
     
     
     

    Preface

     

    The Nordic eHealth group forms the basis for ongoing knowledge sharing across the Nordic countries regarding strategic issues within digitalisation in healthcare. Digitalisation is increasingly becoming a central means for supporting the delivery of healthcare services around the globe. The Nordic region is regarded as a frontrunner when it comes to the implementation and use of digital solutions. As part of the Nordic eHealth group, work is being carried out regarding indicators and standardization. This report is the result of the indicator work carried out by the subgroup called the Nordic eHealth Research Network (NeRN). The aim of the work of the group is to provide a foundation for benchmarking across the Nordic countries and support policymaking in the countries, hence the subtitle “towards evidence informed policies”.

    We hope you will find the report interesting. The work of the group continues building on top of the knowledge gathered in this report.

     

    On behalf of the Nordic eHealth group.

    Kenneth B. Ahrensberg, chairman of the group 2017-2019

     

    1. Introduction

     

    The Nordic eHealth Research Network (NeRN) was established by the Nordic Council of Ministers (NCM) eHealth group in 2012. The objective was to develop, test, and evaluate a common set of indicators for monitoring eHealth in the Nordic countries, Greenland, Faroe Islands and Aaland, for use by national and international policy makers and scientific communities to support the development of Nordic welfare.

    The results of the network’s first Mandate period (2012–2013) were published in the Nordic Council of Ministers report (1). It contained a methodology for generating eHealth indicators by combining top-down and bottom-up approaches. It also tested the methodology with four common Nordic Indicators, measuring the availability of certain eHealth systems/functionalities and the use of particular functionalities.

    The results of the network’s second Mandate period (2013–2015) were also published in a Nordic Council of Ministers report (2). The publication extended the list of common Nordic eHealth indicators, reported lessons learned and recommendations to achieve efficient and easy-to-use benchmarking information. Benchmarking results were presented in the report on altogether 49 common eHealth indicators.

    The network’s third mandate period (2015–2017) delivered recommendations for the long-term management of earlier work (3). The research network proposed a system for collecting, analyzing and publishing the effects and benefits of the investment in eHealth and the comparisons between the Nordic countries. Furthermore, the research network analyzed how the network outcomes can be used in a European, WHO, and OECD context. As a third task, common indicators that can be used to analyze and compare patients’ and citizens’ use and experiences of eHealth services were identified and presented.

    This publication reports the outcomes of the following five tasks:

    1.1 New analysis of eHealth policies in the Nordic countries

    The national eHealth strategies were analyzed and compared in the previous report, and as not all countries have issued new strategies on eHealth, it has not been suitable to perform a new comparative analysis of strategy documents. Instead, an analysis of the impact of policies and governance efforts in the Nordic countries has been performed. An institutional theory approach is applied in the analysis, and national representatives for all the countries have been interviewed about key issues. Such a comparative analysis has never been performed before, and a significant result is that the institutions behind the national strategies, despite an ambition to accelerate the innovation and renewal process, do not provide a description or indication of the time perspective, of how the achievements will be analyzed, or of which institution will be responsible for follow-up procedures. The results of the analysis give an overview of issues that need to be solved and improved to reach innovation and sustainability in the area, both at the country level and at the macro level.

    1.2 Updating common indicators in accordance with emerging new policy goals

    Developing a list of common indicators for monitoring availability, use and outcome of health information technologies in the Nordic countries has been one of the central efforts of the Nordic eHealth Research Network. The approach has been to create a list of indicators mainly based on survey questions used in the individual Nordic countries. The report from this mandate period develops a framework for the indicators to accommodate the shift of focus in the national policies and contributes to the further development of indicators that can be practically monitored in all the Nordic countries. The update is based on a theoretical model for describing clinical adoption of health information systems. This model defines a set of basic dimensions, which are used here to describe aspects that can be monitored by a set of indicators. For each aspect, a concrete example of an indicator is presented, as well as examples of survey questions, some of which have been used in earlier monitoring activities.

    It is concluded that the application of a coherent theoretical framework provides an opportunity to align the surveys done in the Nordic countries to obtain comparable and consistent measures.

    1.3 Developing a Nordic model survey to monitor citizen views on eHealth

    An initial mapping of citizen surveys within the field of e-health in the Nordic countries was conducted during the period 2015–2017.

    During the current mandate period 2017–2019 this work has been followed up through a more detailed examination and comparison of previous national surveys; their content and organization.

    In this chapter, a thorough understanding is provided of how and why citizen surveys are conducted in the different partner countries. It is revealed when surveys have been conducted, how they were organized and who the most important stakeholders were. Furthermore, it is considered how the surveys were financed and how sustainable they are.

    With regard to future studies, it is recommended that the citizen surveys be coordinated to a higher degree than they are today and that their timing be aligned. Three overall topics for the structure are recommended: use/nonuse, consequences of use, and expectations for the future. It is important to ensure that the surveys are based on recognized scientific methods, and finally a discussion of funding models is desirable.

    1.4 Cyber security in the Nordic Countries

    The digital infrastructures in all Nordic countries continue to expand and deepen their entanglement with society. The aim is to offer substantial benefits through deeper, wider, and more reliable coverage of data sources. Consequently, the utilization of information technology in the healthcare sector is just as pervasive as in the rest of society. However, almost all healthcare data is highly sensitive, and as delivery of health services depends on the integrity, availability, and confidentiality of data, ensuring information security is vitally important.

    The aim of this chapter is to establish an understanding of the national and healthcare sector specific security strategies across the Nordic countries. Comparing initiatives at a strategy level can serve as inspiration for strengthening national and local initiatives and may aid in establishing cyber security insight in the Nordic countries.

    1.5 Personas for users of indicators of eHealth availability, use and outcome in the Nordic countries

    In the effort to develop indicators for measuring availability, use and outcome of eHealth a recurring question is: Who can benefit from the indicators we develop? The target group for policy strategies and evidence of status is very broad and complex. It is a real challenge to ensure that data and information is communicated to the right persons in a comprehensible form. Developing fictional personas can be a way of improving the way we work.

    1.6 References

    (1) Hyppönen et al. (2013). Nordic eHealth Indicators. Organisation of research, first results and the plan for the future. TemaNord 2013:522. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2013-522

    (2) Hyppönen et al. (2015). Nordic e-health Benchmarking. Status 2014 TemaNord 2015:539. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2015-539

    (3) Hyppönen et al. (2017). Nordic e-health Benchmarking. From piloting towards established practice. TemaNord 2017:528. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2017-528

     

    2. Impact of the E-health strategies in the Nordic countries – an analysis using Institutional Theory

    2.1 Introduction

    Institutional theory has traditionally been used to study the impact of policies in public administration (Thoenig 2003; Frumkin and Galaskiewicz 2004; Rigg and O’Mahony 2013; Sorensen 2014) and in organizational fields. Characteristics of these fields include (i) that they adopt similar logic and routines for organizing services to citizens, (ii) that they undergo and gradually adopt a process of institutionalization, (iii) that they perform similar changes and routines for organizing the delivery of innovative services to citizens, and (iv) that they introduce new structures that support the innovation and renewal of the area.

    At a macro-level, institutional changes are supposed to be a consequence of the action of regulative, normative and cultural mechanisms that operate at different levels (DiMaggio and Powell 1983; Scott 1995). However, the forces that influence and determine the level of impact or changes in an organizational field are: (i) formal and informal rules, (ii) monitoring and enforcement mechanisms, and (iii) systems of meaning that define the organizational context within which individuals, corporations, labor unions, governmental and non-government organizations (NGOs), consulting organizations, professional associations and academic institutions operate and interact with each other (Campbell 2004; Scott 1995).

    One criticism against institutional theory has been that it serves solely to illuminate or describe institutional structures rather than to critique how power may operate within them and/or how their structures may be steeped in any forms of bias. Consequently, institutional theory does not provide insights into the individual motivations that lead people/organizations to behave outside prescribed norms, or into the changes that follow when that happens.

    The e-health area (in which health and social care are included) is a complex industry with practices embedded in various institutional networks and characterized by their own rules, regulations and forms of authority. Furthermore, most health and social care organizations cannot operate independently. The adoption of e-health services is consequently influenced by institutional forces resulting from the relationships that occur between different institutions at different levels (hospitals, nursing homes, labs, pharmacies, consulting specialties etc.) and from the normative pressures from partnering organizations. As such, the e-health area can be considered an institutional environment in which socially defined norms occur and prescribe how to behave and interact with each other in an efficient manner. Moreover, institutional environments in e-health are not static, and actors belonging to different institutions have the ability to create change to and within those environments (Coburn, 2004; Woulfin, 2016). This consequently leads to changes in the institutional order of the area (i.e. newcomers: entrepreneurships that offer alternative channels of access to the services) and pushes actors to make decisions on a) division of labor and/or division of power, b) reallocation of resources, and c) establishing the legitimacy of new institutions of entrepreneurships.

    Over time, norms, policies and praxis become “institutionalized” as they are gradually established via sets of formal rules, programmes for action and implementation of systems. This process of institutionalization gives rise to the formation of institutions, which are primarily associated with stability and establishing rules, beliefs and routines that describe and prescribe reality for organizations (Rigg and O’Mahony 2013). The process of institutionalization can be further influenced by the institutional entrepreneurs and the perception of their value in the innovation and renewal process and of the value of their contribution to the implementation of the policies.

    In the e-health area, succeeding in integrating services with systems requires that service and system integration has a positive impact on the quality of care, that leaders are committed to stimulating organizational learning and acceptance of changes, and that there is a clear description of the impact and outcomes. Policies and strategies in the area consequently have a strong influence on (i) how actors organize their work (Meyer & Rowan, 2006), (ii) how external actors, for instance technology companies’ entrepreneurs, influence them, (iii) how organizations in an institutional field interact with each other and/or (iv) how organizations in an institutional field are to some extent dependent upon each other (Scott, 2001). It seems, consequently, that we need to pay attention to the e-health institutional contexts if we want to see e-health strategy efforts flourish. Moreover, e-health is in a unique context of pressures, developmental expectations, policy gaps, and infrastructure. This context matters in how successfully health and social care organizations implement large-scale changes such as the ones described in the e-health strategies (Buchanan, 2015; Datnow, Park, & Kennedy-Lewis, 2013; Elmore, 2005).

    2.2 Aim

    E-health policies and/or strategies, which are enacted in the Nordic countries within the same institutional field, aim to innovate health and social care, improving quality and facilitating safe and secure access to health and social care services through digital services that innovate and renew the area. In this report, we identify institutional actors, as well as regulative, normative and cultural mechanisms that play an essential role in the realization of the e-health strategies in the Nordic countries.

    2.3 Method

    A descriptive case study as described by Yin (2014) was performed aiming to elicit better understanding, and to compare and identify the different institutions and actors as well as regulative, normative and cultural mechanisms that play a key role in the institutionalization process of the e-health strategies within the Nordic countries.

    Data have been sampled in several steps and from different sources. Besides a review of the existing reports and previous publications (policy analysis) related to the case (Hyppönen et al. 2013; Hyppönen et al. 2015; Hyppönen et al. 2017), interviews with representatives from the Nordic countries in the Nordic e-health Stakeholder Group (“eHealth Group”) were conducted. The interviews were performed with the representatives of the “Nordic Ministers eHealth Group” by the co-authors of this report. The interviewers used a guide in which a total of 20 questions were asked. Institutional theory principles were used to develop the interview guide. The interviews were performed either by Skype or in situ. The interview guide comprised questions related to the regulative, normative and cultural mechanisms that contribute to realizing the core and main issues described in the strategies.

    The analysis process of the gathered data followed a comparative case study analysis as described by Yin (2014). Statements from the interviewees were listed in a matrix that allowed comparison of similarities and differences of the findings.

    2.4 Key concepts

    For the purpose of this chapter, we outline some key concepts of institutional theory, focusing on the role of institutions that operate as agents of change as a consequence of the national strategies and that establish a shared responsibility among the organizations in charge of providing services and making them accessible to people:

    • Actors are the individuals and/or organizations who carry logics and live with the governance structures.
    • Governance structures are the rules and norms that dictate how the institutional environment functions.
    • Organizational field consists of a series of organisations with similar business, commercial, or public service interests: also included are suppliers of services, resources, and/or products, customers and consumers, government agencies, and other stakeholders (DiMaggio and Powell 1983; Scott 1995, 2004).
    • Institutions are primarily associated with stability and establishing rules, beliefs and routines that describe and prescribe reality for organizations (Rigg and O’Mahony 2013). Organizations or actors that deliver good services or products, must appear legitimate by displaying a degree of conformity with the institutional environment with which they interact (Thoenig 2003; Villadsen 2013). Institutions help to provide some degree of stability and continuity with regards to organizational processes (Garud et al. 2007).
    • Institutional entrepreneurs act as agents who initiate and actively participate in the implementation of changes that diverge from existing institutions, independent of whether the initial intent was to change the institutional environment and whether the changes were successfully implemented (Battilana et al. 2009: 72). “Such changes might be initiated within the boundaries of an organization or within the broader institutional context within which the actor is embedded, and might lead to the creation of other communities” (Thoenig 2003, p. 129) in which new expectations, behaviors, cultural values and beliefs are channeled and stabilized.
    • Innovation is a significant positive change. It is a result, or an outcome achieved to solve important problems from a process that involves multiple activities to uncover new ways to do things. Innovations are expected to create bigger opportunities and are critical for the survival, economic growth, and success of a company/organization. Innovation helps developing original concepts, and to identify new opportunities and methods to solve current problems.
    • Regulative mechanisms are mechanisms embedded in regulatory processes and include rules and policies that influence future behaviour.
    • Normative mechanisms typically originate in and are applied by actors in professional and standards bodies, non-government organisations (NGOs), consulting organisations, professional associations, academic institutions, etc. and focus on values and norms that introduce prescriptive and obligatory dimensions to social or organisational life (Scott 1995).
    • Cultural or mimetic mechanisms originate in socially constructed symbolic systems, cultural rules and socially shared perceptions and understandings.

    2.5 Results

    In this section we first present the knowledge acquired from the analysis of the policy documents performed in previous studies (Hyppönen et al. 2015; Hyppönen et al. 2017). Then we present the outputs obtained from the interviews with the representatives of the “Nordic Ministers eHealth Group”.

