I am a consultant, and I mainly do work for the public sector in Norway. For six years my work has primarily been focused on digital identity, authenticating health personell in particular. But, during this time I have also been involved in solving an interestingly tricky problem:

How can we effectively share health information between different health personell in different organizations?

There are obviously several technical answers to this question. Some of the answers are seemingly both feasible, effective and a good idea - until the next big thing comes along. Perhaps some day we will save everything in an unstructured blob and have an AI sort things out. Can’t wait for that one..

On the other hand, the underlying complexity of health information adds to the problem. Knowing which information is relevant to share at different times is not easy. Some types of health information are snapshots in time and totally irrelevant in three weeks, while other types of information are important pieces of the puzzle that is needed to give the patient the correct treatment.

The complexity of complex diseases

Statistics show that patients with comorbidity or multimorbidity accounts for a disproportionately large part of the total amount of care given by the health care system in Norway.

“Some estimates show that roughly 80% of all the resources are spent on about 20% of the patients, who are typically co- or multimorbid.”

These co- or mulitimorbid patients often use several health care providers. This greatly increases the need for enabling the sharing of health information. It also adds a load to the allready stated problem, because some of these patients have large amounts of data distributed across the different organizations. In some cases more than 30.000 documents. Searching and choosing the relevant pieces of information in those cases is tricky - at best.

My semi-humble opinion

The fundamental problem doesn’t lie within the ones and zeros, nor the complexity of health information.

It lies in the murky world of trust: The governing laws and juridical system, the responsibilities, the agreements, the knowledge about how processes and routines are carried out in the organizations that communicate with each other. The security measures and mechanisms that are in play, and how securely the systems and interfaces are designed, built and deployed etc.

Without trust between the different actors we won’t be able to share a single thing. Regardless of the technical solutions or our capability to acheive semantical interoperability.

In other words: the answer to the question is about as clear as mud. So for this blog post I’ll explain how I perceive trust, and why I believe trust to be the most fundamental issue that needs to be solved before we are able to effectively share health information between different actors in Norway.

How trust can be modeled and built is material for a later post…

Trust you say?

What is trust anyway?

This is one of my favorite quotes - allegedly from E. Hemingway:

“The best way to find out if you can trust somebody is to trust them”

I interpret this quote to mean that trust is not a binary thing, it is a decision.

And where there is need for a decision, there is always underlying uncertainty.

Because, when there is no uncertainty you don’t really need to make a decision. In other words: when all the facts are known, you don’t need to decide anything. The decision is given.

The caveat is that you won’t know wether the decision was good or bad until you gain some experience with the party you’ve decided to trust. It’s possible that you’ll make the wrong decision, but you won’t know until you’ve tried.

So, to trust something or someone is a decision that is based on facts you have about the party you need to trust, in addition to previous experiences you or others have had dealing with the same party.

The health sector in Norway - a primer

Since the title of this blog post contains the words health information, I think it is time to give some context.

But first a true story from my life.

Shut up and give me the morphine!

I experienced how health care systems don’t talk to each other when I suffered an acute and intense back-pain last year. A suprisingly effective lack of systems interoperability forced me to tell my story over and over again - which is rarely a good thing unless the story is really funny or interesting. In my case the story could be summed up in these three words: “give me morphine”.

My close encounter

Here is a concise recount of what happened after about half an hour of intense pain and nearly shitting my pants:

1. Call 911 (113 in Norway)
2. Ambulance arrives with health personel
3. Tell ambulance personnel what’s wrong
4. Get morphine
5. Transported to emergency
6. Repeat what’s wrong to the emergency doctor
7. Transferred to hospital (in the same building)
8. Repeat what’s wrong to the hospital doctor
9. Repeat what’s wrong to other hospital doctor
10. Get more morphine until able to stand and walk

Interestingly, there were three different EHR systems into play (sic!) and none of them were interested in speaking with each other.

I would have preferred that they had trusted each other more…

Health sector vs. the law

Since health information is personal data and is considered sensitive, all health care providers with EHR systems are responsible for processing health information.

Counteracting legislation or a perfect mix?

The health care providers in Norway actually have three layers of law to understand and to comply with:

• EU (GDPR)
• Public management legislation
• Health care legislation

With GDPR in play, the organizations have two good reasons to keep the health information safe and secured:

• Loosing it or giving access to the wrong people or organizations might be very expensive.
• They might loose the trust of their patients if it becomes known that their most sensitive information has been accessed by someone that might use it for other purposes than treatment (e.g. an employer, an insurance company etc).

On the other side of the coin, the health care legislation actually require the organizations to give health personnel access to patient health records when they are needed for treatment, regardless of wether they work within the same organization or for a different organization.

The organizations are obligated to share health information, but they better not share it with someone who doesn’t need it for treatment of a patient.

