiple interpretations.

Hi Gerard,

Wish you were right.

Comment: Changes in the legal system can be used to prove the continuing existence
of Evolution.

Regards!

-Thomas Clark

Gerard Freriks wrote:

TNO, the institute I work for, is of the opinion that the archiving solution is the preferred one.

By the way.
The topic started discussing demographic services.

In general interoperability translates into the need for many shared points of reference.
So for identities of persons as well.
Since persons are recorded in systems using a set of more or less unique features and since these unique features vary in time, one person will have many digital identities.
This calls for a mechanism that unites all these variations on one theme.
E.g. the demographic server.

Gerard

-- <work> --
Gerard Freriks
TNO Kwaliteit van Leven
Wassenaarseweg 56
Leiden

Postbus 2215
2301CE Leiden
The Netherlands

+31 71 5181388
+31 654 792800

Hi Bob,

An 'international awareness' must be developed in advance and evolved continuously.
The EHR community is part of the bedrock of future Healthcare policies, procedures
and practices. It must be based on facts and incorporate all available information.

The Legal community requires facts in the form of admissible evidence and information in
the form of testimony, inferences, deductions and interpretation. It renders judgments in
accordance with established law and in some cases remedies for parties before the Court.

In the presence of this certainty it makes 'big' mistakes and sometimes loses its way. As an
example, Forensic Science has upset many judgments and caused the restructuring of
many policies, procedures and practices. A complaint often heard is that Forensic
Science, and genetics in particular, has in a short time caused more change than years of
reasoned thought within the Community.

With jurisdictions releasing prisoners from Death Row for crimes they did not commit to
ineffective FDA-approved drugs, with fatal side effects, for specific conditions being
withdrawn, change is 'in the air'. A recent humorous complaint from the bench comments
on juries demanding to have Forensic data and analysis prior to deliberations.

It might be that 'fact-based outcome-oriented' Healthcare is becoming popular.

"...
tickle the need for some common upper ontology for the domains of governance
which includes the process by which the legal environments are created and
maintained in various countries
...
the question of governance in standards bodies
...
..."

This is not an easy task due to the supremacy of the Administrative, Legislative and Judicial
branches of governments plus the diversity and number of governments. The following is a simple
example of how technology, science and legal processes can work in one jurisdiction.

BRAIN FINGERPRINTING

IN THE SUPREME COURT OF IOWA
No. 122 / 01-0653
Filed February 26, 2003

TERRY J. HARRINGTON, Appellant

vs.
STATE OF IOWA, Appellee

http://www.judicial.state.ia.us/supreme/opinions/20030226/01-0653.asp

"...
Upon our review of the record and the arguments of the parties, we conclude (1) Harrington’s appeal is timely; (2) this action is not time barred; (3) Harrington is entitled to relief on the basis of a due process violation; and (4) Harrington’s motion for conditional remand is moot. Accordingly, we reverse the district court judgment, and remand for entry of an order vacating Harrington’s conviction and sentence, and granting him a new trial. We deny Harrington’s motion for remand on the basis of mootness
..."

Brain Fingerprinting Laboratories
http://www.brainwavescience.com/Ruled%20Admissable.php

"...
In order to be admissible under the prevailing Daubert standard, the science utilized in a technology is evaluated based on the following four criteria: (The Iowa courts are not bound by the Daubert criteria used in the federal courts, but they do use them when determining the admissibility of novel scientific evidence.)

   1. Has the science been tested?
   2. Has the science been peer reviewed and published?
   3. Is the science accurate?
   4. Is the science well accepted in the scientific community?

The judge ruled that Brain Fingerprinting testing met all four of the legal requirements for being admitted as valid scientific evidence. The ruling stated: "The test is based on a 'P300 effect.'… "The P300 effect has been studied by psycho-physiologists…The P300 effect has been recognized for nearly twenty years. The P300 effect has been subject to testing and peer review in the scientific community. The consensus in the community of psycho-physiologists is that the P300 effect is valid
..."

This example identifies one approach to modifying existing legal processes. There are close to
200 countries in the UN and each maintains significant diversity.

An approach taken within the US is based upon a set of 'Model Codes' (see the Legal Information Institute at: http://www.law.cornell.edu/statutes.html ).

A recommended approach to addressing Healthcare under the Law, Legal requirements,
handling and interpretations of EHRs, and related Legal processes is to:
1) Expand the Model Codes to cover EHRs
2) Include appropriate provisions with the EHR standards to build in compatibility with
the Model Codes
3) Include processes to handle change.
Separate Legislatures and Judicial systems reference the Model Codes now, i.e., when in
doubt look at what others have built. Since Judicial systems interpret the laws that the
Legislatures have enacted, the opportunity to impact the system to achieve goals for the
common good in the shortest time lies with the Model Codes.

At least this approach can be considered foundational.

Regards!

-Thomas Clark

Bob Smith wrote:

> The main issue here is verification of authenticity of digital
> data entry. There must be some mechanism to ensure that every
> entry placed in the EHR must be authenticated by the signatory,
> even if the entry is made by a secretary, DEO or transcriptionist.

A first-step solution might be this:

- writes are tracked (author, timestamp)
- regular clear-text database dumps are taken (say, twice daily)
  this includes the tracked writes (eg audit logs)
- dumps are signed to be authentic by a, say, CMO
- dump hashes are timestamp-signed by non-affiliated third
  parties (say, digital notary servers provided by medical
  faculties, etc.)

This is a logical process to start with. The issue here is
acceptance and institution of the 'notary servers' ... these
need to find a place within the system universally.

[some snipped]

> Audit trails of visits are only to ensure read access by
> authorised agencies.

Even that does not really add any value. IF access occurred it
must have occurred with proper credentials (barring bugs in the
software).

Yup, as far as the technical side is concerned, this should be
the end point that we need to go for presently ...

The question is whether those credentials were abused by
someone who wasn't supposed to know them or by someone in the
know but who wasn't supposed to access that part of the data.
One study showed a decrease in the latter when "tracking reads"
was announced to the regular users.

These are human shortfalls. The fact is, if a sysadmin is happy
to broadcast access passwords to all-and-sundry, ultimately,
he/ she is to be held responsible. It is possible to
incorporate much more stringent access methods by thumb imprint
or pupil signature verification (and methods yet to come).
However, such methods may not be easily deployable or cost
effective.

Just my 2p

Bish

International Law, now there's a fascinating issue. We can't even get
Australian law to work across 7 states and territories. We have a good
chance with HealthConnect and a strong central drive (but....). Goodness
knows how the USA will achieve it. We are all watching the UK NHS experience
with interest. I remember when we were looking at telehealth services across
state boundaries and the legal minefield of registration and accreditation
let alone litigation.
What interesting times we can observe!

As always it will not be the technical issues that stop (slow) us - mind you
archetypes are a challenge (sorry Sam) and so is the HL7 RIM!

In any event it will be the human factors that get us in the end - consumer
rights, privacy, professional roles, security, data aggregation and simple
fear and stubbornness.

At the end of the day what created the medical record and why? Have we lost
sight of its use as a simple and effective knowledge management tool for
individual clinicians to work in the way that they wanted to - flexible to
cope with all their individuality and frailties. This will be the stumbling
block as we try, oh so hard to make it a holy grail of health care - it
never was and I doubt it ever will be.

Hey but isn't it fun!

David from Downunder.

This is a logical process to start with. The issue here is
acceptance and institution of the 'notary servers' ... these
need to find a place within the system universally.

It could just as well be served by another entity of trust,
say, a bank safe or a real human notary.

Karsten

Since persons are recorded in systems using a set of more or less
unique features and since these unique features vary in time, one
person will have many digital identities.
This calls for a mechanism that unites all these variations on one
theme.

IOW you want FEBRL.

Karsten

Hi Gerard,

My understanding is that demographic services collect, organize and process the
characteristics of a 'population'. Presuming this, then I am a member of a large number
of 'populations' regardless of intent. Narrowed to Healthcare the number of
'populations' shrinks but not to one.

Given the fact that modern 'populations' are not 'stationary' it appears that there are
many of us that can claim or hold membership in multiple Healthcare 'populations'
which themselves are subject to new additions, e.g., those genetically sensitive to
drugs of a particular family.

Identifying the individual may have to be a separate operation. Identifying whether the individual
is a member of a 'population', or 'populations', is a subsequent task.

A 'demographic server' is likely to be specific and limited in scope to address
'super populations', e.g., persons residing within the boundaries of a specific geographical
region, e.g., Africa. A 'network' of such servers could provide additional coverage.

Since one can apply a variety of rules to the specification of an individual 'population',
the 'rules' become significant especially where the 'rules' are chosen to affect results,
all Diabetes Patients in the London area. Due to a number of reasons one may not be able
to claim that London-area Diabetes Patients are the same as those in other regions, and, of course, that the Healthcare systems are the same or equivalent.

Foundational is 'personal identification'. Without it a 'demographic server' is handicapped.
Hence a good test for the server is a seriously injured person arriving at a Healthcare
facility unable to communicate with no other form of identification.

Since there are many other 'issues' and 'factors' important to the design, development and
deployment of a 'demographic server' one may have to accept discussions that attempt
to integrate topics. They are valuable R&D efforts, as results-oriented expectations are
very likely to increase quickly.

Regards!

-Thomas Clark

BTW: I tried to avoid bringing 'Public Health' into a discussion about 'demographic servers'.
That would have been lengthy!

Gerard Freriks wrote:

Hi,

What is the definition, scope, function of the concept:
" demographic server"
in the context of OPENEHR?

Thomas, Sam, Dipak: HELP!

Gerard

-- <private> --
Gerard Freriks, arts
Huigsloterdijk 378
2158 LR Buitenkaag
The Netherlands

+31 252 544896
+31 654 792800

Hi Bish,

Periodic and immediate 'Bio' identification would satisfy certain security requirements
re authenticity, e.g., official documents (e.g., post surgical release). Your comment re
'thumb imprint', or scan, provides a more secure means of authentication that may be
required.

Requiring that a 'digital signature' be incorporated within a EHR is a step forward but
if all that is required is the presence of a digital signature one can be obtained from
multiple sources.

As you indicated 'verification of authenticity' is required. Verification, however, can be
'fooled' as well, e.g., where digital signatures are collected in advance into a set of
'secure signatures' the presence of one or more of these signatures within an EHR
indicates just that and no more.

How is this solved in other fields? 'Bio ID' is one approach, e.g., 'finger and thumb imprint',
a digital photo and a voice track, in addition to other digital signatures puts up a much
higher wall. I am intrigued by the combination of voice tracks with background syn,
e.g., Practitioner and Practitioner + Patient.

An example would be a Hospital Delivery Room (multiple persons) and an automatically
generated voice track. Properly encrypted the track would be hard to break and/or
deny.

In other areas similar approaches are available, e.g., encrypted time/date/voice tracks
can be integrated into Medical devices and then into EHRs. Side benefits include
integration of the time/date into the EHR.

A major problem with the photo approach is that some persons become unrecognizable
after a 12 hour shift.

A problem with ordinary 'digital signatures' is that they can be hacked, patched and the
wrong ones, e.g., a reserved place in an EHR for a fixed-length digital signature is bad
since one might be able to place another there.

Regards!

-Thomas Clark

USM Bish wrote:

Hi David,

Suggest you look at the creating systems for Patient-centered and controlled
Healthcare Records that incorporate portions of the Practitioner created and maintained
Healthcare Records.

Regulations and other 'governance' was designed primarily to target Practitioners and the
practice of Medicine. In many cases they are protective. Much like the 'common law' of
ancestral England where the intent was to keep the populace well enough for battle.

Modern regulations, e.g., Patient privacy, are designed to keep noses out of the Patient's
and their Practitioner's business, e.g., Insurance Companies.

However, Patient controlled secure Healthcare Record Systems are apparently different
under the law, except for the companies controlling them, so that, with secure coverage
for all transactions, the Patient and Practitioner can maintain their relationship in
private. Even other Healthcare service providers (e.g., labs) would deal with
Patient-Practitioner provided identification objects.

There seems to be low impact upon the Practitioner while the Patient has to take some
additional control over the management of their Healthcare (e.g., responsible for
maintaining the records).

As a Patient Advocate I have been looking at the Patient's side of the equation and it is
not as bleak as one might think. Even Senior Citizens are becoming computer literate
and computer application trainable. The younger generations are already there.

Could be interesting for 'Down Under' and Remote Medicine in general.

Regards!

-Thomas Clark

Bigpond wrote:

Hi Gerard,

Some possible applications and sources:

'coronary and stroke event rates in the population' (project-oriented)
http://www.ktl.fi/publications/monica/demoqa/demoqa.htm#Discussion

Deaths - lethal Dosage
http://www.ohd.hr.state.or.us/chs/pas/ar-tbl-1.pdf

UN Statistics
http://unstats.un.org/unsd/demographic/sconcerns/disability/disform.asp?studyid=223

Hearing:
http://gri.gallaudet.edu/Demographics/factsheet.html

Center for Demographic Study
http://cds.duke.edu/publications/search/search_results_ALE.htm

HIV/AIDS:
http://www.dph.sf.ca.us/HIVPrevPlan/HPPC01FnlRpt/ch3p61~1.pdf

RAND/HEALTH:
http://www.rand.org/health/archive/sociodemographic/

Center for the Advancement of Health:
http://www.hbns.org/newsrelease/after8-8-00.cfm

Where related to Healthcare demographics the EHRs may have to incorporate the
demographics.

Regards!

-Thomas Clark

Gerard Freriks wrote:

Hi Thomas,

Thanks.
I know for certain we (and possibly OpenEHR) are using the term 'Demographic server' for other notions.

So let's wait for the other Thomas to tell us what OpenEHR means.

Gerard

Hi,

There is another issue with digital signatures in the context of EHRs:
Their value decreases over time and with them the value of digitally
signed documents as legal evidence.
In other words: securely signed documents don't necessarily provide a
secure basis for verifying authenticity for the required time-span of
EHRs (30 and more years).

This is due to the following reasons:
- the employed cryptographic algorithms and the keys lose their
security qualification in the course of time (an algorithm may be found to be
insecure, a key length may be too short for increased computing power, ...)
- It cannot be guaranteed that the directories and documents needed for
the verification of the underlying certificates are available for 30
years or more.

In addition, the use of digital signing procedures is often insecure and
information for the subsequent evaluation of the actual security is
missing.
To achieve high conclusiveness of digitally signed documents and to
realize their integration into practical use, the document's complete
life cycle, ranging from generation of the document, generation of the
signature, presentation and communication to (long-time) archiving and
later use, has to be taken into account in a comprehensive way.

For a truly long-term-solution for EHRs, a solution must be provided for
this problem.
If you are interested in details, see http://www.archisig.de/english

Further, signed data may - of course - not be changed in order to keep
electronic signatures valid. But when data has to be exchanged across
networks, or in context of systems migration, such changes are
inevitably occurring. Trying to avoid this with the help of new
standardized and stable data formats contradicts experiences (although
openEHR itself might be a solution for this problem).
So, procedures are necessary to convert signed documents and preserve
their evidence value (legally secure transformation). See
http://www.transidok.de/index-en.html for details.

Regards,
Sebastian

Dr Sebastian Garde
Faculty of Informatics and Communication
Central Queensland University
Rockhampton Qld 4702, Australia

s.garde@cqu.edu.au
Ph +61 (0)7 4930 6542
Fax +61 (0)7 4930 9729
http://infocom.cqu.edu.au/hi
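Added example (not from the thread, and not GnuMed or openEHR code): an offline model of Karsten's four-step scheme (tracked writes, canonical dump, CMO signature over the dump hash, third-party timestamp of that hash) together with the renewal Sebastian argues is needed once algorithms and keys weaken over an EHR's 30-year life. HMAC tags stand in for real digital signatures and notary timestamp tokens, and all keys, names and log entries are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample audit log (step 1): each tracked write records who typed it
# and which clinician is the responsible signatory (the secretary/DEO case).
SAMPLE_WRITES = [
    {"author": "secretary.kl", "signatory": "dr.hilbert", "ts": "2004-02-26T08:15:00Z",
     "entry": "BP 130/85, afebrile"},
    {"author": "dr.hilbert", "signatory": "dr.hilbert", "ts": "2004-02-26T09:02:00Z",
     "entry": "Dx: hypertension grade 1; start ramipril 2.5 mg"},
]
# Hypothetical party keys; a real deployment would use asymmetric signing keys.
CMO_KEY = b"cmo-demo-key"
NOTARY_KEY = b"faculty-notary-demo-key"


def make_dump(writes):
    """Step 2: a canonical clear-text dump (sorted-key JSON) so its hash is reproducible."""
    return json.dumps({"writes": writes}, sort_keys=True, separators=(",", ":")).encode()


def tag(key, message):
    """HMAC tag standing in for a digital signature (assumption, see lead-in)."""
    return hmac.new(key, message, "sha256").hexdigest()


def cmo_attest(dump, algo="sha1"):
    """Step 3: the CMO signs the dump hash, naming the hash algorithm used."""
    h = hashlib.new(algo, dump).hexdigest()
    return {"algo": algo, "hash": h, "sig": tag(CMO_KEY, f"{algo}:{h}".encode())}


def notary_timestamp(material, when, algo):
    """Step 4: a non-affiliated notary timestamps a hash; it never sees the dump itself."""
    h = hashlib.new(algo, material).hexdigest()
    return {"algo": algo, "hash": h, "time": when,
            "sig": tag(NOTARY_KEY, f"{algo}:{h}:{when}".encode())}


def chain_material(dump, attest, links):
    """What a timestamp covers: the dump, the CMO attestation and every earlier timestamp."""
    return dump + json.dumps([attest] + links, sort_keys=True).encode()


def build_evidence(dump, when, algo="sha1"):
    """Evidence kept for later presentation to a court: attestation plus timestamp chain."""
    attest = cmo_attest(dump, algo)
    return {"attest": attest,
            "links": [notary_timestamp(chain_material(dump, attest, []), when, algo)]}


def renew(dump, evidence, when, algo):
    """Long-term preservation: before the old algorithm or keys weaken, obtain a fresh
    timestamp with a stronger hash that covers the dump AND the whole existing chain."""
    links = evidence["links"]
    new_link = notary_timestamp(chain_material(dump, evidence["attest"], links), when, algo)
    return {"attest": evidence["attest"], "links": links + [new_link]}


def verify_evidence(dump, evidence, weak_algos=frozenset()):
    """Return (ok, reason). Early links may use an algorithm that is weak today, because
    each later link re-covers them with a stronger hash; the newest link must not be weak."""
    attest = evidence["attest"]
    if hashlib.new(attest["algo"], dump).hexdigest() != attest["hash"]:
        return False, "dump does not match the CMO-attested hash"
    expect = tag(CMO_KEY, f"{attest['algo']}:{attest['hash']}".encode())
    if not hmac.compare_digest(expect, attest["sig"]):
        return False, "CMO signature invalid"
    links = evidence["links"]
    if not links:
        return False, "no third-party timestamp"
    for i, link in enumerate(links):
        material = chain_material(dump, attest, links[:i])
        if hashlib.new(link["algo"], material).hexdigest() != link["hash"]:
            return False, f"timestamp {i} does not cover this chain"
        expect = tag(NOTARY_KEY, f"{link['algo']}:{link['hash']}:{link['time']}".encode())
        if not hmac.compare_digest(expect, link["sig"]):
            return False, f"notary signature {i} invalid"
        if i and link["time"] < links[i - 1]["time"]:
            return False, f"timestamp {i} predates its predecessor"
    if links[-1]["algo"] in weak_algos:
        return False, "newest timestamp uses a weakened algorithm; renew the chain"
    return True, "ok"
```

Because every renewal hashes the dump again with the newer algorithm, a later collision against the original SHA-1 attestation does not help a forger: the SHA-256 link is recomputed over the actual dump at verification time.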

There are undeniably enormous challenges in this area.

However, right now, we have a health system that operates off bits of paper augmented with IT here and there. Can we verify the authenticity of a medical record from the 1970s today? Will a paper health record created today be authenticated in 2030? If a doctor receives a medical history on paper and one of the pages has a fold on the corner which causes two pages to be turned instead of one, can we prove in a court today if the doctor did or didn't see the information on the second page? Hey, forensic science isn't that good even on CSI :-)

Surely the goal of EHR is to do better than the existing systems in some areas (so there is benefit in choosing EHR), and no worse in others (so there is no significant detriment)? For example, won't some patients have better outcomes because their doctors have access to their past allergic reactions thanks to an EHR, even if we cannot prove in a court whether the information did or didn't get rendered correctly on a computer screen?

If we are serious about proving in court "what the doctor saw", I can only suggest that we create a head-mounted device with a camera (positioned at eye level) and microphones positioned at ears and mouth and record every second of the doctor's working life as evidence of what they saw, heard and said. Of course, it cannot prove whether those images and sounds were processed cognitively or not, which is what you need to establish to go from "what the doctor saw/heard" to "what the doctor knew". It is easy to overlook something on a page or on a screen, despite it being in plain view.

If people or organisations perceive significant benefit from technology, they will not wait for the technology to be perfected. They will weigh up the risks and benefits and proceed accordingly. As an example, many people used analogue mobile phones for years despite widespread public knowledge that they were not completely secure, but obviously felt that the benefit outweighed the risk, no doubt figuring that nobody would be motivated to eavesdrop on their basically boring conversations. A few people suffered because their conversations were not secure (e.g Prince Charles!) but most people had no adverse experience.

This is not to say that we should not try to solve the problems that are being identified, but I doubt the lack of immediate solutions will be a showstopper to many organisations or nations rolling out EHRs if there are other compelling benefits.

Kerry, who thinks there is a need for an openehr-societal mailing list for this kind of discussion

Dr Kerry Raymond
Distinguished Research Leader
CRC for Enterprise Distributed Systems Technology
University of Queensland 4072 Australia
Ph: +61 7 3365 4310, Fax: +61 7 3365 4311, www.dstc.edu.au

Dear All

The openEHR design team have, over many years, decided to separate the demographic information from the EHR data. Advantages are, amongst others:
1. Security - you need access to both sets of data to know about an individual
2. Normalisation - you can find people even though they have moved, changed their name etc
3. Many health environments have developed demographic services which people want to keep.

The EHR model has quite different classes than the EHR model - and the archetypes are therefore different.

The demographic server in an openEHR environment provides identifying, contact and credentialling information about parties.

Hope this is helpful...Sam

Hi,

It is known for quite some time that digital signatures are not the best solution to encrypt information that has to be archived.
For functions like this we need a real person/organisation that provides this archiving function.

see by Ross Anderson:
http://www.usenix.org/publications/library/proceedings/ec98/full_papers/anderson/anderson.pdf

Gerard