    2.5.1 Acquired knowledge from previous analyses of the policy documents

    Previous analyses of the national strategies for e-health in the Nordic countries (2012 and 2017) have shown that all policy documents contained goals and statements about how to empower and activate patients/citizens in the management of their own health. Furthermore, the documents contain, in general, a large number of statements and sections about general aims or goals to be achieved, grouped into two main sub-groups: 1) healthcare services, 2) health-IT services.

    1. Statements and sections about healthcare services: All policy documents contain statements about improving the quality of healthcare services and about improving the effectiveness of the healthcare services. However, while statements about improving the support for healthcare processes are most prominent in the Norwegian and Danish e-health policies, the Swedish document places more emphasis on using ICT as a tool to instigate change in healthcare organizations.
    2. Statements and sections about health-IT (e-health) services: All policy documents contain goal statements about improving access to relevant health information through IT-services and about improving information security and privacy. All policy documents also contain goal statements about making more data available for secondary use. However, it is interesting to note that some differences exist. For instance: (i) the Norwegian and Danish documents laid greater emphasis on this aspect than the policy documents from the other Nordic countries. (ii) Policy documents from Sweden and Denmark put emphasis on improving the usability of the systems. (iii) Statements about improving the IT-architecture were most prominent in the earlier Finnish policy documents (especially in the 2007 eHealth roadmap).

    The strategic policies also contain plans, purposes and goals to be achieved as well as descriptions/suggestions of measures to be used. They do not, however, indicate whether some or all of the plans and goals will be achieved in the short or in the long run, or whether they focus on health or social care. Nevertheless, plans and goals, as described in the policy documents, have shown a correspondence between identified goals and expectations and included questions and aims such as: 1) establish IT architectures and IT-services, 2) standardization activities, 3) enhance information security and privacy, 4) improve access to data for secondary use, 5) establish law and regulatory frameworks, 6) other country-specific goals to be achieved, for instance innovation, quality of software, etc., and 7) focus on equal access to services, empowerment of citizens, usability and e-health literacy.

    1. Plans for establishing IT architectures and IT-services: All policy documents describe measures to be taken for the establishment of common IT- services. Measures to establish IT-services for clinicians are most common in policy documents from Norway and Sweden, while plans and measures to establish patient portals and other IT-services for patients are most prominent in the Swedish, Icelandic and Finnish documents. Measures to establish a common IT-architecture are most often mentioned in the Finnish eHealth roadmap 2007. Measures for common IT-architecture are included in one strategic target in the 2015 Finnish strategy.
    2. Plans for standardization: Most prominent in the policy documents from Finland, Sweden, Norway and Iceland.
    3. Plans to enhance information security and privacy: Most prominent in the Finnish and Icelandic policy documents.
    4. Plans to improve access to data for secondary use: Most prominent in Sweden and Norway. However, the policy documents included in the study performed in 2017 do not mention which strategy will be used to realize or concretely implement such measures. In the Finnish 2015 strategy, secondary use of patient data is one of the five target areas, with enactment of legislation on secondary use and measures for developing infrastructure to assist secondary use as key measures.
    5. Plans for establishing law and regulatory frameworks: Present in all policy documents.
    6. Other country-specific goals: Related to specific goals a country considers of importance for the achievement of the goals described in the strategies, for instance plans to support innovation, mentioned only in the Swedish and Finnish (2015) strategies, and plans for enhancing the quality of software implemented and used in the healthcare sector, mentioned in the Finnish strategy. The Icelandic strategy mentions the need for EHR systems to be in congruence with law, regulations and applicable standards.

    An interesting observation is that all strategies identify the importance of different stakeholders for the realization of the strategies. Clinicians and patients are described as key stakeholders in almost all policy documents. Healthcare leaders and health policy makers are specially identified and mentioned as stakeholders in the policy documents from Sweden, Denmark, Norway, Iceland and Finland. IT-service operators and vendors of e-health systems are only mentioned as stakeholders in the Danish and Finnish policy documents, and private vendors of healthcare services are only mentioned in the documents from Sweden and Denmark. Social care service providers (joining the national IT-services) are only mentioned in the Finnish policy documents.

    From 2017 onward it is possible to see that, in addition to describing a series of plans and measures to be developed and implemented, the e-health policies from the Nordic countries reflect the large accomplishments of Nordic e-health policy work in the past. The policies consequently reflect a growing awareness of the huge enabling and transformative power that lies within well-designed and integrated e-health services, while at the same time recognizing that the largest benefits from e-health are still to be reaped, for instance:

    1. The use of e-health to empower and activate citizens;
    2. The inherent shift on the goals of the services as a consequence of the building of citizen-centered e-health services that provide access to knowledge resources, that enable the citizen to see his/her prescriptions or to book appointments online, and enable that the citizens’ digital interface becomes his or her preferred channel for interacting with the healthcare system, i.e. that he or she can be provided with healthcare services through that same digital interface;
    3. The strategic importance of making data available to all stakeholders without jeopardizing privacy and trust. Making services more integrated and available is a key issue that can be understood as a reaction to the past practice of building health information silos, and to the consequences that have arisen when the same information is archived in many different systems with similar functionality;
    4. The importance of making systems more usable and of building e-health literacy (i.e. the competencies required for using and for making sense of the applications);
    5. The potential advantages of building e-health systems that make health personnel better at doing their work by facilitating their interaction with the systems;
    6. The need of visualizing the economic benefits from many years of investing in e-health. This aspect is particularly important in the Finnish e-health policies but it is also reflected in the Danish and Norwegian policy documents;
    7. The continued interest in (i) improving healthcare services by building and implementing e-health systems and services, and in (ii) becoming better at organizing e-health projects. It is interesting to note that this specific issue is most explicitly highlighted in the Swedish e-health policy documents.

    2.5.2 Results from the interviews performed with the members of the e-health group

    Regulative, normative and cultural mechanisms that push and pull the institutionalization process of the e-health strategies are described in tables 1 to 3. The Nordic countries are listed in alphabetical order.

    Table 1: Regulative mechanisms: indicators and descriptions 

    POLITICAL AND INSTITUTIONAL STRUCTURE: REGULATIVE MECHANISMS
    Indicators / Description

    Indicator: Policies or strategies.
    A national policy or strategy in place in all countries.
    Denmark: has had e-health strategies since 1996.
    They have been updated 2000–2002, 2003–2007, 2008–2012, 2013–2017 and 2018–2022.

    Finland: has had e-health policies since 1995. Updated in 2007, 2011 and 2015.
    Finland also has other documents, for instance the Ministry of Social Affairs and Health Digitalization Guidelines 2025.
    The e-health Strategy and Action Plan of Finland for the period 2011–2016 focused on eAccess for citizens, an eArchive, ePrescribing, and the patient care summary.

    Iceland: The current strategy spans the years 2016–2020.

    Norway: Has had an e-health strategy since 2013. Current strategy has a five-year perspective, from 2017 to 2021.

    Sweden: Has had e-health strategies since 2005. In 2016, a common vision for e-health, valid up to 2025, was endorsed by the Swedish Government and the Swedish Association of Local Authorities and Regions.

    Indicator: Major focus of the strategy.
    Denmark: Citizen involvement, prevention, quality, data security, interoperability.

    Finland: Digitalization of Public Services and Creating a Digital Business Growth Environment.

    Iceland: Improving access to information and health services, patient safety and quality of care, with efficient use of financial resources, and emphasis on the security of health information.

    Norway: Empowering and activating citizens, making services more integrated and available (One citizen, one health record).

    Sweden: Common endorsement of utilizing e-health and digitization (digital tools) to achieve holistic perspectives of good and equal health.

    Indicator: Laws, policies and regulations of importance for the implementation of e-health services.
    Denmark:
    - Health act (Sundhedsloven), Act of altering the Health act (Lov om ændring af Sundhedsloven)
    - Yearly financial agreements in healthcare (økonomiaftalerne)
    - Minister of Health has the authority to set Standards (not used in practice)
    - Collective agreements with General Practitioners (GP) and other private providers (e.g. specialists).

    Finland:
    - The e-health and eSocial Strategy 2020 (launched in 2015)
    - Digitalization to support health and well-being. Ministry of Social Affairs and Health Digitalization Guidelines 2025
    - KanTa laws (2007) Secondary data usages (2019)
    - Legislation on handling electronic patient/client information (2007) 
    - Electronic prescriptions (2007)
    - Secondary use of patient data (2019).

    Iceland:
    - Law, policy and regulations on a national level.

    Norway:
    - Data Protection Act and privacy regulations including GDPR
    - Patients’ Rights Act (1999)
    - Health Register Act and Patient record act (2014)
    - Health Personnel Act (1999): regulates the right to obtain information for health care personnel.

    Sweden:
    - Patient Data Act (Patientdatalag 2008:355)
    - GDPR
    - The Patient Safety Act (Patientsäkerhetslag 2010:659)
    - E-health is also generally concerned in other healthcare acts/laws.
    Ownership of resources to achieve the goals of the strategy or policy (systems, platforms, portals, record systems, apps etc.).
    Denmark: The involved parties (mainly State, Regions, Municipalities, GP) and private service providers.
    As many resources cross several organizations, ownership can lie with different stakeholders and has historically been negotiated.

    Finland: The national KanTa services provide and own the national KanTa platform. Hospital Districts, regional service providers, municipalities and even private sector providers own the resources needed to implement different applications. Funds are scattered.

    Iceland: Government funding for national e-health projects. The healthcare institutions pay some licensure fee to the vendor for using the EHR system. The Directorate of Health, through government funding, pays for national licensure and development of the national patient portal. The Directorate of Health owns and runs the Icelandic HealthNet, which is free of use for healthcare institutions. The Directorate of Health owns and runs the ePrescription database and the immunization database and those are integrated into the EHR system.

    Norway: Public organizations, State and private service providers.

    Sweden: Since the responsibility for health care is divided between the national government, regions and municipalities in Sweden, the national government does not own systems, platforms, records systems, etc. The national government does sometimes give out grants/funds to county councils for projects regarding e-health. However, the national government (specifically the national e-health agency, E-hälsomyndigheten) does own one system/infrastructure, which is the ePrescription system/infrastructure. This is due to the history of monopoly on pharmacy.
    Beneficiaries from saving resources.
    Denmark: The financial agreement (2011) between the State and the Danish Regions states that any gains go to the Regions. Generally, resource benefits are not managed nationally: up-front budget costs based on business cases are not applied or intended for national management (although this is sometimes done regionally/locally).

    Finland: Beneficiaries from saving resources are Health care organizations, patients and citizens due to possibilities to reallocate resources.

    Iceland: No actual information at this point if savings come up.

    Norway: Health care organizations, patients and citizens

    Sweden: The regional level (county councils and municipalities)
    Organizations that benefit.
    Denmark: Regions may keep and redistribute resource savings.

    Finland: Hospitals, healthcare services county councils, patients etc.

    Iceland: None.

    Norway: Regional and national level, hospitals, healthcare organizations.

    Sweden: The regional level (county councils and municipalities).
    Laws, policies or praxis that regulate the re-allocation of saved resources?
    Denmark:
    - Financial agreements (2011)
    - Extended Total Balance Principle (DUT-princip): If the Government charges e.g. a municipality with extra tasks, funding needs to follow. Conversely, removing tasks will result in a cutback in funding.

    Finland:
    - National principles (case by case, depends on the situation)
    - Municipalities (and Hospital Districts) decide according to their own decision process.

    Iceland:
    - None at this time.

    Norway:
    - None at this time.

    Sweden:
    - There are general laws but no specific one for e-health.
    - The re-allocation of saved resources should be up to the regional level (county councils and municipalities).
    Formal structures created as a consequence of the implementation of the e-health strategy.
    Denmark:
    - National Board of Health IT was established in 2010 with representatives from State, Regions and Municipalities
    - Regional Health IT (RSI) (established 2010)
    - National Health Data Authority (established 2015)
    - Steering committee for shared public system governance of Health IT (Styregruppen for Fællesoffentlig Systemforvaltning af Sundheds-it [FSI])
    - Health Data Programme
    - Numerous steering committees on regional or local levels.

    Finland:
    - Kela Information Department responsible for KanTa platform
    - THL Unit for Operational guidance in e-health and eWelfare services
    - Also a new business based national organization SoteDigi Ab to facilitate digitalization
    - A new Data Authorization Authority established in THL to govern information requests from across registrars or when data is stored in the Kanta-services or private social or health care provider data are requested.

    Iceland:
    - The National Centre for e-health within the Directorate of Health in 2018.

    Norway:
    - The Directorate of e-health was established on 1 January 2016 with two main aims: a) national governance, coordination and standardization; b) catalyst and driver of national e-health solutions for citizens, health providers, and data.

    Sweden:
    - No formal structures created as a consequence of the implementation of the e-health strategy. However, the latest e-health vision is a joint agreement between the national government and the SALAR, and implies a closer collaboration between these organizations.

    Table 2: Innovation and institutional renewal: Normative mechanisms

    POLITICAL AND INSTITUTIONAL STRUCTURE REGULATIVE MECHANISMS
    Indicators Description
    Changes related to the role of the institutions.
    Denmark: National Board of Health IT governs the implementation strategies and follow up on progress.

    Finland: The strategy has strengthened the understanding of the importance of data management among stakeholders in healthcare and social welfare services.

    Iceland: The structure is the same, i.e. on national level.

    Norway: The Directorate of Health is an important actor for the development of the e-health strategy and identification of goals to be achieved. The Norskhelsenett: national as the service provider.

    Sweden: Closer collaboration/cooperation between the national government and the SALAR that has been formed since the latest e-health vision came into place. Thus, no specific changes in the role of the national government or the regional level (county councils and municipalities) have been observed.
    Who controls that the strategy is implemented?
    Who decides to allocate resources?
    Denmark: The Regions and municipalities are charged with implementing and supporting e-health in their organizations, as it is with other administrative and clinical systems and services. Digitalization is however increasingly (has been over the years) generating more responsibilities for e-health in the Regions and Municipalities.

    Finland: Partly national organizations (follow-up) and partly e.g., hospital districts, municipalities. The division of responsibilities between different actors is not coordinated by any official actor.

    Iceland: On a macro level it is the Directorate of Health and the Ministry of Health. On a micro level it is the healthcare organizations themselves.

    Norway: Some evaluation projects have been supported by the Directorate of Health.