What is mine is yours - or was it the other way around?

In Norway all health care services are free of charge, which is damned phantastic. Come join us if you want great health services, enjoy paying high taxes, crave lousy weather and good looking swedish waitors.

Ok, so free of charge is perhaps not entirely correct.. Most health services are publicly funded, which actually means that we pay for it through taxes. I still think the concept is pretty awesome though, and I do pay my taxes with pride - knowing that one day I will probably be on the receiving end.

Where would you like to have your vasectomy done, sir?

All inhabitants of Norway have several rights that grant them freedom to choose certain aspects of their use of the health care sector:

• The general practitioner scheme (fastlegeordningen): Every inhabitant has the right to have a GP, and the municipalities are responsible for providing their inhabitants with their own personal doctor-person.

• The right to choose the place of treatment (fritt behandlingsvalg): If you have heard about a hospital somewhere far from where you live that has prettier nurses and better doctors than your local hospital, you can choose to be treated there.

These are great features, but these rights also require health information to flow between different businesses, which again requires the systems to interoperate.

The health regions and categories

The public health sector in Norway is split into four health regions:

• the northern region (aka Mordor)
• the middle-part-of-norway region (aka “the best region in the country”)
• the western-part-of-norway region
• the southern-and-eastern-part-of-norway region

These four regions provide services that are divided into two main categories:

• The specialist health care services - basically the hospitals
• The primary health care services - where you’ll find the GPs and nursing and care, etc.

If you are both healthy and lucky you’ll never get any value back from the taxes you’ve paid. If you are like most people though, you get to enjoy the services from two or more of these providers several times during your life.

The business model

All of these providers are organized as individual organizations/companys. Some of them are subsidiaries of the regional organization, others are subsidiaries of municipalities, and others again are independent and privately held.

The system landscape

National systems and infrastructure

We have some national systems in different flavours. We also have other national stuff that is useful, like common infrastructural components, a dedicated separate membership-based network called “Helsenettet”, a dedicated CERT for the sector and a common national code of conduct.

Local and regional EHR systems

The health information is largely produced and stored in the local or regional EHR systems, and is seldom shared across organizational boundarys.

Every health care provider is responsible for providing their health personnel with suitable EHR systems, where they are required to register relevant and neccessary information about the patients they treat and details of the treatment they are given. Every organization choose their own system. And, these systems can be quite different from each other depending on the type of health services they provide.

Do systems have personality traits?

The local systems are quite introvert. They just really like to keep to themselves, and rarely talk to others. There are several reasons for this, many of which are historical: most of these systems were built at a time where it actually was illegal to share health information outside of the business boundaries - unless there were very good reasons for doing so.

Manual vs Automatic

Todays practice of sharing health information is mainly done through messaging or by some physical medium. This practice has an advantage that at the same time is a great disadvantage: it requires manual processing - someone has to do something and/or make a decicion. This obviously doesn’t scale..

Instead, we want to be able to search and request information across organizational boundaries automatically, e.g. by having the EHR systems consume APIs.

I know.. This isn’t exactly rocket science. We’ve had web based APIs for decades, but when it comes to GDPR and the health legislation there isn’t a whole lot of room for error. And the rules and laws are not easy to understand when you put them into the perspective of sharing health information.

Deciding to mistrust

To sum up why I think trust is the most fundamental issue to solve I have hand crafted a numbered list containing a few of the issues that lead to mistrust.

1. Who bears the responsibility if health information is stolen? The delivering part or the consuming part? Here the law is as unclear and interpretable as it probably should be.
2. The organizations choose to not trust each other. Why? Don’t the other organizations know what they are doing?
3. With what precision should we authenticate the health personnel?
4. With what precision should we authenticate the organizations?
5. Some health personnel might be up to no good, how can we stop them before they snoop around in their neighbors health records?
6. Some health personnel might be up to no good, how can we detect that they have snooped around in their neighbors health records?
7. Which doubious security mechanisms are in play? Perhaps the guys who consume services are using nOAuth or nOIDC? noTLS? Poorly implemented authentication? Home grown crypto algorithm/crypto libraries? Home grown PKI?
8. Are the health personnel using poorly implemented or really old EHR systems leaking like a tea strainer?

There are individual answers to all of these questions. And yes, some of the answers can be combined to form what is referred to as a common “trust framework”. But it often turns out that the obvious answers aren’t as obvoius as one might assume.

An example is eID for physical and legal entities. What if the requirement is some ridiculously high LoA, but the user is authenticated through one or several federation gateways. What happes with the LoA after five hops through five different gateways? Does the identity still comply with the LoA? Do all these gateways take their security equally serious?

Goodbye

Well, it was good to finally get this off my chest. I plan to write about how trust can be modeled and realized in a future post.

In the meantime, have a great day and thank you for reading!