2nd MOMENTUM Workshop

Main findings and highlights
SIG 3: Legal, regulatory and security issues
Ellen K. Christiansen: [email protected]
Eva Henriksen: [email protected]
Berlin, 8 April 2013

The overall work of SIG 3

Work done:
• Analyzing and systematizing the data (Q no 23-31)
• First draft of blueprint: 5 February
• Draft blueprint refined and improved until the draft was sent to the editors on 19 March 2013

Work to be done:
• Clarifications of facts – champions needed
• Integration of comments from editorial team
• Integration of stakeholder feedback
• Collect comments and input from SIG network on selected parts of the draft
• Continue literature studies within scope of project

People involved in SIG 3

Writing team: Ellen K. Christiansen, NST; Eva Henriksen, NST; Leif Erik Nohr, NST; Eva Skipenes, NST
Editorial team: Robert Stewart, NHS 24, Scotland; Montse Meya, Fundació TICSALUT
SIG members (possible editors for selected parts): nine
“Friends” of the project: four

Legal, regulatory and security issues

SIG 3 has concentrated on the following issues:
• Are changes of the legal framework for telemedicine needed?
• Is use of telemedicine without face-to-face contact within the standards for professional responsibility?
• What are the terms of liability for clinical staff?
• Are there guidelines for clinical responsibility?
• Is special training or accreditation required?
• Did the service described cross any jurisdictions? Did that cause legal problems?
• Do patients have to give informed consent when telemedicine is used? How?
• Data management and information security responsibility and measures
• Mapping of legal, regulatory and security stakeholders

Legal, regulatory and security issues – most important keywords
• Telemedicine legislation
• Best practice F2F?
• Accreditation/responsibility/liability
• Cross border: institutional, regional, national
• Consent
• Information security

SIG 3 – Telemedicine legislation
Q 23.1 – Were changes to healthcare legislation a prerequisite for the implementation of your telemedicine service?
• 85% claim «no», 12% «yes»
• This is promising; does that mean no problems with the law?

SIG 3 – Telemedicine legislation
Q 23.2 – Have any changes to legislation or other legal rules been made as a result of your particular telemedicine service?
• 92% claim «no», 0% «yes»
• No need for changes, no changes made. Is the legal situation clarified?

SIG 3 – Telemedicine legislation
Q 23.3 – Is it your opinion that further changes in legislation in your country are necessary for wider and easier implementation of sustainable telemedicine services?
• 69% answered «Yes», 19% «No»
• How do we explain that, given the previous answers?

If Yes: Changes needed
• Liability issues, accreditation, clarification of security framework, and legal clarification in general
• Need for a sustainable reimbursement system
• Changes of legislation regarding co-payment (Who should bear the costs of equipment at home?) (Israel)
• Data protection and mobile equipment (Spain)
• Who pays for second opinion? (Sweden)
• Data exchange protocols (?) (Slovenia)
• Legislation should be changed to support target-based medical care (?) (Estonia)

Legal and regulatory issues as impediments for implementation of TM – literature support
• COM(2012) 736 final, Communication from the Commission, Brussels 6.12.2012, p 5
• SWD(2012) 414 final, Commission staff working document on applicability of the existing EU legal framework to telemedicine services
• COM(2008) 689 final, Communication from the Commission, Brussels, 4.11.2008, p 8
• Legal frameworks for eHealth, Global Observatory for eHealth series – Volume 5, WHO 2012, p 25
• National eHealth Strategy Toolkit, WHO, ITU, ISBN 978 92 4 154846 (WHO), ISBN 978 92 61 140519 (ITU), 2012
• Brownsell, Ellis: Ready, Steady, Go: A telehealth implementation toolkit, University of Sheffield, NHS National Institute for Health Research

Telemedicine legislation – initial thoughts:
• The legal framework should be reviewed in each country and certain paramount principles laid down, e.g. concerning liability, best practice assessment and reimbursement
• One ought to start a process deeply rooted in the national health authority system, pick out some representative and wanted routine telemedicine services, and analyze them with regard to possible legal hindrances. This can be a starting point for discussing the need for adaption and amendment of the legislation

SIG 3 – Accreditation
Q 24.1 – Was specific accreditation of health care personnel legally required to implement your service?
• 19% answered «Yes», 69% «No», 4% for some health care personnel
• The «Yes» and «Partly» answers have to be further investigated and linked to the services at stake

SIG 3 – Responsibility/liability
Q 24.2 – Is there a clear distribution of responsibility for legal liability among the healthcare providers that participate in the delivery of your telemedicine service?
• Only 50% answered «Yes», 12% each «Partly» and «No», 27% «Don’t know»
• «Uncertainties regarding legal liability lead to uncertainties regarding delegation of tasks and priorities in action.»

SIG 3 – Responsibility/liability
Q 24.3 – Are liability and/or responsibility issues barriers to large scale implementation of your telemedicine service?
• 69% answered «No», 19% «Yes», 12% «Don’t know»
• This is a surprise and needs discussion and literature search, because these issues are often listed as barriers for implementation
• To the «Yes» answers: How? (Needs to be investigated)

SIG 3 – Telemedicine legislation
Q 24.4 – Does your service cross any borders relating to any legal authorities? Please tick all relevant options
• 46% answered that their service crossed no borders. 27% each answered «Yes, organisational borders» and «Yes, national borders»

SIG 3 – Telemedicine legislation
Subquestion Q 24.4: Were any conflicts of law identified as a result of crossing borders?
• 85% answered «No», 8% (1) «Yes», 8% did not know
• The «Yes»: crossing organisational, regional and national borders (would be interesting to investigate in more detail)

SIG 3 – National guidelines for clinical responsibility and liability – F2F
Q 25.1 – Is it within the framework or standards of professional responsibility for a doctor to treat patients via telemedicine (without F2F contact) in your country?
• 31% answered «Yes», 46% «No»
• Needs clarification (ask national champions), as respondents from one country in several cases answered this question differently
• This is important, because we need to define if treatment of patients can be delivered via telemedicine services

SIG 3 – National guidelines, clinical responsibility
Q 25.2 – Are there any national guidelines or recommendations regarding distribution of clinical responsibility between the health care professionals when they use telemedicine services?
• 62% answered «No», 23% «Yes», 15% «Don’t know»
• To be discussed with champions due to different answers from the same country

SIG 3 – National guidelines, legal liability
Q 25.3 – Are there any national guidelines or recommendations regarding distribution of legal liability between institutions involved in telemedicine services?
• 65% answered «No», 12% «Yes», 23% did not know
• Has to be further investigated due to divergent answers from respondents in the same country (champions!)

SIG 3 – Consent, ethical approval and concerns
Q 26.1 – Do patients have to give their explicit and informed consent in order to receive the telemedicine service?
• 58% answered «Yes», 35% «No», 8% did not know
• Surprising?

SIG 3 – Consent, ethical approval and concerns
Subquestion 1, Q 26.1 – In the event that patients have to give their informed consent, how do they do it?
• 80% answered «Written» consent, 13% «Oral», 7% «Not relevant»
• The vast majority give written consent (12 respondents from 7 countries)

SIG 3 – Consent, ethical approval and concerns
Subquestion 2, Q 26.1 – How is information about the telemedicine service provided to the patients?
• 73% answered «Written», 60% «Oral», 27% «Electronically», 7% «Not relevant»
• 5 respondents provide information in all three ways

SIG 3 – Consent, ethical approval and concerns
Q 26.2 – Has the telemedicine service been assessed by an ethical committee at any time?
• 58% answered «Yes», 31% «No», 12% «Don’t know»
• Many services are based on former research projects; others have been assessed by ethical committees on national, regional, local or institutional level

SIG 3 – Consent, ethical approval and concerns
Subquestion Q 26.2 – If yes, did the ethical committee have any comments or reservations related to legal, regulatory or security issues?
• 80% answered «No», 20% «Don’t know»
• One comment: «The transmission of personal data between the patient’s home and the hospital should be protected at the highest achievable level.»

SIG 3 – Data management
Q27.1 – Is it obvious to you which organisation or individual is responsible for the security and legal standards of your telemedicine service?
77% yes – 23% no + don’t know
Nearly one fourth of the respondents do not know who is responsible for the security and legal standards. Those responsible for telemedicine services need to know whom to consult in order to sort out which requirements are applicable and to which degree they are implemented, and to whom they should report breaches of security and legal requirements.

SIG 3 – Data management
Q27.2 – Has a data controller been identified?
77% yes – 23% no + don’t know
This is related to the previous question: if it is obvious who is the responsible body for security and legal requirements of the service, it should also be obvious who the data controller is. The numbers of yes/no answers are equal, but some respondents have answered no to the first question and yes to the second. This might indicate that they have misunderstood one of the questions.

SIG 3 – Data management
Q27.3 – Did you have to make any changes to your normal data management procedures to implement your telemedicine service?
27% yes – 58% no – 15% don’t know
If yes: One change mentioned was the establishment or improvement of security policies, including responsibilities and an authorization regime for access to certain data. Some of the respondents reported that they had to establish new infrastructure for gathering and exchange of personal health information.

SIG 3 – Data management – literature support
• Directive 95/46/EC (Personal data protection)
• EHMA: “Legally eHealth”. Study on Legal and Regulatory Aspects of eHealth
• UK: Guidance for shared records
• Sellars & Easey: Electronic health records: data protection issues in Europe. In: BNA International World Data Protection Report.

SIG 3 – Risk assessment
Q28.1 – Has an assessment of risks to the information security been performed, i.e. risks to confidentiality, information integrity or availability?
73% yes – 27% no + don’t know
This indicates that there may be a requirement for risk assessment in most of the regions answering the questionnaire. (Is it a requirement in all countries, like it is in Norway?)
Q.35, SIG 4 – asks whether they have methods in place for risk management of devices and/or systems of the telemedicine service (e.g. to ensure effectiveness, security and safety).

SIG 3 – Risk assessment – literature support
• ISO 27002
• ISO 27799
• ISO 27005
• ENISA’s web site on Risk Management

SIG 3 – Security issues
Q29.1 – Does the telemedicine service give a healthcare professional or other health service employees access to patients’ health information?
58% (15) yes – 35% no – 8% don’t know
More than one third of the respondents state that their service does not give access to patients’ health information. This indicates that the term “access to patients’ health information” is not interpreted in the same way by all respondents. Listening to and viewing patients via video conference systems also implies access to patients’ health information. We would assume that nearly all of the 26 services imply access to patients’ health information.

SIG 3 – Security issues
If Yes – which methods of authentication are used to obtain access to the telemedicine service, including the patients’ health information?
It seems that this question was not answered by those whose reported service is based on video conferencing. Most video conference services have no direct authentication method.

SIG 3 – Security issues
Q29.2 – Is the user automatically logged out from the system/service after a certain idle time (i.e., does the application time out)?
77% yes – 8% no – 15% don’t know
Timeout is one of several precautions to prevent access by unauthorized persons. It is used in the services described by three fourths of the respondents. However, it is not suitable for all types of services: for infrastructure services like a health network or a call centre, it is not obvious that the service should be closed in periods of no traffic.
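The idle-timeout control discussed on this slide, together with its caveat that infrastructure services should not be closed just because there is no traffic, as an added example (not code from the MOMENTUM project or any of the services surveyed): a small in-memory session store in Python where interactive sessions expire after a configurable idle period while sessions of kind INFRASTRUCTURE are exempt. The `SessionStore`, `ServiceKind` and `FakeClock` names, the 15-minute default, and the simulated activity timeline are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
import time


class ServiceKind(Enum):
    INTERACTIVE = "interactive"        # clinician workstation, patient portal
    INFRASTRUCTURE = "infrastructure"  # health network link, call-centre queue


@dataclass
class Session:
    user: str
    kind: ServiceKind
    last_activity: float  # seconds on the store's clock


class SessionStore:
    """In-memory sessions with an idle timeout (assumed design, not the project's)."""

    def __init__(self, idle_timeout_s: float = 900.0, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s   # 15 minutes by default (assumption)
        self._clock = clock                    # injectable so the example is deterministic
        self._sessions: dict[str, Session] = {}

    def login(self, session_id: str, user: str, kind: ServiceKind) -> None:
        self._sessions[session_id] = Session(user, kind, self._clock())

    def _expired(self, s: Session) -> bool:
        # Infrastructure services (the slide's health network / call centre case)
        # are not closed in periods of no traffic; only interactive sessions time out.
        if s.kind is ServiceKind.INFRASTRUCTURE:
            return False
        return self._clock() - s.last_activity > self.idle_timeout_s

    def is_active(self, session_id: str) -> bool:
        """True if the session exists and has not idled out; expired sessions are dropped."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        if self._expired(s):
            del self._sessions[session_id]
            return False
        return True

    def touch(self, session_id: str) -> bool:
        """Record user activity. Returns False if the session had already expired."""
        if not self.is_active(session_id):
            return False
        self._sessions[session_id].last_activity = self._clock()
        return True

    def reap(self) -> list[str]:
        """Drop every idled-out session (what a background timer would do) and report them."""
        expired = [sid for sid, s in self._sessions.items() if self._expired(s)]
        for sid in expired:
            del self._sessions[sid]
        return expired


class FakeClock:
    """Manual clock so the constructed scenario below runs the same way every time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> dict:
    """Constructed scenario: one clinician session and one network link over ~27 minutes."""
    clock = FakeClock()
    store = SessionStore(idle_timeout_s=900.0, clock=clock)
    store.login("s1", "dr.berg", ServiceKind.INTERACTIVE)          # name is constructed
    store.login("s2", "health-network-link", ServiceKind.INFRASTRUCTURE)

    clock.advance(600)          # t=600: clinician is working
    touched = store.touch("s1")
    clock.advance(600)          # t=1200: 600 s idle, under the 900 s limit
    active_at_1200 = store.is_active("s1")
    clock.advance(400)          # t=1600: 1000 s idle, over the limit
    reaped = store.reap()
    return {
        "touched": touched,
        "active_at_1200": active_at_1200,
        "reaped": reaped,                                # ["s1"]
        "clinician_after_reap": store.is_active("s1"),   # False
        "link_after_reap": store.is_active("s2"),        # True: exempt from timeout
    }


if __name__ == "__main__":
    print(simulate())
```

The exemption is deliberately a property of the session kind rather than of the user, so that a call-centre queue or network link cannot be kept alive merely by logging in as a privileged person; what is exempted is the infrastructure channel, and interactive work on top of it still times out.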

SIG 3 – Security issues
Q29.3 – Is the data transfer (i.e., the communication) encrypted?
77% yes – 12% no – 12% don’t know
Q29.4 – Is the communication performed via a VPN connection?
50% yes – 35% no – 15% don’t know
Only three of the respondents have answered “no” or “don’t know” to both questions. This means that 23 of the 26 respondents (88%) have answered “yes” to either “encrypted communication” or “use of VPN” or both.

SIG 3 – Security issues
Q29.5 – Is all access to the system/service logged?
81% (21) yes – 0% no – 19% don’t know
If Yes – Does anyone inspect the logs?
71% (15) yes – 5% no – 24% don’t know
The purpose of having logs can be questioned if they are not inspected. Logging is important for discovering unauthorized access – in retrospect. Logging also helps indirectly, as a warning or a “scarecrow”.
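The point that logs only help discover unauthorized access if someone actually inspects them, as an added example (not code from the project or the surveyed services): a Python log inspector that parses a constructed access-log format and flags three things a reviewer would look for in retrospect: users not on the authorised roster, access during an off-hours window, and repeated denied requests from one account. The log format, the user names, the patient identifiers, the window of 00:00 to 06:00 and the threshold of three denials are all assumptions for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed log format (assumption): ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed access record, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def inspect(lines, authorised_users, off_hours=(0, 6), denial_threshold=3):
    """Inspect access-log lines and return a list of findings as tuples.

    Finding kinds: unknown_user, off_hours, unparseable, repeated_denials.
    Order follows the log; the per-user denial summary is appended at the end.
    """
    findings = []
    denials = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A line that cannot be parsed is itself worth a look: tampering or a
            # logging defect both show up this way.
            findings.append(("unparseable", line.strip()))
            continue
        if rec["user"] not in authorised_users:
            findings.append(("unknown_user", rec["user"], rec["patient"]))
        if off_hours[0] <= rec["ts"].hour < off_hours[1]:
            findings.append(("off_hours", rec["user"], rec["ts"].isoformat()))
        if rec["result"] == "denied":
            denials[rec["user"]] += 1
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append(("repeated_denials", user, n))
    return findings


# Constructed sample log: names and patient ids are invented for the example.
SAMPLE_LOG = """\
2013-04-08T09:02:11 user=dr.berg patient=P-1042 action=view result=ok
2013-04-08T09:05:40 user=nurse.ek patient=P-1042 action=update result=ok
2013-04-08T02:17:03 user=dr.berg patient=P-2201 action=view result=ok
2013-04-08T10:11:52 user=guest7 patient=P-1042 action=view result=ok
2013-04-08T11:00:01 user=nurse.ek patient=P-3310 action=view result=denied
2013-04-08T11:00:09 user=nurse.ek patient=P-3310 action=view result=denied
2013-04-08T11:00:15 user=nurse.ek patient=P-3310 action=view result=denied
garbage line without structure
"""

# Assumed roster of accounts that are allowed to use the service.
AUTHORISED = {"dr.berg", "nurse.ek"}


def run_example():
    """Run the inspector over the constructed sample and return its findings."""
    return inspect(SAMPLE_LOG.splitlines(), AUTHORISED)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Each rule is cheap enough to run nightly over the previous day's log, which is the retrospective inspection the slide has in mind; the roster check in particular is only as good as the list of authorised accounts, so that list has to be maintained by whoever the data controller turns out to be.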

SIG 3 – Security issues – literature support
• The European eHealth benchmarking III study
• Vaibhav & Brewer: Telemedicine Security: A Systematic Review

SIG 3 – Privacy training
Q30.1 – Have all personnel had privacy training?
73% (19) yes – 27% no + don’t know
If Yes – How often is the training repeated?
58% (11) “on request” – 5% (1) never – 21% (4) don’t know

SIG 3 – Security issues
Q30.2 – Are staff contracts and insurance in your organisation adequate for covering their use of your telemedicine system(s)?
50% yes – 15% no – 35% don’t know
Input needed...

SIG 3 – Privacy training – literature support
• US Department of Health and Human Services
• Books and training programs
• E-learning courses

Legal, regulatory and security issues – highlights
• Legal hindrances are exaggerated. Lack of clarity concerning reimbursement is the real problem
• The significance of liability and/or responsibility issues is played up; there is no need for guidelines
• The difference between services including patient consultations and services that do not: need for classification of services
• Consent: Telemedicine services are so special that a separate consent is necessary in addition to the general consent to medical treatment given by the patient
• Skills in privacy and information security are not good enough when so many of the respondents are unaware of who is responsible for data security of their telemedicine service