    Sweden: The national government and the SALAR have the shared control/responsibility for the implementation of the e-health vision. The national government assigns tasks to national agency, such as the national e-health agency (eHälsomyndigheten) and the national board of health and welfare (Socialstyrelsen), and allocates some funds. SALAR and the regional level (county councils and municipalities) have their own responsibility and allocate their resources.
    Influencers: organizations that influence the level of innovation and renewal of the e-health area.
    Denmark: The State/Government is not the main driver of innovation.
    Innovation and renewal of e-health often come from Danish Regions (Danske Regioner DR) and Local Government Denmark (Kommunernes Landsforening KL). The regions and municipalities have an innovation agenda that includes, for example, the Idea Clinic (Idéklinikken) in the Northern Region or the “South Danish Health Innovation” in Region South Denmark. Locally and on a small scale there is a lot of innovation. Some of these innovations are then lifted to regional or national level through Danish Regions and Local Government Denmark.

    Finland: Several different actors at different levels influence the level of innovation and renewal both directly and indirectly. For instance:
    - Professional associations, foremost Nursing Ass. and Medical Associations
    - Industry, companies and organizations (public and private)
    - Academia.

    Iceland: Reference groups, representatives from medical associations, suppliers, academy, health professionals, etc.

    Norway: Working groups, reference groups with representatives from the sector, medical associations, suppliers, health professionals.

    Sweden: The national government (Ministry of Health), and the SALAR. Professional associations and patient organizations through their involvement as reference groups for the development of the latest e-health vision.
    Interest organizations that influence innovation (patient organizations, interest organizations, other)?
    Denmark: Patient organizations, unions, interest groups and professional bodies (e.g. Danish Society for Digital Health, CIMT, DaCHI etc.).

    Finland: Associations both professional organizations, patients’ organizations.

    Iceland: N/A.

    Norway: Patient and user organizations, groups and professional bodies, business.

    Sweden: Professional associations and patient organizations involved as reference groups for the development of the latest e-health vision.
    Institutional entrepreneurs or private owned healthcare that contribute to create a new institutional order in the area.
    Denmark: The Danish health care system is mostly public. The private market forces do not play a significant role in the Danish health care system due to the public nature of it.

    Finland: Not too many actors can be identified at this time.

    Iceland: No, the same EHR system that has been on the market in Iceland since the 1990’s. Another system emerged around 2005 but is only used in a few private practice settings. One company started a pilot with a hospital in the Northern part of Iceland on telehealth in 2018.

    Norway: N/A.

    Sweden: The reference groups for the first two strategies (2005/2006–2010 and 2010–2016) included private actors. Also, e-health services provided by new private actors, such as digital health visit service (net doctor), have been purchased by the county councils.
    Which new actors (entrepreneurs, privately owned healthcare centers, and specialists) have appeared in the market during the last 3 years?
    Denmark: The private health care market is limited and has not expanded, rather the opposite, after the public health care sector has been able to shorten waiting lists (there are guarantees regarding how long a patient should wait for diagnostics and treatment. If the public healthcare system cannot uphold these guarantees, patients are offered diagnostics and treatment at private hospitals).
    Netdoktor, LIVA healthcare and similar services might be considered new actors; however, they do not alter the institutional order per se, as the clinical part is supposed to be used by the health care system. The patient-focused parts (self-management and online communities) are present in several health apps available.

    Finland: There are several small companies that provide e-health services in the Finnish market (apps, portals, software etc.). There are also new large vendors providing EHR services, e.g., Epic Information Systems.

    Iceland: Very few new actors on the market in Iceland in the past three years.

    Norway: None.

    Sweden: New private actors providing e-health services regarding digital health visit (net doctor), artificial intelligence, and clinical decision support have appeared lately. The growth of new actors providing digital health visit (net doctor) service, such as KRY, doktor.se, Doktor24, Min Doktor, etc., has been prominent in the Swedish market.
    Level of influence of newcomers to the market (for instance net doctors, private clinics etc.).
    Denmark: No significant influence.

    Finland: Big international companies have influenced the market. Finnish companies don't have a large market to share. These big companies have possibly accelerated the development of EHRs within some smaller providers.

    Iceland: Too soon to tell at this point in time.

    Norway: N/A.

    Sweden: The national government does not support or finance private actors. However, private actors do influence the e-health organizational market and the regional level (county councils and municipalities). An example is the implementation and use of services provided by private actors such as KRY, doktor.se, Doktor24, Min Doktor, etc. at different county councils.
    Official leaders that exercise the strategic choices that the e-health strategy demands.
    Denmark:
    - Ministry of Health
    - Danish Regions (the 5 Danish Regions are responsible for implementing in regional settings)
    - The Danish Municipalities (the 98 Danish Municipalities are responsible for implementing in the municipal settings).
    Strategies are negotiated in collaboration – common agreements on implementation are made between the involved parties (e.g. regions and municipalities). 
    Local implementing is the responsibility of the local actors.

    Finland: Professional organizations, universities and other institutions that have received funding to accelerate the implementation of the strategy.

    Iceland: The Directorate of Health is responsible for early stages of national implementation. The CEO is responsible for eHealth implementation in their own organization in later stages.

    Norway: National government (Ministry of Health), The Directorate of Health, The directorate of e-health, The Norwegian health network.

    Sweden: The national government (Ministry of Health) and the SALAR and their members, the same collaboration/cooperation as mentioned previously, are in charge of deciding and exercising the strategic choices.
    Licences or credentials that suppliers need to apply to deliver e-health services?
    Denmark: There is no certificate or licensing that a supplier needs to obtain.
    However, every supplier needs to adhere to the Danish reference architecture, standards, security regulations etc. GDPR, contracts and the Standards catalogue regulate this. Inspections/supervisions are made to ensure that standards and regulations are met. 
    The Danish model is built as an ecosystem where all suppliers build on the same standards and reference architecture.

    Finland: Suppliers need to be certified vendors (to fulfill criteria for national eHealth and eWelfare Services KanTa).

    Iceland: Suppliers need to receive licensure from the Directorate of Health.

    Norway: N/A.

    Sweden: There are no specific licenses or credentials that suppliers need to apply for. Only the ePrescription system/infrastructure requires some credentials that can be acquired from the national e-health agency (eHälsomyndigheten). At the regional level (county councils and municipalities), providers/suppliers have to fulfill requirements in the acts, laws and data regulations in order to deliver eHealth services.
    Groups/organizations responsible for enforcing legitimation.
    Denmark: MedCom certifies solutions to verify that they adhere to MedCom standards – but it is voluntary (MedCom is a non-profit organization financed and owned by The Ministry of Health, Danish Regions and Local Government Denmark. MedCom facilitates the cooperation between authorities, organizations and private firms linked to the Danish healthcare sector).

    Finland: Kela (National Social Insurance Institute) enforces KanTa-legislation, THL (National institute for welfare and health) enforces secondary use legislation. Authorized assessment organisations certify and audit IT systems for Kanta-integration. Valvira (National supervisory Authority for welfare and health) keeps a list of certified systems.

    Iceland: All legislation related to healthcare is at the Government level.

    Norway: N/A.

    Sweden: No specific licenses or credentials that need to be applied by the suppliers. Only the ePrescription system/infrastructure requires some credentials that can be acquired from the national eHealth agency (eHälsomyndigheten). The regional level (county councils and municipalities)/providers/suppliers have to fulfill requirements in the acts, laws, data regulations in order to deliver e-health services.

    Table 3: Structural and institutional changes; Cultural mechanisms

    POLITICAL AND INSTITUTIONAL STRUCTURE REGULATIVE MECHANISMS
    Indicators Description
    Legislation that takes into account and addresses the structural or institutional changes that the e-health strategies demand.
    Denmark: The new Act of altering the Health act (Lov om ændring af Sundhedsloven) was made to take into account the new ways of working and sharing data (i.e. paper records converted to data repositories etc.).

    Finland: No specific legislation at present.

    Iceland: The law and regulations support e-health implementation. The law on Patient records was enacted in 2009 but will be reviewed soon.

    Norway: No specific legislation at present.

    Sweden: The new national e-health vision does not demand any structural or institutional changes, or changes in legislation or creation of new legislation, since responsibilities for the national government, the SALAR, and the regional level (county councils and municipalities) remain the same as before.
    Institutions or organizations which are assigned the task of evaluating the institutional impacts of the implementation of the e-health strategy?
    Denmark: None.

    Finland: The Ministry of Finances ordered an evaluation of this particular strategy.

    Iceland: The Directorate of Health monitors the implementation of e-health services i.e. by the use of Nordic indicators recommended by the Nordic e-health Research group. The institutions themselves can also make their own evaluations.

    Norway: The directorate of e-health develops indicators for monitoring the impact of e-health strategies.

    Sweden: Not for the institutional impacts of implementing the e-health vision/strategy. But there is a group including people from the national e-health agency (eHälsomyndigheten) and the national board of health and welfare (Socialstyrelsen), etc., working on capturing e-health indicators and following up the implementation of the national e-health vision.
    Organizations that influence the level of e-health innovation (regions/county council, municipality, e-health authority or equivalent).
    Denmark: The Regions and Municipalities are the main influencers of innovation. (See Normative Mechanisms Question B).
    The main strategic focus of e-health in Denmark has not been on innovation. The reason for this is that “things weren’t changing”. Especially since 2013 the focus of the national strategies has been on ‘making things work’ and using the systems and technology already there. A strong focus on implementing and consolidating.

    Finland: Foremost University Hospitals and in the future possibly the SoteDigi Ab.

    Iceland: The Directorate of Health, the Ministry of Health, and the healthcare organizations themselves.

    Norway: Regions and Municipalities, professional associations.

    Sweden: Various professional associations and patient organizations are involved as reference groups for the development of the latest e-health vision. The national government and the SALAR are well aware of what these organizations think is important regarding the innovation and renewal of the e-health area. Outside of the scope of the national e-health vision/strategy, there are organizations, such as Vinnova, RISE, and the European Union, which give out funding and influence e-health innovation.
    Changes in the habit of the organizations.
    Denmark: A shift from synchronous (and often face-to-face) communication towards asynchronous digitally supported communication has occurred. Examples of this are:
    - Online booking of appointments
    - eConsultations (asynchronous – where the GP answers within a couple of days)
    - Online prescription renewals
    - Telepsychiatry
    - Telemedicine.
    Responsibilities are also being shifted: e.g. specialised nurses being front line respondents instead of doctors (i.e. 1813 emergency service, where it can be a nurse answering the call first line).
    Shifting in cooperation between Regions and Municipalities, with patients being treated at home (e.g. telemedicine).

    Finland: Changing the way to interact with people. Shifting cooperation between different health providers to offer services

    Iceland: Some re-organization and changes of clinical workflow. No changes in the current role of the healthcare institutions

    Norway: The national e-health strategy has influenced public and private organizations, educational organizations etc.

    Sweden: The national e-health vision has influenced organizations as for instance, Inera, as they referred to the vision in their work and documents. However, we cannot be certain that it is only the implementation of the vision that has driven these changes. The implementation of the e-health vision could be one factor for the example.
    Introduction of new channels to deliver e-health services that have changed their business models? (reallocate resources or charge services in different ways).
    Denmark: Telemedicine is a good example. The patient can be treated at home and unnecessary hospital contacts can be avoided.

    Finland: International examples which e.g. Sitra Fund and Business Finland promote.

    Iceland: Healthcare services are channeled through the National Patient Portal. This requires a change in business models. Additional funds are being allocated to primary healthcare providers who offer services via the patient health portal. Telehealth services are also being offered in the South of Iceland

    Norway: No.

    Sweden: The digital health visit service. The number of visits they can do has increased. These services have been driven by private actors since the beginning, influencing the market in some way.
    Generic adoption of the systems, services, applications and/or portals offered to innovate the area?
    Denmark: All parties are obligated to adopt and use the National systems. No opt-out.
    Examples are:
    - Shared Medication Record (FMK)
    - Sundhed.dk (shared national health platform)
    - My Doctor (app to contact GP). 
    There can be additional regional or local portals and services. But all National services are obligatory.

    Finland: The KanTa services have been adopted widely because it is demanded by law. Otherwise the adoption varies a lot between institutions.

    Iceland: All primary healthcare clinics in Iceland offer e-health services via the National Patient Health portal. Currently, there are pilot projects in place in the hospital setting using the patient portal, which will change the way follow-up will be provided by increasing the quality of care and access to services. Furthermore, EHR´s are shared on a national level and ePrescription has been adopted by all.

    Norway: ePrescription, Health record, infrastructures and systems.

    Sweden: The ePrescription system/infrastructure is adopted by all. NPÖ, as an example, and other national systems/services are adopted based on the decision at the regional level (county councils and municipalities).
    Increasing of the demand of services provided by external actors.
    Denmark: The external pressure for services and the technological development has fulfilled the innovation and implementation of citizen-centred eHealth, e.g. My Doctor (the Doctor in your pocket – national app).
    But still, the services are provided from within the public health care system.

    Finland: External actors and private clinics have grown (i.e. cancer clinics etc). A future with structural changes can be expected due to the possibility patients have to choose private or public healthcare.

    Iceland: No.

    Norway: No.

    Sweden: Some county councils purchase digital health visit services from external/private actors. The market seems to be saturated as there are fewer and fewer providers.
    Major drivers of the changes? (national boards, county councils, regions, municipalities, others).
    Denmark: The major forces of change lie within the public health care system. There is a trusting cooperation with a common goal.
    Grass root movements are a major part of driving the changes – as are the Regions and Municipalities supporting these movements. 
    Professional bodies, especially the Doctors’ Association (liberal trades within the health sector) are influencers of change. 
    When it comes to national adoption of services, the National Board of Health IT is the coordinating body.

    Finland: National board, municipalities, healthcare

    Iceland: The Directorate of Health in collaboration with the healthcare institutions and vendor of the EHR system with full support from the Ministry of Health and the Icelandic government.

    Norway: National government (Ministry of Health), The Directorate of Health, The Norskhelsenett, actors interested in the e-health area.

    Sweden: There are many drivers, including the national government, the SALAR and the regional level (county councils and municipalities), and private actors, as everyone is interested in the e-health area

    2.6 Comments

    The e-health strategies in the Nordic countries do not only aim at the connection of public providers to a working health system, they also describe plans, purposes and goals to be achieved to innovate and renew the e-health area and to reflect the large accomplishments on the policy work in the past at the country level.

