Barwon Health gets set to upload discharge summaries

Geelong’s Barwon Health is working on the functionality to upload discharge summaries to the PCEHR, which it plans to do through its BOSSnet clinical information system. Barwon Health’s CIO Ann Larkins said while it was connected through the National Prescription and Dispense Repository (NPDR), it had not yet achieved the eDischarge capability.

There are now over 200 public hospitals, both large and small, in Queensland, NSW, South Australia, Tasmania and the ACT that have PCEHR discharge summary capability. Some of those connected hospitals also have the ability to view a patient’s PCEHR either from within clinical software, or in the case of Queensland through its The Viewer portal.

Ms Larkins said Barwon Health was very much in the project initiation stage and was just kicking off, but would be allowing its clinicians to upload discharge summaries directly through its BOSSnet clinical information system rather than through the Healthcare Information and PCEHR Services (HIPS) application designed by SA Health and licensed to NEHTA.

“We are doing it through BOSSnet because we already have that functionality built in for medications, which have been going up directly to the PCEHR from BOSSnet for the best part of a year,” she said. “We will use that same build to get discharge summaries up as well.”

South Australia is using HIPS for its metropolitan hospitals, which have been uploading discharge summaries since last year. NSW is predominantly using clinical information systems, including Emerging Systems’ EHS at St Vincent’s Hospital and the Cerner system used in many other public hospitals.

Exploit vulnerabilities found in CDA do not affect PCEHR core: expert

The discovery of a set of vulnerabilities that could potentially lead to malicious content being added to clinical documents created using the clinical document architecture (CDA) standard is not a likely threat to the security of the PCEHR, a CDA expert says.

In early April, US physician and programmer Joshua Mandel revealed that he had discovered that certain style sheets used to display CDA documents in many commercially available electronic health record systems in the US could potentially leave those EHRs vulnerable to attacks from malicious code attached to CDA documents.

The vulnerabilities are of concern to Australian vendors of EHRs and secure messaging services, which also transfer CDA documents, as well as to the operators of the PCEHR, as CDA is used for all of the clinical documents uploaded to the system.

Australian CDA expert Grahame Grieve said Dr Mandel had found the problem in some EHR systems that are in production use, and traced it to an HL7-designed style sheet, derivations of which are used by many EHR vendors as well as in the PCEHR to render CDA documents for viewing.

Mr Grieve said the problem was not an attack on the CDA itself but on the ‘transform’ used to view it.

“Technically, CDA is a static XML form that converts it to HTML form that you can write in the browser,” he said. “The way you create this vulnerability is that you insert some content into the CDA that activates during the transform and does things that you do not expect once the HTML is loaded in the browser. So this is not an attack on CDA itself – it is an attack on the transform that people use to view the CDA.”

Mr Grieve said that in his opinion, while there was the potential to exploit this vulnerability, the threat profile for the PCEHR was very low.

“The PCEHR itself or any other CDA exchange system are completely unaffected by this. The issue only arises when that transform runs and the documents are displayed ... The PCEHR core itself is not affected.

“You can’t just sit at home and try hacking this. You’ve basically got to compromise a certified system. Now that is possible, but it’s much harder work than running scripts that pursue known exploits.”

He said there were concerns for software vendors outside of the PCEHR context, including for secure messaging vendors that use file-based transfer to transfer documents from clinical systems to message delivery systems. However, if a hacker wanted to attack the PCEHR, there were much more
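Because the issue arises only when the transform runs, a viewer can check a CDA document for active content before handing it to the rendering style sheet. The following is an added example, not code from the article or from any vendor named in it; the element and attribute names it checks, the accepted URL schemes and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumptions for this example: where URLs may reach the rendered HTML,
# which schemes a viewer accepts, and which HTML elements are never expected.
URL_SINKS = {("linkHtml", "href"), ("reference", "value")}
SAFE_SCHEMES = {"", "http", "https"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

# Constructed sample: one harmless link, one script-scheme link, and a
# table carrying an event-handler attribute.
SAMPLE = """<ClinicalDocument xmlns="urn:hl7-org:v3">
 <component><section><text>
  <paragraph><linkHtml href="https://example.org/leaflet">leaflet</linkHtml></paragraph>
  <paragraph><linkHtml href="javascript:void(0)">results</linkHtml></paragraph>
  <table onmouseover="void(0)"><tbody><tr><td>Hb 140</td></tr></tbody></table>
 </text></section></component>
</ClinicalDocument>"""

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to names."""
    return name.rsplit("}", 1)[-1]

def audit_cda(xml_text):
    """Return (element, attribute, reason) findings; an empty list is clean."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs and entity tricks outright
        return [("document", "", "DOCTYPE not allowed")]
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = local(el.tag)
        if tag.lower() in ACTIVE_TAGS:
            findings.append((tag, "", "active HTML element"))
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):
                findings.append((tag, name, "event-handler attribute"))
            elif (tag, name) in URL_SINKS:
                # Browsers ignore whitespace and control characters here.
                cleaned = "".join(c for c in value if c > " ")
                scheme = urlsplit(cleaned).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    findings.append((tag, name, "URL scheme " + scheme))
    return findings

if __name__ == "__main__":
    for finding in audit_cda(SAMPLE):
        print(finding)
```

A document that produces findings should be rejected or displayed as escaped text. The check complements output escaping in the style sheet itself and does not replace it.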

Pulse+IT Magazine - May 2014
