Technical pitfalls and peculiarities

From 2020, hospitals and clinics must be able to work with the electronic patient dossier (EPD), and nursing homes from 2022. The outpatient sector is not subject to any deadlines, and participation in the EPD is voluntary for the population. Management and Quality interviewed Claudio Fuchs, an expert in authorization management, to discuss the pitfalls of introducing the EPD.

Switzerland lags behind other countries when it comes to digitised government services. In the health sector, however, things are now set to move forward: from 2020, the electronic patient dossier (EPD) will gradually replace paper-based medical records. Data protection in this sensitive area must be a top priority, and not everyone is authorized to access the electronic patient data. As a result, many clinics face organizational and procedural challenges. One of them is the need for identity management.

 

With the introduction of the EPD, there will be some changes in user and authorisation management. From April 2020, hospitals will have to operate an identity management system for the first time. Mr. Fuchs, what exactly does this mean for specialists like you?
First of all, two points: Firstly, patients always have sovereignty over access. Patients should therefore have full control over their own data. However, the electronic management of particularly sensitive data is complex. This means, for example, that the service providers must clearly indicate the staff treating them, so that the patients know about their access and can prevent it if they wish. In Switzerland, it is also planned that patients can set positive and negative authorizations for individual reports.

 

But now to the second point: In general, a distinction must be made between the classic patient record as primary documentation and the new dossier as secondary documentation. When patients are admitted, the EPD must be downloaded from a central directory of the parent community so that it can be supplemented and uploaded again upon discharge. The patient determines which parts of the dossier are visible to which hospitals or doctors, and thus has control over his own data, his electronic dossier. The hospitals and the subsequent participants in the treatment process are legally obliged to be connected to a master community by April 2020.

 

Do you see any other technical grey areas that are not easy to get to grips with?
One is the transformation of dossiers into secure data repositories. However, there are also less technical problems, such as staff turnover rates, which also pose challenges. From the point of view of user and authorization management, there are two main areas of activity: Firstly, the identification and authentication of medical and support staff for access to the dossier at the root community and the issuing of the necessary identifiers (interface ITI40 according to IHE reference architecture). Secondly, the transmission of the current and correct personnel data of the relevant medical staff and auxiliary staff to the master community (interface ITI59 according to IHE reference architecture).

 

Are the hospitals ready for this and what are the biggest obstacles with regard to EPD user and authorization management?
There are hospitals that have already examined many aspects of the EPD in detail, including user and authorization management. Others are still at the very beginning and are realizing what changes the EPD will bring. A major obstacle is the preparation and design of identity management. This is because each hospital employee must be mapped as an electronic identity. This allows the digital management of the associated user accounts in the systems and applications as well as the means of identification, such as badges or SuisseID. This identity must be correctly filled with attributes such as name, profession, title, unique doctor number or institute and regularly transmitted to a master community. All this is only possible with an automated IAM system that can also provide these required qualities and security.

 

All these requirements necessitate a universal solution for authentication. What do you recommend to hospitals regarding the application programs to be integrated - "make or buy"?
This is really a big, open point at the moment. That's why I don't recommend making a decision on this right now. I recommend that the responsible departments for the issuance of such means of identification be considered internally and that corresponding tasks be provided for in the employee processes for entry and exit, but that no technical procurement be carried out yet. It is also to be expected that a number of providers will still be
In order to ensure that only authorized medical personnel access the EPD, hospitals need an identity management system. If a hospital has the opportunity to act as an identity provider, it can basically decide itself on the process and technology of the means of identification. These means of identification no longer have to be of a physical nature, but can function with apps and smartphones, for example.

 

Some hospitals already use multi-factor authentication. Under certain circumstances, this can be expanded so that the requirements are met and employees can be equipped with it very flexibly. But the reverse is also true; for smaller hospitals, it may be that this effort and the costs are too high and that they therefore stock up on the free market. Hospital management would do well to carefully examine the various options.

 

And does the EPD work, are there already projects - at best a conclusion?
Yes, there are. The canton of Geneva launched a kind of "EPD light" as a pilot project and evaluated it in 2017. It turned out that many patients in urban agglomerations are likely to opt for the digital future. Within a short time, around 28,000 patients were registered, which corresponds to around five percent of the Geneva population.

 

Do you see any other open points that should be clarified next?
If you ask: Timely, systematic planning is the be-all and end-all. It is not only a question of procedural issues when installing the software, it is also a question of defining multiple staff appointments (e.g. as a senior physician and at the same time as an attending physician). Organizational responsibilities must be defined at an early stage. The HR departments are the first to come into focus. HR, IT, physicians and nursing must work closely together. It is important not to view processes as isolated to one department. This would not be effective. Hospitals must ensure, for example, that physicians are as close as possible to the patient. Hospitals must ensure, for example, that doctors are available as soon as possible.