    Previous studies of e-health advancement have focused on the incompleteness of the reforms carried out, and the need to re-organize and reform the organizations to become a dynamic, decentralized, and market-oriented sector. Rather than using reforms as a driving force, the e-health strategies developed in the Nordic countries describe visions and missions, opening a series of alternatives that stimulate innovation, renewal and collaboration of stakeholders from the private and from the public sector. The digitalization of services, the use of telemedicine, the implementation of e-prescriptions, the development and implementation of portals, the generic use of health records, the explicit goal to cooperate on the cross-sectoral and cross-border level by developing standards and synchronizing different systems, and the openness for private healthcare providers are some of the initiatives taken in the Nordic countries that have contributed to initiating the development of a coherent synchronized e-health system.

    Digitally-enabled service transformations in e-health normally aim to improve service delivery for citizens and patients. Nevertheless, in reality, the complex structure of government institutions, and coevolution of interactions between health and social care organizations and the integration of resources are often identified as the reasons underpinning the inability of the healthcare organization to evolve with the pace of social and technology changes.

    In this study we have compared and described the current strategies’ main goals. The comparison has shown that even though the strategies, in general, strive to accelerate the innovation and renewal processes, they do not contain any description or indication of (i) the time perspective of the changes, (ii) whether the goals are expected to be achieved in the short or in the long run, (iii) how the achievements will be analyzed, (iv) which institution will have the responsibility to follow up, evaluate or analyze the effects of changes (except for the Finnish strategy, which states that national criteria will be prepared in specific areas and be accounted for in the procurement), or (v) which indicators will be used to capture the innovation and renewal of the area. The Icelandic policy has a strategic plan that is updated every year, in which goals are set together with the means to measure them, in order to achieve the objectives of the national eHealth strategy. However, that document only exists in Icelandic.

    We have also captured the impact of regulative, normative and cultural mechanisms that influence the e-health area, providing deeper insights of the importance and impact of institutionalization processes that actually occur both at the micro and macro level. From these results it can be concluded that there are a series of institutions, formal, as well as informal that influence the e-health context and the organizational field and at the same time contribute to accelerate the innovation and renewal of the area. Furthermore, the existence of institutional entrepreneurships, the existence of organizations in charge to develop and review the strategies as well as the continued involvement and close collaboration with professional organizations, patient organizations and representatives from the industry and from academy, have been an important contribution to achieve if not all, at least some of the major goals described in the strategies.

    The outputs from this study further suggest evidence of a structuration process across various stages, where actors and structures are inherently related in a series of interplays that happen through time and space, and that play an important role in the innovation process of the e-health area. The findings are consequently important to complement the existing studies, which have largely focused on technological imperatives and strategic choices. In addition, the results of this study show the importance of the e-health strategies and their capacity to be the driving forces behind the expansion and transformation of the e-health area in the Nordic countries.

    The study provides, in addition to information to analyze the level of advancements reached in the Nordic countries, a tool for comparison and a body of knowledge on the expansion of the goals identified in the strategies. Further, the results give an overview of issues that need to be solved and improved to reach innovation and sustainability in the area, both at the country level and at the macro level.

    New goals and new reforms are expected to continue to be carried out to transform the e-health area into a dynamic area in which public and private actors collaborate and deliver e-health services to an active population that has the capacity to manage its own health. Consequently, the results obtained in this study can help in learning from the experiences gained when new goals are developed or before the current strategies are updated at the country level.

    There are some methodological limitations in this study. The sampled data are based on interviews with the official representative of the Nordic Ministers e-health group from each country. It can be possible that a large number of interviews with representatives from reference groups, professional associations, patients, representative from the industry and academy, give complementary outputs or possibilities to find alternative interpretations of the outcomes. Despite this restriction, this study gives an overview of the importance of regulative, normative and cultural mechanisms to achieve the goals identified in the strategies.

    In future studies it will be necessary to measure the level of goals achievements in relationships with the strategies in each country. It will be also necessary to identify how organizations work to support the organizational communication and interaction challenges that a new and more dynamic institutional order demands. Furthermore, in future studies, it will be necessary to analyze how regulative, normative, and cultural issues contribute to achieve the institutionalization of the policies and its goals and the subsequent stabilization of the area of e-health in each country.

    Further, future studies will need to expand the institutional theory perspective and sample data and knowledge on how organizational motives can be transmitted into the inter-organizational field thereby influencing normative pressures for change. The results of this study show that it is imperative that future studies focus on how or if the Nordic countries can develop collaborative efforts, generic goals and strategies that can contribute to transform and innovate the e-health into a modern and dynamic Nordic sector. For this, it will be necessary to develop tools to compare and analyze the level of advancement of the area, as well as to identify indicators to capture constraints and push factors that reduce passivity to institutional pressures for change in the different countries. Because of the publicly financed health care systems in the Nordic countries, the changes will be of high coverage on a national basis. Issues as side effects and unintended consequences of changes and reforms, business models that include payment and reimbursement issues, effects of pluralism in the welfare system, the importance for the micro and macro level of the mechanisms behind the expansion of reforms, as well as ethical and security issues are some examples of the key issues that need to be analyzed in future studies aimed to compare outputs, level of advancement, and effects of the implementation of e-health strategies.

    2.7 References

    Battilana, J., Leca, B. and Boxenbaum, E. (2009), How actors change institutions: Towards a theory of institutional entrepreneurship, The Academy of Management Annals, 3,1: 65–107. Available at: https://doi.org/10.1080/19416520903053598

    Björck, F. (2004) “Institutional Theory: A New Perspective for Research into IS/IT Security in Organizations,” Proceedings of the 37th Annual Hawaii International Conference on System Sciences, Hawaii. Available at: https://doi.org/10.1109/HICSS.2004.1265444

    Buchanan, R. (2015). Teacher identity and agency in an era of accountability. Teachers and Teaching, 21(6), 700–719. Available at: https://doi.org/10.1080/13540602.2015.1044329

    Campbell, B., Thomson, H., Slater, J., Coward, C., Wyatt, K., and Sweeney, K. (2007) “Extracting Information from Hospital Records: What Patients Think About Consent,” Quality and Safety in Healthcare, 16, 6, 404–408. Available at: https://doi.org/10.1136/qshc.2006.020313

    Coburn, C. E. (2004). Beyond decoupling: Rethinking the relationship between the institutional environment and the classroom. Sociology of Education, 77(3), 211–244. Available at: https://doi.org/10.1177/003804070407700302

    Covaleski, M.A., Dirsmith, M.W., and Michelman, J.E. (1993) “An Institutional Theory Perspective on the DRG Framework, Case-Mix Accounting Systems and Healthcare Organizations,” Accounting, Organization & Society, 18, 1. Available at: https://doi.org/10.1016/0361-3682(93)90025-2

    Datnow, A., Park, V., and Kennedy-Lewis, B. (2013). Affordances and constraints in the context of teacher collaboration for the purpose of data use. Journal of Educational Administration, 51(3), 341-362. Available at: https://doi.org/10.1108/09578231311311500

    De Corte, J., Roose, R., Bradt, L. and Roets, G. (2018). Service Users with Experience of Poverty as Institutional Entrepreneurs in Public Services in Belgium: An Institutional Theory Perspective on Policy Implementation. Social Policy & Administration, 52(1), 197–215. Available at: https://doi.org/10.1111/spol.12306

    DiMaggio, P. J. (1988), Interest and agency in institutional theory, In L. Zucker (ed.), Institutional Patterns and Organizations, Cambridge, MA: Ballinger, 3–21.

    DiMaggio, P.J. and Powell, W.W. (1983) “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields”, American Sociological Review, 48, 147–160. Available at: https://doi.org/10.2307/2095101   

    Frumkin, P. and Galaskiewicz, J. (2004). Institutional isomorphism and public sector organizations. Journal of Public Administration Research and Theory 14(3), 283–307. Available at: https://doi.org/10.1093/jopart/muh028

    Hyppönen et al. (2013). Nordic eHealth Indicators. Organisation of research, first results and the plan for the future. TemaNord 2013:522. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2013-522

    Hyppönen et al. (2015). Nordic e-health Benchmarking. Status 2014 TemaNord 2015:539. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2015-539

    Hyppönen et al. (2017). Nordic e-health Benchmarking. From piloting towards established practice. TemaNord 2017:528. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2017-528

    Meyer, J. W. and Rowan, B. (1977). Institutionalized organizations: Formal structure as myth and ceremony. American Journal of Sociology 83(2), 340–363. Available at: https://doi.org/10.1086/226550

    Oliver, C. (1991) “Strategic Responses to Institutional Processes”, Academy of Management Review, (16), 145–179. Available at: https://doi.org/10.5465/amr.1991.4279002

    Yin RK. Case study research: design and methods. Thousand Oaks, CA: Sage Publications, 2014.

    Rigg, C. and O’Mahony, N. (2013), Frustrations in collaborative working. Public Management Review 15(1), 83–108. Available at: https://doi.org/10.1080/14719037.2012.686231

    Thoenig, J-C. (2003), Institutional theories and public institutions: Traditions and appropriateness. In G. Peters and J. Pierre (eds), Handbook of Public Administration, London: Sage.

    Scott, R. (1995), Institutions and Organizations, Thousand Oaks, CA: Sage.

    Selznick, P. (1957), Leadership in Administration, New York, NY: Harper & Row.

    Tolbert, P. S., and Zucker, L. G. (1999). The institutionalization of institutional theory. Studying Organization. Theory & Method. London, Thousand Oaks, New Delhi, 169-184. Available at: https://doi.org/10.4135/9781446218556.n6

    Woulfin, S. L. (2016). Duet or duel? A portrait of two logics of reading instruction in an urban school district. American Journal of Education 122(3), 337-365. Available at: https://doi.org/10.1086/685848

     

    3. Update on indicators outlined in the last report

    3.1 Introduction

    3.1.1 Status of evaluations in NeRN

    This chapter presents the results of the third task set to the NeRN network: Updating a list of common indicators in accordance with the new policy goals.

    The eHealth indicators used until now form a good basis for monitoring. However, there is a need to develop a framework for the indicators that accommodates the shift of focus in the national policies, and to further the development of indicators that can be practically monitored in all the Nordic countries.

    The update is based on a theoretical model for describing clinical adoption of health information systems. This model defines a set of basic dimensions which are here used to describe aspects that can be monitored by a set of indicators.

    The national surveys that earlier have been presented have not been updated with a frequency that allows for further comparison among the Nordic countries. It is therefore hoped that the indicators and the example of questions presented here can be the core of future national evaluations. Furthermore, it is important to note that several of the proposed questions have been validated in earlier studies.

    3.1.2 Evaluation frameworks

    According to Price and Lau (2014), any effect of an e-health system hinges upon the adoption of the system. They describe adoption as the process that “involves the multitude of activities, decisions, and evaluations that encompass the broad effort to successfully integrate an innovation into the functional structure of a formal organization”. According to the same researchers, an adoption model provides a simplified and limited explanation of the complex process of integration over time. They have developed a Clinical adoption meta-model (CAMM) with four dimensions that relate to the situation after a system has been implemented.[1] The dimensions also depend on each other: An e-health system must be available before it can be used. Likewise, use is needed before we can hope that the system has an impact on clinical or health behaviors, which only then can begin to impact clinical outcomes (Price and Lau 2014).

     

    Footnotes

    1. ^ This model has been discussed in an earlier report from the Nordic eHealth research network (Hyppönen et al. [2013]).

    Figure 1: The Clinical Adoption Meta-Model (Price and Lau 2014)


    3.1.3 Knowledge on effects and outcomes of e-health systems

    The Electronic Medical Record Adoption Model (EMRAM) from HIMSS is a widely used metric for the adoption of e-health in hospitals. Currently HIMSS is also developing an adoption model for use in non-hospital/ambulatory settings. The model puts emphasis on IT-systems and functionalities, but focuses less on use, clinical behavior or healthcare outcomes. Even though the EMRAM model has become a widely used tool for benchmarking and setting targets when implementing health information systems, the use of EMRAM has contributed little to the understanding of the effect of e-Health systems on healthcare organisations.

     

    3.1.4 Update on knowledge on effects of IT-systems in general

    From IT-research outside the healthcare domain, we know that many IT-systems and services have a network effect. This means that the value of a system lies in its ability to establish relations between the users. Now that IT-services are distributed across the internet, we see a consolidation and a “the winner takes it all” effect at the same time as the home-grown / in-house systems gradually disappear. Also, large vendors increasingly seek to create value from all the data that is being generated. This tendency is likely to spill over to the health IT industry.

     

    3.1.5 Indicator development questions

    Given that e-health services increasingly are becoming available through the internet, that Nordic e-health policy makers wish to engage and empower the patients/citizens and that they want the patients/citizens to engage with their healthcare providers via the internet, we have the following indicator development questions:

    • which indicators are suited for monitoring the on-going transformation towards a digitized and networked interface between the patient and healthcare providers?
    • which indicators allow us to monitor the empowerment and activation of the patients?
    • which indicators will allow us to monitor IT-support for generating knowledge from data and building learning healthcare systems?

    3.2 Results and discussion

    The CAMM model defines four dimensions for clinical adoption of health information systems over time. The four dimensions availability, system use, clinical behavior, and outcomes are presented in the following. From the experience of monitoring the development in the Nordic countries supplementary aspects and sub-aspects are elaborated and described. For each sub-aspect a number of specific exemplary questions are proposed. Many of these questions have been used in specific surveys in one or more Nordic countries and some have even been validated in specific studies (Hyppönen et al. 2019).

    3.2.1 Availability

    Price and Lau (2014) define the Availability dimension as “ability for the end users to interact with a health information system (HIS)”. Availability includes user access, system availability and availability of content in the system.

    If we adopt the CAMM model to assess the impact of e-health policies in the Nordic countries, indicators on availability will be most relevant to systems and services that are to be implemented as a result of the policies. Aspects could include availability for clinicians, patients/citizens as well as for researchers. Aspects could include access to information as well as to knowledge (e.g. terminology services, decision-support and other knowledge-based services). More detailed aspects and potential indicators are outlined in the table below.

