E-veselība Latvijā

E-health in Latvia
E-HEALTH IN LATVIA
No.2.4.1-7/2014 | Riga, 2015 |
1
E-health in Latvia
Audit Report
Does the Project “E-health in Latvia” is a Step towards the Right Direction?
Expediency Audit “Information Systems in Healthcare”
The audit was carried out in accordance with audit task No. 2.4.1-7/2014. of the Third
Audit Department
Dated 31 March 2014.
2
E-health in Latvia
Cover images from websiteswww.sadanduseless.com, www.vmnvd.gov.lv.
SUMMARY
Objective
The objective of the audit was to verify

whether the work carried out by the Ministry of Health and the National Health Service for
implementation of e-health is efficient, productive and guided towards attainment of the
determined objectives;

whether the funds invested in the project “E-health in Latvia” are used in an economical
and productive manner.
Motivation
The expediency audit was carried out taking into account topicality of implementation of ehealth, noting that although in accordance with the planning document e-health must be
implemented by the end of 2015, and taking into account the funds of 14.5 million euros have
been invested during the last nine years, none of the e-health services is available for users,
although all the providers of healthcare services must begin to use the e-health information
system as of 1 January 2016 (in out-patient and in-patient treatment, for digital entries for
referrals, digital prescriptions, and sick leave certificates).
Main Issue of Audit
Does the service e-health has been implemented so as to attain its objective: promote more
effective provision of healthcare services?
Audit Tasks
To verify, whether the planning documents of the Ministry of Health related to implementing ehealth services are justified and topical.
To verify, whether e-health has been implemented in accordance with the extent, deadlines
and financial resources stipulated in the guidelines and implementation plan.
To verify, whether in the developed e-health information systems security of data and high
protection level of personal (patient) data are ensured.
To verify, whether supervision of implementation of e-health has been effective.
Audit Methods
Requirements of the external regulatory enactments were analysed and mandatory
requirements were identified.
The policy implemented in the e-health and monitoring of its implementation, as well as
activities carried out by National Health Service in implementing the policy were assessed.
Conformity of the e-health system to the data security and personal (patient) data protection
requirements was assessed.
The results of surveys were analysed.
3
E-health in Latvia
Source documents presented by the Ministry of Health and National Health Service were
verified.
Interviews with the responsible officials of Ministry of Health and National Health Service were
conducted.
4
E-health in Latvia
Main Conclusions (see full content of conclusions at pp. 100)
In order to promote more effective provision of healthcare services, the project “Ehealth in Latvia” implemented by the Ministry of Health is a step towards the right
direction, since it supports healthy lifestyle, thus providing an opportunity for patients
to gain better control of their health, will provide valuable and accessible information,
thus promoting justifiable decision making and facilitating more efficient provision of
healthcare services, will issue prescription medication thus promoting more efficient
provision of services to patients at pharmacies.
However, the e-health policy developed by the Ministry of Health will not be
implemented within the initially planned scope and deadline, thus the objective of
this policy – to promote more effective provision of healthcare services will be
attained only partially.
As previously noted, it is necessary and important for the society that the objectives of
the project “E-health in Latvia” are attained, but already at the initial implementation
stages of the project there were significant deficiencies (mistakes) discovered: lack of
involvement of field professionals in development of the project; repeated change of
authority responsible for implementing the project, and inefficient project
management due to lack of necessary supervision of the project.
The Ministry of Health has timely prepared the planning documents on development of eAlthough the Ministry of Health has prepared the planning documents for implementing ehealth, during the last nine years the documents have not been updated and does not
correspond to the current situation.
health, since in healthcare rapidly increased use of information and communications
technologies, however, in preparation of the planning documents field professionals were not
involved, and in-depth impact assessment, study and analysis of healthcare were not carried
out.
The prepared planning documents – guidelines “E-health in Latvia” and implementation plan for
2008-2010 do not correspond to the current situation, all the activities stated in the guidelines
are not being developed, financing is not in accordance with the planned amount and
deadlines, as well as priorities in implementation of e-health have changed.
As the Ministry of Health has not updated the plan for implementation of guidelines, the
developer of the project – National Health Service in 2015 is implementing activities of the
project pursuant to the plan for implementation of guidelines for 2008-2010, which was
Although since the e-health project was commenced nine years ago (since 2007) and the
Ministry of Health has invested 14.5 million euros in the project, as of 1 April 2015 e-health
information system and planned e-services were not available for users.
prepared in 2007.
5
E-health in Latvia
Despite that the Ministry of Health started to implement the e-health policy at the same time
as other European countries, including Estonia, due to too passive implementation of the ehealth policy Latvia is significantly behind the Estonia and in 2013 was in the second last
position in implementation of the e-health policy among European countries. The factors
causing such low assessment are the following:
 Until 2015 46% of activities planned in the guidelines have not been commenced;
 The deadlines of projects have been significantly extended for several times – from the
initial implementation deadline in 2010 to 1 December 2015 (only for e-prescription
information system) and even for longer periods;
 Until 1 April 2015 none of the planned 26 e-services were available for users outside the
premises of National Health Service, even in the test environment, as well as there is a risk
that as of 1 January 2016 some of the 31 e-services will not be available for users.
Despite that the Ministry of Health had the financing to provide that the solutions of the
stage I of the e-services project are available for use (in production environment) within the
planned term, i.e., as of 2013, however, in practice the e-health information system is not
available for users, and the Ministry plans to partially put the e-health system in service as of
2016, thus the financial benefits of 3 million euros, which were estimated by National Health
Service have not been saved and used for provision of other healthcare services.
In the opinion of the State Audit Office, there is a risk that the e-health information system
will not gain popularity among inhabitants and providers of healthcare services, since the ehealth system is not understandable and available for everyone.
Although the deadline for implementation of the project “E-health in Latvia” is near, activities
