9 minute read
Irish health information systems landscape
Health information systems in Ireland
New telecommunication equipment for telenursing at Health Sciences North, Horizon Sante-Nord (HSN) in Ontario, Canada.
In June 2021, the ESRI published Developments in health information systems in Ireland and internationally. The report’s objective was to provide a comprehensive overview of Ireland’s health information context and determine components of international healthcare systems that could be deployed in Ireland to enhance the existing healthcare system.
Omnipresent and dynamic challenges faced by the healthcare systems as a consequence of increased demand, increasingly complex requirements and the onset of the Covid-19 pandemic have combined to drive the development of HIS and enhance eHealth.
Since it became apparent that the Covid-19 pandemic required real-time interventions by healthcare decisionmakers, there has been a catalytic impact on the adoption of health technology. At the same time, the pandemic has provoked significant public engagement with health data, potentially acting as an impetus to sustain public buy-in and increase investment in a modern HIS and health data collection.
Cognisant of the broad scope of health information systems (HIS), eHealth and health technology, the authors of the ESRI report, Brendan Walsh, Ciarán Mac Domhnaill and Gretta Mohan, homed in on components which are most pertinent to policymakers in an Irish context.
As such, its HIS report explored three core areas:
1. characteristics of successful international health information systems;
2. Ireland’s health information system and the health data context; and
3. telemedicine deployment during the pandemic.
Characteristics of successful international HIS
In order to establish a framework with which to view and understand Ireland’s current HIS context, the ESRI sought to explore and record key features of international HIS. In doing so, several commonalities were discovered among effective HIS. The first commonality is the national deployment of an individual health identifier (IHI). In Scotland, for instance, the Community Health Index (CHI) uniquely identifies individuals on a national register which is incorporated in numerous electronic medical recording systems in the NHS Scotland system.
The second commonality is the creation of a national electronic health record (EHR). EHRs enable information to be coherently linked between different components of a healthcare system. Interoperability between healthcare data systems is essential to unlocking the optimal benefits of health informatics. For example, the NHS Spine database in England links healthcare IT systems across services and providers, facilitating the secure sharing of information as per its eReferral Service. Similarly, during the pandemic, New Zealand’s National Health Index (NHI)
was linked to EpiSurv, the country’s Covid-19 case database.
The third commonality is the ability of different components with a health system to interact and integrate with each other. In the absence of this ability, the use of EHRs, big data and health technologies are restricted. Decentralised health systems, such as the Canadian model, or countries with several systems that cannot be integrated, such as NHS England, illustrate that a robust HIS with interoperability requires an holistic view of the health system, both public and private.
The final commonality is the instillment of confidence among data subjects, or the population as a whole, that data is collected for a specific purpose and stored safely and securely. Modern HIS can empower patients utilise their data to inform data-based decision-making about their care pathways. Likewise, telemedicine has ensured that patients were able to access care remotely, lessening the unmet need for healthcare during the pandemic.
Irish context
Developments in health information systems in Ireland and internationally demonstrates significant disparities in HIS, health data infrastructure and the deployment of health technologies across Ireland’s healthcare system. At the most basic level, and as exposed by the pandemic, Ireland’s public health data infrastructure is inadequate. Added to this is fragmented public and private healthcare provision.
Therefore, as acknowledged by the HSE leadership in 2016, the adoption of an IHI and national EHR could transform the Irish healthcare system. The creation of eHealth Ireland was a fundamental component of the HIS journey in Ireland. Between 2018 and 2021, capital funding for ICT projects has doubled to €120 million. At the same time, less than 0.8 per cent of the €20.62 billion health budget for 2021 will be allocated to eHealth and ICT.
The ESRI report identifies several areas within the Irish healthcare system within which there are omissions in the recording, collection, and collation of patient data, particularly in relation to healthcare utilisation and expenditure. As a result, for example, in the absence of IHIs, the HIPE dataset cannot track accompany patients between hospitals.
In the private sector, providers offer insufficient insight into the total care and types of care that they undertake. This acts as a barrier to the development of a comprehensive and resilient HIS in Ireland.
However, the adoption and integration of eHealth solutions gathered some momentum. For instance, eReferrals and ePrescriptions are now established components of the Irish healthcare system. The Irish National Epilepsy Electronic Patient Record and the Electronic Patient Record (EPR) have transformed care pathways and enhanced contact between patients and clinicians. This acts as a template for further expansion to wider patient populations in the pursuit of a national EHR. Once this is established, as illustrated by England’s OPENSafely platform, data analytics platforms can deliver insights for patients, clinicians, and policymakers to help plan and deliver improved care.