    Table 4: Aspects, sub-aspects and indicator examples for the availability construct

    Aspects | Sub-aspects | Indicator example | Examples of survey questions
    Information and knowledge infrastructures
    Terminology services | Classification system(s) used | Which of the following classifications are available on the health care code server used by your organisation in its patient record systems? (list).
    Availability of EHR front-end tools | Use of specific nursing (separate) documentation | Do you use electronic nursing documentation (this does not mean entering “other information” in the EHR)?
    Number of supportive functionalities | What supportive functionalities are integrated in the EHR system?
    1) guiding follow-up in daily patient work
    2) quality control
    3) following the set objectives of the organisation (amount of patients, times etc.)
    4) following usage of resources ([Organisational Availability]).
    Access to incident reporting system | Does your organisation have access to an electronic incident reporting system?
    Decision-support services | Level of decision support system | Do you have some level of
    1) Diagnosis support systems (e.g. warnings about pathological laboratory results)
    2) Drug-drug interaction warning
    3) Drug allergy warning
    4) Care pathway support systems (e.g. regional and national databases and guidelines, reminders about lab results or referrals).
    Level of integration with other systems | How are the decision support systems integrated with other systems?
    1) A standalone online database on the same desktop as the EHR (e.g. links to an external database on the computer desktop)
    2) An online database with access by navigating from the EHR
    3) A system that automatically displays selected items on the desktop and is integrated with the EHR but offers no patient-specific suggestions (e.g. reminders or colorful fonts), or
    4) An automatic integration of the EPR system and a knowledge database that includes patient-specific suggestions (e.g. reminders of medications based on patient condition).
    Other knowledge-based services
    New technologies for knowledge handling | Utilization of machine learning and AI techniques | I use digital systems for automatic prediction of patient scenarios.
    Management functionalities
    Management and quality improvement services | Efficient use of resources | I can use EHR systems to follow the use of personnel, equipment and room resources.
    Automation of error detection | My EHR system automatically discovers incidents.

    3.2.2 System Use

    System use is defined as “the interactions with the HIS by intended end-users” (Price and Lau 2014). System use has two aspects: Use of the system and user experience.

    In the context of NeRN, we have access to a set of tried and tested indicators through the usability and user experience surveys that have been developed and validated in Finland (Viitanen et al. 2011, Kaipio et al. 2017, Hyppönen et al. 2019). Surveys including many of the same measures have also been conducted recently in Denmark and Iceland. Translating the same indicators for use in the other Nordic countries will allow for a structured cross-country comparison, and a continuation of the study can contribute to knowledge of how usability and user experience develop over time. The same applies to the citizen surveys that have been conducted in Denmark, Norway, and Finland and that are to be developed and conducted in Iceland and Sweden as well (see chapter 4). Nordic e-health policies put great emphasis on making systems more usable. This includes making systems more useful, trustworthy and pleasant to use for the health professionals as well as the patients and the citizens.

    Table 5: Aspects, sub-aspects and indicator examples for the System Use construct

    Aspects | Sub-aspects | Indicator example | Examples of survey questions
    Primary use of data
    Hardware or systems used | Technical quantity | How many monitors do you use at your workstation?
    System integration | How many work-related passwords do you use on a typical day?
    Technical quality | The systems are stable in terms of technical functionality (does not crash, no downtime).
    Faulty system function has caused or has nearly caused a serious adverse event for the patient.
    In my view, the system frequently behaves in unexpected or strange ways.
    Information entered/documented occasionally disappears from the information system.
    The system responds quickly to inputs.
    Making decisions
    Executing decisions
    Ease of use | UI present data and elements in a usable way? | The arrangement of fields and functions is logical on computer screen.
    Terminology on the screen is clear and understandable (for example titles and labels).
    Entering and documenting patient data is quick, easy and smooth.
    The systems keep me clearly informed about what it is doing (for example saving data).
    Routine tasks can be performed in a straight forward manner without the need for extra steps using the system.
    It is easy to obtain necessary patient information using the EHR system.
    The information on the nursing record is in easily readable format.
    It is easy to perform searches with the systems used for following up activity.
    The patient’s current medication list is presented in a clear format.
    The EHR system generates a summary view (e.g. on a timeline) that helps to develop an overall picture of the patient’s health status.
    Health Information Exchange | Information on medications ordered in other organizations is easily available.
    Obtaining patient information from another organization often takes too much time.
    Patient data (also from other organizations) are comprehensive, up-to-date and reliable.

    3.2.3 Clinical/health behavior

    The CAMM model defines clinical/health behavior as “meaningful adaptation of clinical workflows or health behaviors that are facilitated by the HIS”. According to Price and Lau, aspects of clinical behavior change include productivity changes and changes in specific clinical activities. Impacts on productivity can be both positive and negative and can relate to healthcare organizations as a whole. Clinical activity behaviors relate to clinicians as well as to patients.

    In the context of NeRN, the usability and user experience surveys that have been developed and validated in Finland (Viitanen et al. 2011, Kaipio et al. 2017, Hyppönen et al. 2019) also encompass questions about clinicians’ behavior. The Nordic e-Health policies all place great emphasis on making systems more usable in order to change the behavior of the clinicians. Clinical behavior includes aspects of primary use of data as well as secondary use of data. In particular, the secondary use of data can be evaluated at the macro, meso and micro levels. This includes the clinicians’ input of data for monitoring quality and productivity issues as well as their use of the data to monitor personal performance.

    Table 6: Aspects, sub-aspects and indicator examples for the Clinical/health behavior

    Aspects | Sub-aspects | Indicator example | Examples of survey questions
    Primary use of data
    Co-operation | Support of co-operation | EHR systems support co-operation and communication between physicians working in different organizations.
    EHR systems support co-operation and communication between physicians and nurses.
    EHR systems support co-operation and communication between physicians in your own organization.
    EHR systems support co-operation and communication between provider and patients.
    Measurement results provided electronically by the patient (e.g. via patient portal) help to improve the quality of care.
    The EHR system provides me with information about the need for and effectiveness of treatment of my patients.
    The system monitors and notifies when the orders given to nurses have been completed.
    Follow-up data provided by the systems is reliable and faultless.
    I use some systems facilitating follow-up of activity every day.
    Primary use of CDS front-end-tools | Alert fatigue / burn-out
    Out of context
    DSS Knowledge outdated
    Positive DSS experiences | I find CDS alerts helpful.
    Secondary use of data
    Macro-level | Incident reporting
    The quality of the input of data?
    Terminology-related issues
    Meso-level | Monitoring functionalities (e.g. quality, performance, …) | What supportive functionalities have been integrated in the EHR system?
    a) Research
    b) Innovation
    c) Business activities
    d) Clinical performance
    e) Quality performance
    d)...
    EHR system automatically report to national quality registers.
    EHR systems facilitate measurement and monitoring of functional quality.
    EHR systems help me to monitor the achieving of the targets set by my unit (e.g. numbers of patients, periods of treatment, types of operations).
    Timeline in reuse of data?
    Micro level | "Clergy" work | I have to collect information needed for management from several EHR systems.
    End users' use of secondary data | I am able to compare the quality of my hospital to other hospitals.
    I use some systems facilitating follow-up of activity every day.
    I can use EHR systems to guide daily activity.
    I can correlate my post-surgical infection rate with that of other.
    Available data support research, innovation and business activities.
    Contributing to further development | I can contribute/engage in quality improvement work.
    I can engage in new CDS-rules-developing.

    3.2.4 Clinical outcome

    In the CAMM model, clinical outcomes are defined as “the impacts attributable to the adoption of the HIS”. The model defines five aspects of clinical outcomes: patient level outcomes, provider level outcomes, organization level outcomes, population level outcomes, and cost outcomes (Price and Lau 2014).

    In the earlier NeRN activities outcome measures have not played a significant role, mainly due to the methodological challenges in establishing causal relations or even correlation between eHealth initiatives and reliable outcome measures. This specifically relates to patient level outcomes and provider level outcome. Patient level outcomes are more specifically discussed in chapter 4. In terms of organizational level outcomes, a few issues can be pointed out e.g. improved documentation quality, integration of clinical information and management data. However, it is at the same time complicated to obtain reliable data to characterize the improvement or express the benefits of enhanced data-integration.

    Table 7: Aspects, sub-aspects and indicator examples for the clinical outcome

    Aspects | Sub-aspects | Indicator example | Examples of survey questions
    Patient level outcome
    Provider level outcome | Monitoring of targets | EHR systems help me to monitor the achieving of targets set by my unit (e.g. numbers of patients, periods of treatment, types of operations).
    Care quality | Information systems help to improve quality of care.
    Care continuity | Information systems help to ensure continuity of care.
    Guideline adherence | Information systems support compliance and adherence with the treatment recommendations.
    Medication errors | Information systems help in preventing errors and mistakes associated with medications.
    Duplicate tests | Information systems help to avoid duplicate tests and examinations.
    Patient-provided info | Measurement results provided electronically by the patient (e.g. via patient portal) help to improve the quality of care.
    Organizational level outcomes | Improvement of productivity | EHR systems have helped to improve the productivity of my unit in the last few years.
    I use EHR systems to follow the use of personnel, equipment and room resources.
    Improvement of efficacy | EHR systems have helped to improve the efficacy of my unit in the last few years.
    Population level outcomes | Mortality
    Readmission rates
    Cost outcomes

    3.3 Conclusion

    The third task set to the NeRN network was to update a list of common indicators in accordance with the new policy goals. However, only one country has in the past period repeated a survey-based measurement of a number of indicators for availability and use. Hence there are no new data on the indicators to present and compare.

    An update of the list of indicators has been achieved by applying a theoretical framework to evaluate the availability, system use, clinical behavior, and outcome of the situation after a system has been implemented. Many of the aspects outlined by the theoretical framework have been a part of the monitoring activities in the Nordic countries. However, the application of a coherent theoretical framework provides an opportunity to align the surveys conducted in the Nordic countries to obtain comparable and consistent measures.

    3.4 References

    Hyppönen et al. (2013). Nordic eHealth Indicators. Organisation of research, first results and the plan for the future. TemaNord 2013:522. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2013-522

    Hyppönen, H., Kaipio, J., Heponiemi, T., Lääveri, T., Aalto, A.M., Vänskä, J. and Elovainio, M. (2019). Developing the National Usability-Focused Health Information System Scale for Physicians: Validation Study. Journal of Medical Internet Research, 21(5):e12875. Available at: https://doi.org/10.2196/12875

    Kaipio, J., Lääveri, T., Hyppönen, H., Vainiomäki, S., Reponen, J., Kushniruk, A. et al. (2017). Usability problems do not heal by themselves: National survey on physicians’ experiences with EHRs in Finland. International Journal of Medical Informatics. 2017 Jan 1;97:266–81. Available at: https://doi.org/10.1016/j.ijmedinf.2016.10.010

    Price, M. and Lau, F. (2014). The clinical adoption meta-model: a temporal meta-model describing the clinical adoption of health information systems. BMC Med Inform Decis Mak. 2014 May 29;14:43. Available at: https://doi.org/10.1186/1472-6947-14-43

    University of Victoria. eHealth observatory: The Clinical Adoption Meta-Model http://ehealth.uvic.ca/methodology/models/CMM.php

    Viitanen, J., Hyppönen, H., Lääveri, T., Vänskä, J., Reponen, J. and Winblad, I. (2011). National questionnaire study on clinical ICT systems proofs: Physicians suffer from poor usability. International Journal of Medical Informatics. 2011 Oct 1;80(10):708–25. Available at: https://doi.org/10.1016/j.ijmedinf.2011.06.010

     

    4. Developing a Nordic model survey to monitor citizen views on eHealth

    4.1 Introduction

    eHealth services for citizens are electronic services and applications used by citizens/patients for promoting health, welfare and selfcare; for improving access to healthcare services; and for enhancing information flow between healthcare services and citizens (Hyppönen, 2018). The aim of conducting a citizen survey is to evaluate the eHealth services for citizens regarding availability, use, barriers, benefits, needs, perceptions and attitudes towards e-Health/welfare services now and in the future.

    To our knowledge, surveys on eHealth in a citizen perspective are project based, scattered, and conducted with irregular frequency in the Nordic countries as well as internationally.

    An initial mapping of citizen surveys within the field of e-health in the Nordic countries was conducted by the Nordic e-Health Research Network during the third mandate period 2015–2017 (Hyppönen et al. 2017).

    During the current mandate period 2017–2019 this work has been followed up through a more detailed examination and comparison of previous national surveys; their content and organization.

    To provide an understanding of how and why citizen surveys are conducted in the different partner countries, we agreed on a number of questions during our meetings and asked all countries to answer them:

    1. When have citizen surveys been conducted in the different Nordic countries?
    2. How were the surveys organized – enumeration?
    3. Who were the owners of the surveys – stakeholder(s)? (government; institution/organization; institutions).
    4. How were the surveys financed?
    5. How sustainable are the surveys?
    6. Financial sustainability.
    7. Organizational sustainability.
    8. What is the main focus of the surveys and the content sustainability?
    9. What is the quality/power/impact?

    As will be shown, the Nordic countries have different practices regarding the frequency and topic of the citizen surveys, as well as how the surveys are organized, owned and financed. By disseminating and making these differences visible we hope to encourage discussion of whether more synergy among the Nordic countries’ citizen surveys is expedient to bring knowledge that can adapt the future design and planning of eHealth in the Nordic countries to the needs of its citizens. We may also be able to encourage international discussions on how eHealth affects citizens. For now, three different ownership constellations can be identified.

    • Project organized surveys - public funded and owned but conducted semi-independent of the eHealth authorities. (Sweden and Finland);
    • University anchored and private funded - independent of eHealth implementation authorities (Denmark and Norway before 2019);
    • eHealth authorities/Directorate design, finance, and conduct the survey (Iceland and Norway 2019).

     

    4.2 Comparison of the organizing and content of citizen surveys on eHealth in the Nordic countries

    4.2.1 Organizing of the surveys

    Q1: When have citizen surveys been conducted in the different Nordic countries?

    Denmark
    The national surveys on Danish citizens’ expectations and perspectives on eHealth are conducted bi-annually. The first was done in 2013, and its design was inspired by Canadian and Australian studies of consumer experience with eHealth. The second survey in 2015 and the third in 2017 were further inspired by questions posed in national surveys from Norway and Finland. The fourth survey is planned to take place in autumn of 2019.

    Norway
    National surveys on use of eHealth in the Norwegian population were conducted in 2000, 2001, 2003, 2005, 2007, 2013 and 2019.

    Sweden
    The first national survey on use of e-health in the Swedish population is planned to be conducted in autumn of 2019.

    Finland
    National citizen surveys on eHealth have been conducted in 2014 and 2017 in Finland, and the third national survey will be conducted in 2020.