carried out by the Ministry of Health to popularize, inform and estimate the users have not
been sufficient, since:
 Roughly 17% of medical personnel do not have access to computer with internet
connection at place of work;
 Up to 41% of medical personnel have only average or weak computer skills and ability to
use internet;
 Only 11% of medical staff and pharmacists are sufficiently informed of the project;
 Within the scope of a pilot project e-health services available at website www.latvija.lv have
been used by only 9% of the inhabitants (the e-services were available as of 13 August 2010
until 1 October 2013);
 47% of inhabitants have a general knowledge of the e-health project and the planned eservices, and in average only 11% are informed of the planned benefits.
Since the Ministry of Health has not updated the plan for implementation of guidelines for
It has been discovered that during the project there has been a lack of planning activities,
and management and control have been ineffective, resulting in wasteful and unproductive
use of 760 thousand euros of the funds granted for the project.
2008- 1010, the actual implementation costs of certain e-health activities significantly differ
6
E-health in Latvia
from the estimated costs, that is, in the costs stated in several items are by 81% smaller than
estimated, and in other items up to 127% greater than planned.
The total actual costs of activities managed by National Health Service exceed their total
estimated costs for 154,364 euros, and towards the deadline of the project the actual costs
tend to increase.
Due to incomplete procurement documentation or development of inefficient e-health
solutions, as well as due to delayed implementation of e-health, there is a risk that improving
the initially developed e-health solutions funds of 48,406 euros have been invested
inexpediently.
During implementation of the guidelines funds of 196,292 euros have been invested
inexpediently, for instance, for financing conception and development of technical
specifications for the activities, which are not being continued any more.
There is a risk that the objectives of the e-health projects co-financed by European Regional
Development Fund will not be attained, thus the funds of 11,352,647 euro, invested in
projects may be recognised as used inexpediently.
Implementation of the e-health projects co-financed by European Regional Development Fund
is not in conformity with requirements stipulated in the European Community legislation, since
although the term for all the stage I projects was due in December 2014, final assessments of
the projects were rescheduled several times, and taking into account that successful
implementation of the stage II project is closely related to the results achieved during stage I,
there is a risk that during the final assessments it will be concluded that objectives set for the
projects have not been reached.
During the audit it was established that until 1 April 2015 the development of the required
data security and personal data protection solutions of e-health information system were
not completed, and there is a risk that the system will not be completed also until 1 January
2016, when all the providers of healthcare services will be obliged to use the system.
Despite that security of data within the context of e-health was initially recognised as crucial,
National Health Service has for a long period remained at the initial state of implementation of
the e-health information system security management, and has not yet drafted all the
necessary regulatory enactments establishing provisions for information systems safety
management, including provisions for risk management, testing continuity of activities and user
management standards.
National Health Service has not commenced registration of processing of natural person data of
e-health information system in the Data State Inspectorate, it will be possible to commence
registration only after all the aforementioned regulatory enactments will be developed, as well
as there is a risk that during registration and pre-registration inspections deficiencies may be
identified, which have not been previously discovered and which may require additional period
for elimination.
Security audits of the e-health information system have been carried out only in test
environment system with limited functions and without involving systems security manager,
also National Health Service has not yet summarised and assessed the results of external
security audits and at the highest level identified deficiencies and submitted to the
National Health Service has failed to provide preconditions for high security level of
7
protection of patient data.
E-health in Latvia
management of the institution recommendations for eliminating the deficiencies, providing an
action plan, deadlines and defining responsible persons.
All the medical data of all patients are by default freely accessible in the e-health information
system for all medical personnel without assessment of all the actual needs and necessity of
access to such detailed information and is in contradiction with recommendations of the
European advisory body, thus at the beginning increasing the number of unjustified processing
of data resulting that society will not be willing to trust the service.
Also, currently there are very limited opportunities patients to restrict access to their personal
data – they have to choose whether trust their medical data to all the medical staff or restrict
access to all of them.
As of now National Health Service has not been able to independently in systematically large
volume identify all the cases of unjustified processing of natural person data and act
accordingly, since:
 Audit trail creation and identifying functionality does not operate to full extent;
 Effective control mechanism and clear criteria have not been developed, it has not been
established, how to identify unjustified processing of data in audit trails, lists of data
processing events at risk are not being created thus detailed analysis is not performed.
In the opinion of the State Audit Office, there is a risk that quality, accuracy, and credibility
of information available at the e-health information system may be doubted, since National
Health Service avoids responsibility by delegating it to medical institutions.
Although National Health Service as the manager and operator of e-health system is
responsible for quality of data and for activities carried out by the persons who performs
processing of data, the Service is planning to delegate several responsibilities to the medical
institutions themselves, thus avoiding responsibility for several significant functions, such as
granting, control and annulment of user rights for medical institution employees, accuracy and
justifiability of patient medical data collected in e-health system. As a result, the users do not
have any technical barriers for access to all the patient medical data, a doctor even may annul
information entered by other doctor.
Supervision and control of e-health implemented by the Ministry of Health has not been
sufficiently effective.
The Ministry of Health has not prepared all the informative reports on progress of
implementing e-health policy pursuant to the regulatory enactment of the Cabinet of Ministers,
as well as due to ineffective supervision the project is being implemented too slowly without
seeking solutions to all the identified problems, and the financing has been invested
inexpediently.
8