It has been a long and at times difficult two years for the federal government's Health e-Signature Authority (HeSA).
Mandated to deliver a single Public Key Infrastructure (PKI) security solution for the health sector, HeSA has endured trenchant criticism from a resistant medical lobby. It has seen its certification vendor change hands from Baltimore to SecureNet to Betrusted. At the same time, applications vendors have proved more than a little slow to develop software to deliver the federal government's grand vision of e-Health.
While PKIs have been in widespread use for intra-governmental electronic transactions for around five years, selling the idea to health stakeholders such as doctors, specialists, hospitals and insurers has not always been easy, according to the CEO of HeSA, Suzanne Roche.
(Suzanne Roche presented the keynote address on Security and Privacy Issues for eGovernment at the CeBIT eGovernment Forum in Sydney.) "We [initially] sold PKI as a technology solution, we didn't sell it as a business solution. We didn't talk about the business value, business uses and the like. So it was little wonder that [the eyes of] doctors and peak glazed over. We didn't articulate [the rationale for using PKI] very well," Roche frankly admits.
Rather than abandoning the standard, HeSA took a long hard look at itself and set about rehabilitating the way it did business with its stakeholders.
"We needed to shift the focus from our own environment to one that would be able to meet the needs of our users. That's the people who want to get PKI, not just ourselves. That has been a tremendous challenge.
"The real value of PKI is it offers, in an electronic environment, authentication and non-repudiation. That's where you can move from a manual environment to an electronic one. It's the only recognised solution that enables you [to maintain privacy] and to do business online in a paperless environment," Roche said.
In plain terms, this means health providers, from obstetricians to geriatric care specialists, will use a single PKI certificate from HeSA to transact business securely with the federal government and preferably each other. Understandably, Roche is keen to push the advantages of a single system rather than a fragmented one.
"Can you imagine how inefficient and frustrating it would be for a GP to have to use a HeSA certificate to do business with the Health Insurance Commission, then a different solution for the hospital, then another for the specialist and so on? The efficiencies of e-business will only be achieved if GPs don't have a fragmented approach to security," Roche said, adding that robust privacy and security remain imperative for health providers to move business online.
Another issue facing the health sector is that of smaller organizations upgrading current systems to enable e-commerce - such as GPs still coming to grips with what sort of platform is required to conduct transactions.
"The technology has rapidly increased in its level of sophistication over the last couple of years. To do any sort e-business, you need to have a good computer. What you will find is that a lot of the computers on GP's desks have not been patched and arguably not even set up correctly," Roche said.
Roche asserts that while applications were initially slow to develop for e-health transactions, the number of applications and solutions coming to market, and being deployed, is now growing exponentially.
"[The] lack of applications has been another huge challenge. It's like having a telephone and nobody to talk to. You would have to wonder why on earth you want this thing. PKI is not new, but its implementation is new.
"You are going to see it implemented through software, business processes and applications. It will be accepted in the same way as e-mail and will be taken for granted. Our role [at HeSA] is to mature that technology."