    Iceland 
    National surveys on citizens’ use and experience of using eHealth services have not been conducted yet in Iceland. However, plans have been made to conduct the first national citizen survey on the use of eHealth in the fall of 2019. The questionnaire will build on recommended indicators by NeRN.

     

    Q2: How were the surveys organized – enumeration?

    Denmark
    The survey is a research-based activity, designed by the Danish eHealth Observatory researchers from Aalborg University. The administration is done by a private Danish poll agency (Megafon). The questionnaires were pilot tested each year. The surveys combine email and telephone. The selected respondents are part of Megafon’s citizens’ panel, which reflects the Danish adult population with respect to age, education and geographic distribution.

    Norway
    In the period 2000–2013 the first six surveys were conducted by an independent research institute (Norwegian centre for e-health research, former Norwegian centre for telemedicine), whereas the last survey in 2019 was designed and conducted by the national authorities (eHealth Directorate).
    All surveys were conducted by national poll agencies.
    In the first five surveys samples were representative of the Norwegian population, interviews were conducted by telephone and questionnaires were validated through piloting and international research collaborative practices, including translations by dual-focus approach.
    In the 6th and 7th surveys samples were reduced to including internet users only.
    In the 7th survey a new questionnaire was developed by national authorities in collaboration with a private consultancy agency.

    Sweden
    The first National Citizen Survey on eHealth usage is planned to be conducted in the fall of 2019. The questionnaire was developed by Karolinska Institutet and Linköping University on behalf of the Swedish eHealth Agency. This work was based on the previous work within the NeRN network. The Swedish eHealth Agency will be responsible for the survey. Data collection and analysis will be done by Statistics Sweden. The sample will be drawn from the whole population of citizens 18 years and older.

    Finland
    The surveys were conducted at national level (representative sample of 4,000 citizens) in 2014 and 2017 as mail surveys with a digital reply option. The next survey will be conducted in 2020. The surveys have been validated through piloting and by using questions from international surveys. The first survey (2014) was conducted as a stand-alone survey, for which THL commissioned a national polling agency. A questionnaire was developed using as background variables questions from the THL national citizen health, welfare and service use survey. The eHealth variables were developed in collaboration with the citizen and patient association and by exploiting national and international research. The second eHealth survey (2017) was integrated as a module into the health, welfare and service use survey, conducted by THL. This collaboration is foreseen to continue in 2020.

    Iceland
    The first National Citizen Survey on eHealth usage will be conducted in the fall of 2019. The National Centre for eHealth unit within the Directorate of Health will be responsible for the survey. It has yet to be decided whether the target population will only include users of the National Citizen Health Portal or a sample from the whole population of citizens 18 years and older.

     

    Q3: Who were the owners of the surveys – stakeholder(s)? (government institution/organisations/institutions)

    Denmark
    The survey data are owned by the Danish E-health-observatory and the researchers that have been involved in designing the survey questions. The Danish E-health Observatory comprises researchers from Aalborg University and the University of Southern Denmark.

    Norway
    The first six surveys were conducted and owned by an independent research institute, the Norwegian Centre for e-health research (NSE). The 2019 survey is owned by the public health authorities, the Norwegian Directorate of e-health. 

    Sweden
    The survey data are owned by the Swedish eHealth Agency but can be used by Karolinska Institutet for research purposes.

    Finland
    The survey data are owned by the National Institute for Health and Welfare.

    Iceland
    The Directorate of Health will be the owner of the survey.

     

    Q4: How were the surveys financed?

    Denmark
    The surveys are financially supported by the Danish E-health-observatory, which has monitored eHealth implementation in Denmark for many years, e.g. the national implementation of the Electronic Health Record (EHR) and the national monitoring of clinicians’ use of health informatics in their daily practices. The Danish E-health-observatory generates funds for research activities from the surplus of the conference fee paid by participants attending an annual conference. This is possible because the Danish E-health-observatory is a non-profit organization following the public sector regulation of university activities.

    Norway
    Five out of seven surveys were financed internally by the institutions conducting them; two of the surveys conducted by NSE (2005 and 2007) were financed by external research funding (EU research funding).

    Sweden
    This first survey is funded by the Swedish eHealth Agency. Further surveys and sustainability of both content and organization are under discussion.

    Finland
    One of the projects in the Ministry of Finance program for developing public e-services in Finland (SADe 2010–2015), SADe-SoTe, was targeted at public social and healthcare e-service development (Hyppönen, Hämäläinen and Reponen (eds.) 2015). Funded by this project, a national survey of citizens’ views of e-health and e-welfare was conducted in 2014 for the first time in Finland (Hyppönen et al. 2014). The survey was conducted as a stand-alone survey, using selected variables from citizen surveys in other countries.

    The second citizen survey on eHealth was conducted in 2017, co-funded by the Ministry of Social Affairs and Health and the National Institute for Health and Welfare (THL) as a mid-term assessment of the strategy. The eHealth survey scales were integrated into an ongoing Finnish survey related to citizens’ health, wellbeing and service use. The survey will continue in 2020, with permanent funding from the Ministry, as an assessment of strategy goals and as a means of steering the way ahead (Vehko et al. 2019).

    Iceland
    There will not be any extra funding for the Directorate of Health for conducting the national citizen survey.

     

    Q5: How sustainable are the surveys?

    (i) Financial sustainability

    Denmark
    Financially the Danish surveys are sustainable as long as the Danish E-health-observatory gains a surplus on its conference activities and as long as the researchers involved have research time to allocate to the activity. Or to put it differently, the surveys depend on very vulnerable funds.

    Norway
    The surveys have been organized as separate projects, funding has been a mix of internal funds from the NSE and external research funding, and for the last survey the Directorate of e-health has funded the project. 

    Finland
    Financially the survey has been project-based, relying on the funding from the Ministry of Social Affairs and Health. A project contract for funding 2020 data collection and reporting has been made with the Ministry of Social Affairs and Health, with a stipulation to prepare a shift towards making the project-based eHealth surveys a permanent activity of THL.

    Iceland
    The Directorate of Health will be funding the national citizen survey. There is no specifically earmarked governmental funding for the survey.

     

    (ii) Organizational sustainability

    Denmark
    The Danish E-health-observatory has financed the survey, meaning that it is an independent semi-formal organization as described above. Designing and planning the survey has been attended to by Danish universities and university researchers.

    Norway
    There has been a change in ownership of the surveys in Norway, going from independent research to state owned surveys.

    Finland
    The Finnish surveys have been planned and conducted by THL.

    Iceland
    The Directorate of Health will be responsible for conducting the survey and hence be the sole owner of the citizen survey in Iceland.

     

    4.2.2 Content of the surveys

    Q6: What is the main focus of the surveys and the content sustainability?

    Denmark
    The surveys have been designed by eHealth researchers using scientific standards for social science methodology. All surveys have repeated basic indicators, but it has been important to add new indicators and omit others to comply with the development in digitalization. E.g. we no longer ask about availability of internet connection and we have started to ask for experience with patient generated health data. Selected survey results have been disseminated at conferences and in scientific journals.

    Norway
    The first six surveys were designed by researchers and conducted according to scientific standards, i.e., social science methodologies, including a standard validation of questionnaires and analysis. The design, from questionnaire to analysis and dissemination, was anchored in three research questions underpinning all surveys: (i) what are the patterns of use and non-use? (ii) what are the consequences of such use? and (iii) what are the population’s expectations with regard to provision of e-health services? The scientific validity is reflected in the dissemination of the survey results, which included scientific journals quality controlled by peer review.

    The 2019 survey draws from previous surveys in Norway and other Nordic and European countries. The survey was designed by a consultancy agency in collaboration with national authorities.

    Sweden
    The survey questionnaire will build on surveys conducted in the other Nordic countries and indicators recommended by NeRN.

    Finland
    The citizen eHealth survey is conducted as a module in a national health, wellbeing and service use survey. The eHealth researchers have a limited impact on change in the background (independent) variables. The dependent variables (outcome variables, eHealth variables) focus on eHealth use, barriers of use, benefits of eHealth and eHealth service needs. These variables are kept as constant as possible, with additions/omissions of well-argued selected items.

    Iceland
    The survey questionnaire will build on surveys conducted in the other Nordic countries and indicators recommended by NeRN.

     

    Q7: What is the Quality/power/impact?

    Denmark
    The Danish survey was initiated back in 2013 as a research activity, financially supported by the Danish eHealth Observatory. The results have been disseminated at the annual Observatory meeting (600+ participants) as well as in papers in journals, at international conferences, book chapters, university teaching etc. In addition, selected results from the first two surveys (2013–2015) were published as technical reports on the Danish Center for health informatics web page.

    Norway 
    The first surveys were initiated by researchers and authorities (the 1999 Directorate of health and social affairs) in collaboration. The results from the first 6 surveys followed a dissemination plan which included targeted dissemination to selected multiple audiences. The scientific community was reached through scientific publications and presentations (journals, conferences, seminars, teaching). National and local health authorities, practitioners in the sector and patient organizations were reached through a combination of scientific channels (papers, conferences), popular science channels (conferences, commentaries in media) and inclusion of results in seminars, meetings and relevant intervention and evaluation projects where these target groups participated. The wider audience (i.e., the Norwegian population) was reached through the press (press releases, commentaries in national and local newspapers).

    The 2019 survey was published by the owner (e-health directorate) on their website and presented in meetings and conferences.

    Finland
    The first survey was requested by the Ministry of Finance, the next surveys by the Ministry of Welfare and Health. The first survey impacted the Social and Health care digitalization strategy in the form of the publication and consultation requests. The second survey results have generated requests for presentations in multiple seminars and Ministry working groups. The databased results have raised a lot of interest, and are used in national and regional decision making and in universities as training material for social and health care students.

    Iceland
    The aim is to publish the results from the citizen survey on the website of the Directorate of Health, in journals and give presentations. The results could be used to further improve the National Citizen Health Portal and its user experience.

     

    4.2.3 National contexts - Other stakeholders that collect data on citizens and e-health

    Denmark
    Statistics Denmark

    Danish Health Data Directorate

    The Danish Consumer Council

    Sundhed.dk

    Norway 
    Difi (Directorate of public management and eGovernment)

    Dips (private vendor of e-health services)

    Finland
    In Finland, there are at present two online systems that host at least some eHealth indicator data. The first current host for eHealth indicator data is the national health information system (Kanta). This hosts statistics on the diffusion and use of national health information services. The data are real time and available in Finnish, Swedish and English.

    The second reporting system is the online database reporting system of the National Institute for Health and Welfare (THL). The system is hosting an increasing amount of statistical and survey data and making it available for flexible use online. One set of statistics directly relevant for monitoring eHealth outcomes is the AvoHILMO statistics (Hyppönen et al 2017).

    Iceland
    The Directorate of Health conducts surveys on health every 3rd year but has not yet conducted a survey on citizens’ use of eHealth.

    4.3 Recommendations for the future

    Based on our work on summarizing and discussing the initiatives within the area of citizen e-health surveys across the Nordic countries the Nordic e-Health Research Network has the following recommendations:
     

    • Citizen surveys on eHealth in the Nordic countries should be coordinated, i.e., questionnaires and timing of surveys should be aligned.
    • Questionnaires should be structured along three overall topics:
      • use/ non-use,
      • consequences of use, and
      • citizens’ expectations for the future.
    • There should be open opportunities for each country to develop specific questions to address particular challenges/potentials in the current national contexts.
    • To ensure validity the development of both questionnaires and analysis should be based on scientific methods.
    • To ensure financial sustainability a discussion on funding models should be initiated. 

    4.4 References

    Hyppönen et al. (2017). Nordic e-health Benchmarking. From piloting towards established practice. TemaNord 2017:528. Copenhagen: Nordic Council of Ministers. Available at: https://doi.org/10.6027/TN2017-528

    Hyppönen, H. (2018). Citizen experiences of e-health services: Willing and able? eHealth and Telemedicine conference 15.-17.3.2018, Viking Mariella. Available at: https://www.slideshare.net/THLfi/citizen-experiences-of-ehealth-services.

    Hyppönen, H., Hämäläinen, P. and Reponen, J. (eds.) (2015). E-health and e-welfare of Finland - Check point 2015. Report 18/2015. FinnTelemedicum and National Institute for Health and Welfare. Available at: https://www.julkari.fi/bitstream/handle/10024/129709/URN_ISBN_978-952-302-563-9.pdf?sequence=1

    Hyppönen, H., Hyry, J., Valta, K., and Ahlgren, S. (2014). Sosiaali- ja terveydenhuollon sähköinen asiointi - Kansalaisten kokemukset ja tarpeet. Raportti 33/2014, Terveyden ja hyvinvoinnin laitos, Helsinki. Available at: http://urn.fi/URN:ISBN:978-952-302-410-6

    Vehko, T., Ruotsalainen, S. and Hyppönen, H. (eds.) E-health and e-welfare of Finland: Check Point 2018. Report 7/2019, FinnTelemedicum and National Institute for Health and Welfare. Available at: http://urn.fi/URN:ISBN:978-952-343-326-7

    Publications based on the Danish survey data:

    Bertelsen, P. and Tornbjerg, K. (2014) Undersøgelse af borgernes anvendelse af sundheds-it i 2013, DaCHI, Aalborg Universitet.

    Petersen, L.S. and Bertelsen, P. (2016) Undersøgelse af borgernes perspektiv på sundheds-it i 2015, DaCHI, Aalborg Universitet.

    Bertelsen, P. and Tornbjerg, K. (2015) Danish Citizens' Expectations to the Use of eHealth, p. 78–82 Studies in Health Technology and Informatics, Vol. 208. IOS Press.

    Bertelsen, P. S. and Petersen, L. S. (2015) Danish Citizens and General Practitioners' Use of ICT for their Mutual Communication, p. 376–379 Studies in Health Technology and Informatics, Vol. 216. IOS Press.

    Petersen, L. S. and Bertelsen, P. S. (2016) Patients perception of Clinicians use of ICT during patient consultation in the different sectors of Danish healthcare, Exploring Complexity in Health: An Interdisciplinary Systems Approach., p. 680–684 Studies in Health Technology and Informatics, Vol. 228. IOS Press.

    Petersen, L. S. and Bertelsen, P. S. (2017) Equality Challenges in the Use of eHealth: Selected Results from a Danish Citizens Survey, p. 793–797 Studies in Health Technology and Informatics, Vol. 245. IOS Press.