Telemedicine
The pandemic has also had a disruptive impact on engagement with the healthcare system. As a result, telemedicine has rapidly established itself as a central pillar both of healthcare in Ireland and beyond. Telemedicine consultations are now occurring almost as regularly as inperson consultations in both primary and acute care settings. Figures emerging from NHS England indicate that the proportion of telemedicine consultations has increased from 14 per cent to 40 per cent since the onset of the pandemic. While the data is less complete in Ireland, the Irish Medical Council has indicated that similar increases have occurred.
Amid this swell in digital health, a considerable challenge exists in relation to the security of personal data. The Council of Europe acknowledged this in its Digital solutions to fight Covid-19 report in which it notes: “The quantum leap in the digitalisation of our lives requires that measures adopted by governments during the health crisis uphold the protection of individuals with regard to the processing of personal data.” To this end, data protection will be the constituent factor in delivering patient trust in digital healthcare solutions. This will, to have some degree, been undermined by the recent HSE data breach in which a cyberattack exploited vulnerabilities to expose patient data in an attempt to extract a ransom payment.
Conclusion
Informed by its findings, the ESRI report outlines six key policy recommendations relating to HIS, health data infrastructure and health informatics. These are:
1. that a national HIS is developed, leading to the comprehensive adoption of the IHI and a national
EHR across both the public and private healthcare systems;
2. that health data infrastructure be robust, structured and rigorous, encompassing data from both public and private providers;
3. that data protection and cybersecurity measures are aligned with relevant legislation and the
GDPR;
4. that investment in current and capital ICT and eHealth be continued;
5. that digital health literacy be enhanced to ensure that the public, including vulnerable cohorts, understands the benefits of eHealth and can access eHealth services; and
6. that the healthcare workforce is acknowledged as fundamental to the successful integration of a HIS.
What can we learn from the HSE and Department of Health ransomware attacks?
Ireland appeared to be shaken to the core by the recent cyberattack on the HSE and the Department of Health, but once past the initial shock, it is time for an in-depth look at the Irish cybersecurity infrastructure and whether such attacks could not have been anticipated, detected, or prevented.
In 2017, the National Health Service (NHS) in the United Kingdom came to a standstill because of an attack by the notorious WannaCry ransomware that paralysed their computers. The recovery was long and cost the NHS £92 million, but were any lessons learned on this side of the Irish Sea? Let’s have a quick look at the details we know and how the matters could have been handled differently.
It has been reported that 700 gigabytes of the HSE’s data was allegedly exfiltrated by the cybercriminals. Given that the data is stated to be of a sensitive nature, content aware data leak prevention (DLP) could have been useful in preventing the movement of such data. Content aware DLP software aims to prevent intentional (and accidental) leakage of sensitive data by first identifying the data (using some rules written by the administrator) and then controlling who can access the data, how they can interact with it (and when), and where it can be moved.
The utilisation of a cloud sandboxing solution can also be effective in combating ransomware infections and zero-day threats. A properly configured cloud sandboxing product will temporarily pause the execution/opening of any unknown files until they are analysed in an operating system in the cloud. If a file is found to be malicious, execution is stopped and the file removed, with detections being provided to all the other endpoints on the network. If the file is benign, it will be allowed to run. Sometimes the most effective way of detecting what a piece of unknown software will do is to simply let it run and monitor its behaviour. It’s obviously too dangerous to do this on protected network hence the utility of cloud sandboxing solutions.
Given that the reports suggest the attackers “lived” in the network for approximately two weeks, it must be asked if the HSE's security team were utilising an endpoint detection and response (EDR) solution. EDR products aim to detect the movement and actions of attackers in a protected network by reporting seemingly innocuous events to security teams for analysis. Things like the commands they would have run, the files they would have changed, the login attempts they would have made, etc. These actions when flagged by a proper solution should ring alarm bells for any security operation centre analyst and trigger an immediate investigation. In short, a correctly configured EDR solution would have flagged events typical with lateral movement to analysts.
ESET Ireland continuously stresses the importance of a thoroughly planned defensive posture and a multi-layered approach to cybersecurity. While there is no such thing as 100 per cent security, by applying comprehensive preventive measures, the bar can definitely be raised to an extent that makes it a lot harder for cybercriminals to carry out major disruptions.
ESET Ireland T: 053 914 66 00 E: info@eset.ie W: eset.ie