    Publications based on the Norwegian survey data:

    Andreassen, H., Bujnowska-Fedak, M. M., Chronaki, C. E., Dumitru, R. C., Pudule, I., Santana, S., . . . Wynn, R. (2007). European citizens' use of E-health services: A study of seven countries. BioMed Central Public health. Retrieved from http://www.biomedcentral.com/1471-2458/7/53 or https://doi.org/10.1186/1471-2458-7-53

    Andreassen, H. K., Wangberg, S. C., Wynn, R., Sørensen, T., and Hjortdahl, P. (2006). Helserelatert Internettbruk i den norske befolkningen. Tidskrift for den norske legeforening, 126 2950–2952.

    Andreassen, H. K. W., Silje C, Wynn, R. S., Tove, and Hjortdahl, P. (2006). MEDISIN OG VITENSKAP-Aktuelt-Helserelatert bruk av Internett i den norske befolkningen. Tidsskrift For Den Norske Lægeforening, 126(22), 2950–2953.

    Kummervold, P. E., Chronaki, C. E., Lausen, B., Prokosch, H. U., Rasmussen, J., Santana, S., . . . Wangberg, S. C. (2008). eHealth trends in Europe 2005-2007: a population-based survey. J Med Internet Res, 10(4), e42. Available at: https://doi.org/10.2196/jmir.1023

    Sørensen, T., Andreassen, H., & Wangberg, S. (2014). Prosjektrapport. E-helse i Norge 2013. Retrieved from

    Wangberg, S., Andreassen, H., Kummervold, P., Wynn, R., and Sørensen, T. (2009). Use of the internet for health purposes: trends in Norway 2000–2010. Scandinavian journal of caring sciences, 23(4), 691–696. Retrieved from http://onlinelibrary.wiley.com/doi/10.1111/j.1471-6712.2008.00662.x/abstract.

    Wangberg, S. C., Andreassen, H. K., Prokosch, H. U., Santana, S. M., Sorensen, T., and Chronaki, C. E. (2008). Relations between Internet use, socio-economic status (SES), social support and subjective health. Health Promot Int, 23(1), 70–77. Available at: https://doi.org/10.1093/heapro/dam039

     

     

    5. Cyber security in the Nordic Countries

    5.1 Introduction

    The digital infrastructures in all Nordic countries continue to expand and deepen their entanglement with society, aiming to offer substantial benefits through deeper, wider, and more reliable coverage of data sources. Consequently, the utilization of information and communication technology (ICT) in the healthcare sector is just as pervasive as in the rest of society. However, as almost all healthcare data are directly classifiable as highly sensitive, and because delivery of health services depends on the integrity, availability, and confidentiality of those data, ensuring information security is vitally important.

    Information security is the term used for addressing all issues related to safeguarding information, regardless of how this information is stored, managed, and utilized. Cyber security focuses on protecting information and systems against threats that arise because they are accessible through information and communication technology. Thus, cyber security not only focuses on protecting data, but also on defending the technology itself. To simplify terminology, we use the term “cyber security” in this chapter to cover both information and cyber security.

    Not all cyber security incidents are a product of criminal intent. Thus, cyber security not only deals with malicious actions, but also with safeguarding against unintended consequences accidentally induced by suppliers or end-users. Furthermore, recent large-scale cyber-attacks such as WannaCry and NotPetya have shown that although health services may not be the intended targets, their broad threat exposure through employees and diverse information systems means they are easily caught in the line of fire and fall victim to untargeted network attacks.

    Internet-based network attacks have been around for many years. However, the growing pervasiveness and connectedness of information technology, and the growing reliance on it, have bolstered public awareness of the importance of information and cyber security. In recent years, we have seen this awareness emerge at a policy level as information security strategies become more widespread, and increasingly mandatory.

    One such initiative is the directive on security of network and information systems, known as the NIS Directive, from the European Commission which entered into force in 2016, and requires member states to include the directive into national legislation by 2018 [1]. Most notably, the NIS Directive obligates member states to define a national strategy for the security of network and information systems, establish a Computer Security Incident Response Team (CSIRT), a national NIS authority, and appropriate security measures for a number of identified essential services – including the health sector.

    This growing awareness and attention to information security at all levels in society, in a networked and borderless world, poses a relevant case for comparing national security initiatives in the Nordic countries. Thus, the aim of this chapter is to establish an understanding of the national and healthcare sector specific security strategies across the Nordic countries. Comparing initiatives at a strategy level can serve as inspiration for strengthening national and local initiatives and may aid in establishing cyber security insight in the council.

    5.2 Methods

    As cyber security is a new addition to the NeRN work, the preliminary goal of the working group was to establish a common understanding of issues pertaining to this field. To establish a shared understanding of the security landscape, and aid in the identification of relevant content for comparative analysis, several cyber security presentations were delivered during network meetings. Strategies, reports, and additional documents were collected by the working group, and used as a corpus for analysis.

    To conduct the analysis, a coding framework was first devised based on a review of the evaluation framework for national cyber security strategies by the European Union Agency for Network and Information Security (ENISA – www.enisa.europa.eu) [2]. Furthermore, the strategies were assessed using guidelines from the International Telecommunication Union’s Guide to developing a national cybersecurity strategy [3]. These sources comprised the aspects by which we assess the various national and sector-specific strategies, as depicted in Figure 2. This analysis is conducted against a backdrop consisting of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity [4] and the Cybersecurity Capacity Maturity Model for Nations (CMM) by the Global Cyber Security Capacity Centre, which evaluates cybersecurity capacity from five dimensions [5].

    Figure 2: Analysis framework

    [Figure: Framework for Improving Critical Infrastructure Cybersecurity]

    The national strategies were first evaluated based on codes devised from the ENISA framework by coding strategies according to occurrence of the following four objectives:

    • Awareness – Aiming to enable knowledge of cyber security issues.
    • Collaboration – Seeking to foster internal (national) partnerships as well as external relations.
    • Monitoring – Strengthening projection of resources and tracking threats.
    • Support – Allocating necessary resources to establish sustainable conditions for cyber security through legislative actions, allocation of resources, ethics, and advisory support for key societal functions such as the police force.

    After an initial round of coding, sub-groups were added to the four objectives to enable a deeper understanding of the nuances of each objective.

    Figure 3: Objective sub-groups

    [Figure: Awareness, Collaboration, Monitoring, Support]

    Additionally, strategies were coded to highlight inputs (resources made available for the implementation of the strategy), core activities through which the outputs and outcomes are pursued, and outputs (direct results of program activities such as reports, improved frameworks, capabilities, response plans and training programs). Depending on the perspective of the initiatives, results can be classified either as outcomes, on a short to medium term, or as impacts, on a long term (10+ years).

    5.3 Materials

    Initially, a map of national strategies, health sector specific strategies, relevant secondary reports, and threat assessments was compiled by the research network.

    Table 8: Overview of strategic corpus

    Columns: National strategy; Sector strategy; Supporting material; Threat assessments.

    Denmark: “Danish Cyber and Information Security Strategy” (2018); “A strengthened collective cyber and information security effort” (2019); “Målepunkter for informationssikkerhed” (2013); “Cybertruslen mod sundhedssektoren” (2018)

    Finland: “Finland’s Cyber security strategy” (2013); “Implementation programme for Finland’s Cyber Security Strategy for 2017–2020” (2017); “Tietoturvan vuosi” (2018)

    Iceland: “Icelandic National Cyber Security Strategy 2015-2026” (2015)

    Norway: “National Cyber Security Strategy for Norway” (2019); Bransjenorm for informasjonssikkerhed og personvern i helse- og omsorgstjenesten (2018); “Vurdering av indikatorer for informasjonssikkerhet” (2017); “List of measures – National Cyber Security Strategy for Norway” (2019); “Nasjonal e-helsestrategi 2017–2022”; “Situasjonsbilde 2018” (2018)

    Sweden: “Nationell strategi för samhällets informations- ock cybersäkerhet” (2016) [6]; “Vision e-hälsa 2025” (2016); “En bild af landstingens informationssäkerhetsarbete 2018” (2018)

    It was not possible to identify and retrieve all types of material for all the Nordic countries. This does not necessarily indicate that a given type of document is non-existent, although it does point to the difficulty in acquiring the information.

    5.4 National Cyber Security Strategies

    The aim of national cyber security strategies (NCSS) is to inform society of its position in a complex information-dependent landscape, and to make a statement of how to face the challenges on a political, governmental, and societal level. One intended effect is to establish an awareness of the potential consequences of threats, thereby incentivizing pre-emptive actions and adequate responses [1]. The globalized nature of information technology results in a homogenous threat landscape. Still, different capabilities and circumstances render variances in risk. The NCSSs are therefore developed on the basis of each Nordic country’s own security objectives and national interests.

    In general, the purpose of the NCSSs is to induce trust amongst participants in digital markets by raising awareness, strengthening collaboration, and boosting resilience, thereby strengthening the nation’s overall level of security so that the countries become more competitive and attractive markets for business, and furthering the continuation of technological development. As strategies go, the cyber security strategies are often statements of intent and aim, rather than dissemination of specific initiatives and activities.

    5.4.1 What is typically included in a strategy

    As the Nordic countries are in the forefront of societal digitalization, their ICT infrastructures are highly dependent on existing in a secure and well-functioning digital arena. An important part of the strategies is therefore the identification of vulnerabilities and threat assessments in the existing cyber domains and establishing a better understanding of the consequences of breaches and breakdowns. However, they also act as ethical guidelines, support statements for businesses, research and innovation, and assurance of compliance with international standards and legislation.

    A general tendency in the NCSSs is that each nation has formulated a few, very broad, overall benchmarks as the foundation of its strategy. All the initiatives, inputs, outputs, objectives, activities, outcomes and impacts support one or more benchmarks. A comparative analysis of the NCSS benchmarks for the five countries showed that, like the threat landscape, they are predominantly homogenous. The benchmarks vary among the nations in frequency and emphasis, but overall, they can be summarized into the following dimensions: strengthening competencies, collaboration, everyday safety, resilience and legislation.

    Table 9: Mapping of benchmarks

    Country: Denmark, Finland, Iceland, Norway, Sweden

    Number of benchmarks: 3, 3, 4, 5, 6

    Strengthening competencies: Better competencies through research, public awareness, partnerships, and organizational culture. Everyone can effectively utilize a safer cyber world and the competencies arising from cyber security measures. Capacity building by equipping the public, enterprises and government with knowledge, skills and equipment. Improved cyber security competence is aligned with the needs of society. Increase knowledge and promote development of competences.

    Collaboration: Joint efforts combining initiatives from each sector, management of outsourcing, better coordination, and emphasis on data ethics and protection. Become a global forerunner through investment in cyber security research, development, and management of service disruptions. A stronger cooperation between the business community and authorities. Secure a systematic and joint approach to working with information and cyber security. Strengthen international collaboration.

    Everyday safety: Everyday safety by establishing sector specific cyber security coordination, better regulation, improved monitoring, and easier reporting and sharing of security incidents. Critical societal functions are supported by robust and reliable digital infrastructure. Businesses can digitalize in a secure manner and be able to protect themselves against cybercrime. Increase security in products, networks and systems.

    Dealing with cybercrime / Resilience: Secure vital functions against cyber-attacks/threats in all situations. Improve police forces ability to tackle cybercrime and improve the resilience of national information systems. The Police have strengthened their ability to prevent and combat cybercrime. Preventing and combat cyber related crimes. Strengthen the ability to prevent, detect and dealing with cyber accidents and other incidents. Development of a cyber defense for sensitive activities.

    Legislation: Strengthened legislation to match international demands, while supporting innovation. Ensure that legislation meets the changing demands of protective security.

    5.4.2 Similarities and differences of national strategies

    All NCSS’s are founded on EU directives, and all the strategies emphasize the importance of external collaboration. The incentive for the countries’ collaboration in the ICT domain can be explained by the fact that there are no country borders on the internet; if one EU country has been hacked, it can have a “spill-over” effect of negative consequences on the other EU countries.

    5.4.3 Ethics

    The balance between safeguarding and utilization of confidential citizen and healthcare information has always been closely tied to ethical considerations. We observe that this issue is addressed somewhat differently by individual countries. Sweden greatly emphasizes the importance of maintaining democratic values in the digitalized society, while also protecting population health, rule of law, human rights and individual freedom. A similar tone is found in the strategies from Finland and Iceland, which highlight human rights as basic rights, but also point to the fact that a well-functioning ICT infrastructure is a means to promote freedom of speech. The Norwegian and Danish approaches are slightly different, with more focus being placed on assuring citizens that the digital solutions and services are trustworthy and safe to use.

    5.5 Analysis of objectives

    The benchmarks reviewed in Table 9 map well with the Objectives metric from the ENISA framework we utilized for coding the strategies. The objectives are shown in Figure 4 for each country, with each objective type as a ratio of total code registrations for the country, e.g. 30% of all code highlights for the Norwegian strategy belonged to the Collaboration category. As the publication dates of the strategies span more than five years, a direct comparison is not feasible. However, we observe that across all countries and objectives, Collaboration and Support are the two objectives most strongly weighted, followed by Awareness. Monitoring, of both assets and threats, is the least mentioned objective.

    Figure 4: Ratio of coded objectives in national strategies

    This is likely because monitoring is the most tangible objective, and thus also the most dynamic aspect of all four objectives. Monitoring is instead addressed in implementation plans and security requirement specifications. Furthermore, although network attacks and threats know no borders, the NCSS should be read in the context and history of each nation. E.g., in both Sweden and Finland, the strategies are a piece of a broader preparedness plan.

    5.5.1 Assessment of Activities, Inputs/Outputs, and Short vs. Long-term aims

    Due to the different target audiences and recency, the distribution of the remaining codes used in the strategy analysis is very diverse. Regarding activities listed in the strategies, some are of an establishing character, e.g. in Denmark the strategy intends to “establish a single digital solution for the reporting of ICT security incidents”, while other activities seek to standardize, e.g. in Sweden: “there is a need to carry out activities such as performing risk assessments, mapping security-sensitive assets and determining levels of protection with associated security measures based on and supported by a common model for systematic cyber security efforts”.

    Looking at the distribution of phrases coded as either outcomes (short-term effects) or impacts (long-term effects), all countries balance short and long-term outcomes. Of all countries, the Swedish strategy most strongly emphasized long-term effects. This is stated as an intent to safeguard Swedish interests in the “context of a large number of processes encompassing political, legal and technical aspects. It also requires better coordination and dialogue between relevant stakeholders nationally”.

    The NCSS’ vary substantially with regard to how directly they address resource allocation. In Denmark, Norway, and Finland this is partly specified as sectoral responsibilities, while also being supported by financial resources nationally. E.g., the Danish strategy states that 1.5 Bn. DKK will be invested in strengthening information and cyber defenses.

    Across all NCSS’, responsibility to maintain safety and security is explicitly stated as being shared across all participants, both private and public. Thus, the private sector/business community has a responsibility to conduct assessments and to implement, uphold, and invest in cyber security. How much this effort is supported by government, or directly includes the business community, varies.

    5.5.2 Maturity of strategy development

    Utilizing the CMM tool [5], the general state of maturity of the strategy development across NCSS’ is deemed to be established (see footnote 1), as all strategies mention objectives that to varying extent are being realized by specific initiatives. More consideration regarding allocation of resources, and more specific declaration of performance indicators would lift the maturity level.

    In this regard, it is important to differentiate between the maturity of strategies, and the actual maturity of national cyber security and resilience. E.g., all Nordic countries have a national Computer Security Incident Response Team (CSIRT) and have established international partnerships to share knowledge of incidents.

    All NCSS’ touch on the CMM strategies as well, but with different emphasis. In Denmark, a lot of attention is given to developing cyber security knowledge and encouraging a culture of responsibility. An example of this is “Initiative 2.2 – Information Portal”, which promises to establish a dynamic resource and information platform for citizens, businesses and authorities alike. The Swedish strategy, by contrast, is more specific with regard to supporting enforcement of legislative frameworks.

    Footnotes

    1. ^ Maturity stages range from: Start-up, Formative, Established, Strategic, and Dynamic.

     

    5.6 Cybersecurity strategies in Healthcare

    Health care stands out amongst the six other sectors defined in the NIS directive due to its inherent openness, as its very nature is to embrace and service public needs through open institutions. Furthermore, the majority of health care workers have direct access to the core information systems that are essential to the daily operation of health care services. This is necessary as availability of information is crucial, but it also poses one of the major hazards, as the risk of compromising integrity and confidentiality is amplified.

    In this section, we compare the reports and guidelines intending to improve information and cybersecurity in the Nordic countries. Unfortunately, it was not possible to identify publications from all countries; leaving us with a review of Sweden, Norway and Denmark (see Table 8). The three publications from these countries are vastly different in their scope, intent, and targeted audience. Nevertheless, we strive to provide a comparison of their stated objectives as these direct us toward the overall aim of each publication.

    5.6.1 Format and intended audience

    Comparing format and intended audience, “Bransjenorm for informasjonssikkerhet og personvern i helse- og omsorgstjenesten” from Norway is more akin to a continuously revised guideline than a strategy report. One of Bransjenormen’s intended uses is as a document of agreement between suppliers and the health sector. Thus, we find recommendations for how to correctly handle information security while safeguarding the integrity of citizens through a number of requirements, such as establishment of data life cycle and classification protocols for handling sensitive information. E.g., “The company must maintain a list of all ICT equipment. This includes desktop computers, laptops, cell phones, servers, networking equipment etc”.

    From Denmark, the strategy “En styrket, fælles indsats for cyber- og informationssikkerhed” is considerably more oriented towards the policy level through its listing of four tracks, each including initiatives related to prediction, prevention, detection, and response. E.g., all members of staff in the healthcare sector are required to receive training in cyber- and information security. This strategy report is structured to convey complex and far-reaching initiatives, of which many remain financially unsupported. Finally, the Swedish health care vision for e-health from 2016 is less operational than the Danish strategy, but conversely provides a more value-driven approach with more emphasis on the importance of safeguarding the confidentiality of citizen health data. E.g. “The starting point in regulatory work in e-health, is to balance rights or interests such as protection of personal integrity, quality, security, and efficiency”.

    5.7 Comparison of objectives

    Figure 5 plots the ratio of codes assigned to each category for Denmark, Norway and Sweden. Here we clearly see the impact of the temporal scope of each publication, as the long-term vision set forth by Sweden forgoes any focus on the aspect of awareness, as this is pointless in a 10-year timespan where technology diffusion is hard to grasp.

    Figure 5: Ratio of coded objectives

    Another obvious characteristic from Figure 5 is the low frequency of Collaborative objectives in the Norwegian guideline. However, referring to the purpose of Bransjenormen as an information security guideline for requirements between a technology supplier and a provider of health services, collaboration can be stated as the principle underlying the entire document. The operational aspect of Bransjenormen is also evident through its extensive references to legislation and standards, both nationally and at an international level, e.g., with references to the General Data Protection Regulation from the European Union. The safeguarding of personal sensitive information is also referred to as a key component in future initiatives (Nasjonal e-helsestrategi 2017–2022).

    The extent of the Danish strategy in terms of scope and audience is best exemplified through the even distribution of code categories, but also its focus on the entire stakeholder group consisting of citizens, clinicians, IT professionals, and local and national Computer Security Incident Response Teams. The latter are currently receiving substantial focus and support in Denmark, both in terms of support for the top-level National Center for Cybersecurity, and with regard to the establishment of a decentralized cyber- and information security unit.

    Provider-patient confidentiality has always been a fundamental part of health care. Still, ICT related security concerns might not be at the forefront of clinicians’ daily agenda. To remedy this, training and campaigns seek to boost awareness. Still, dedicated support structures are needed to fully secure the ICT environment. This aspect is elaborately covered in the Danish sector strategy with an illustration of management, roles and responsibilities in case of a cyber security crisis. Similar initiatives are mentioned in the Norwegian e-Helse strategy for 2017–2022, but in less detail.

    5.8 Measuring security and threats

    In parallel to the policy and management driven initiatives seeking to formulate strategies for information and cybersecurity, there is a need to gauge the depth and effectiveness of the initiatives. To achieve this, several countries have published reports on indicators for measuring information and cyber security. These indicators are typically grouped in a number of top-level categories, e.g., in the Danish report “Målepunkter for informationssikkerhed” with three groups:

    • People – indicative of the effectiveness of the security measures which depend on human activities, attitudes, behaviour, and organizational culture.
    • Processes – covers the effectiveness of procedural guidelines and instructions.
    • Technology – assesses the effectiveness of security measures dependent on technology.

    These groupings take their starting point in the ISO 27001 standard, which guides the standardization of information security management systems.

    Another frequently used framework for structuring initiatives is the Confidentiality, Integrity, Availability heuristic. In the Swedish report “En bild av landstingens informationssäkerhetsarbete 2018” by Myndigheten för samhällsskydd och beredskap (MSB) [7], these three traits are rooted in the utilization of various technical support tools: Domain Name System Security Extensions (DNSSEC – Integrity) to reduce the risk of phishing attacks, Transport Layer Security (TLS – Confidentiality) to encrypt traffic properly, and version 6 of the Internet Protocol (IPv6 – Availability) to ensure capacity for continued network growth. These three areas were assessed on selected web-sites for all Swedish regions using automated testing. This approach was found to be an effective mapping of the overall state of information security in the regions. Although a few regions scored high despite spending few staff resources on information security, the general picture is that results from the automated test are positively associated with allocated resources.

    Turning our attention to the threat landscape, in addition to measuring security capabilities, trends in threat perception point not only to external hazards, but also to internal risks through weak points and shortcomings.

    In Norway [8] the recommended countermeasures largely seek to improve preventive capacity through segmentation, access control, and application whitelisting. Awareness and a more widespread culture of security, and deeper insight into the software, hardware and information inventory, are recommended as the main approach to reducing the risk of unintended disclosure and exposure. Similar proposals are present in Finland, in the annual Information security (Tietoturvan vuosi) report by the Finnish Transport and Communications Agency and the National Cybersecurity Centre. Here outsourced services or other 3rd party dependencies are emphasized as a main threat – similar to the threat posed by a lack of visibility into one’s own information systems.

    In July 2018, the Danish Center for Cyber Security published an assessment of the threats facing the health sector – focusing on the threat from cyber espionage, crime, activism, and terror. While the risk of targeted destructive attacks is deemed low, the risk of intentional breach of research and treatment data is very high. This assessment is in line with the current political climate with few offensive military engagements and a high focus on research and innovation. Espionage campaigns, on the other hand, are typically driven by financial incentives, and can have long-term negative effects on the public’s trust in sharing their personal health data.

    Although there are substantial differences in how the national assessments of threats, strengths and weaknesses are presented to the public in general, all assessments and reports stress the importance of improving risk and threat awareness through education and persistent everyday focus on adversarial actions.

    5.9 Conclusion and Future directions

    During the last mandate period, cyber- and information security was included as a new dimension of relevance to the Nordic eHealth Research Network. As such, one of the main aims of this work has been to identify future actions and initiatives of relevance to the research network.

    In this chapter, we have presented the main aims and points of the available national cyber- and information security strategies. A table of strategies, assessments, and supporting documents has been compiled. It is possible that some material may have been missed, especially from Iceland and Finland. Future work should seek to rectify this concern.

    In conclusion, we observe a trend towards cyber security strategies becoming more substantial and tangible. Consequently, national strategies are broadening their recipient scope by becoming more oriented towards citizens as well as decision makers. In evaluating health sector specific approaches, we found considerably different approaches from Norway, Denmark and Sweden. These differences may serve as inspiration in every national council and strategic working group. The coding framework used in the strategy analysis can be used as a starting point for investigations into the operationalization of strategies through interviews with decision-makers and managers. Common to all the reviewed threat assessments and indicator suggestions, it is evident that the majority of challenges are related to the human aspect. Tightening the line requires an unwavering and continuous focus on education and a heightened awareness on a daily basis.

    Additionally, as a part of the Danish indicator survey of clinician use of health IT systems, three new questions were added to investigate how clinicians relate to IT security through their awareness, attitude, and behavior towards information security awareness. Results from the survey are currently being analyzed to establish the validity of the questions, and to probe for any correlations between clinical profession, region of employment, overall satisfaction, and information security awareness. These questions can be refined and adjusted to be included in the surveys in other countries.

    5.10 References

    [1] European Parliament, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, 2016.

    [2] European Union Agency for Network and Information Security, An evaluation Framework for National Cyber Security Strategies, 2014.

    [3] International Telecommunication Union, Guide to Developing a National Cybersecurity Strategy, 2018.

    [4] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, 2018.

    [5] Global Cyber Security Capacity Centre, Cybersecurity Capacity Maturity Model for Nations (CMM), 2016.

    [6] Sweden, Nationell strategi för samhällets informations- och cybersäkerhet, 2016.

    [7] Myndigheten för samhällsskydd och beredskap, En bild av landstingens informationssäkerhetsarbete 2018, 2018.

    [8] Norsk Helsenett, Situasjonsbilde 2018, 2018.

     

     

     

     

    6. Personas for users of indicators of eHealth availability, use and outcome in the Nordic countries

     

    In the effort to develop indicators for measuring availability, use and outcome of eHealth a recurring question is: Who can benefit from the indicators we develop? The target group for policy strategies and evidence of status is very broad and complex. It is a real challenge to ensure that data and information is communicated to the right persons in a comprehensible form. Developing fictional personas can be a way of improving the way we work.

    Personas are fictional characters that we created based upon our knowledge in order to represent different types of users. This can help us to direct our research to develop indicators of eHealth availability, use, and outcome in the Nordic countries. The creation of the personas will help us to better understand the users’ needs, experiences, behaviors, and goals. The process can help us to step out of our own narrow outlook and point out the aspects of indicator development that we must encompass. Furthermore, it will help us to choose the most effective channels of communicating the results that we produce.

    6.1 Persona development

    In the following, we outline the characteristics of the personas currently identified.

    The characters are:

    • Citizen
    • Patient
    • Clinician
    • Policy Maker
    • Industry CEO
    • Politician
    • Health institution manager
    • Researcher
    • IT Professional.

    The personas and their characteristics were developed over a long period of time. They are the result of many years of experience from research, brainstorming, discussions and workshops. The workshops helped align the use of the personas across the Nordic countries, because the NeRN researchers all took turns working on each of the personas created and adding their knowledge to it.

    For personas to be a helpful tool in identifying indicators, it is important to characterize each persona in detail, which makes it easy for the user to imagine the persona as a whole. The personas are therefore described by their demography, biography, questions asked, technological abilities, goals, and fears/challenges. Demography is a short description of their age, education, occupation and family situation. This provides the basic foundation of the persona. The biography goes a bit deeper into the persona and provides us with more information about their personality. The next paragraph, Questions asked, contains questions that the persona could pose in different situations and in relation to different matters. They have been added to the personas to provide an extra dimension to the persona design and to make the user pay attention to any possible conflicts that could occur in both the short and the long term. The next section, technological proficiency, describes how proficiently the personas can use different kinds of technology and tells us something about how much they are using it. This gives the user an idea of how, and through which channels, to communicate with the specific persona.

    Goals and fears are incorporated as a way for the persona-design user to identify how and where their research/policies align and/or differentiate from the end-users (Arthur McCay [2017]). Lastly, each persona is associated with a number of relevant current, or future, indicator aspects. The number of indicators identified varies among the personas, e.g. we have identified zero to two indicators for the Patient Greta, which tells us that there are not necessarily any indicators that she would be interested in.

    6.2 Using persona design

    As mentioned in the introduction, the persona design helps widen the perspective of the researcher; taking the personas into consideration helps both to encompass and to target the research in an effective manner.

    The persona design also functions as a great tool for policy making. Not only do the personas offer a more concrete way of focusing a specific policy on a segment, they also help the policy makers to be aware of possible pitfalls that could occur in the implementation process or the policy’s practical function. Or put another way, making policies with a design thinking approach, such as Personas, may help the policies to become more user-centered and applicable (Beatrice Andrews [2013]).

    In practice, the persona design is done by asking the following questions: “If the system/technology/research/policy is to be successful, which persona is most essential/critical to please? And where/with whom does it conflict?” (Jeff Patton [2010]).

    The design of personas is a dynamic and agile process. As the work with developing indicators and writing strategies progresses, new issues emerge and add new aspects to the personas. In this report we have included nine different personas. However, we have further discussed e.g. different patient or citizen groups with chronic diseases or with family carer obligations. New personas with other roles can be developed in the future.

    6.2.1 Citizen

    Name: Silje
    Age: 35 years old
    Education: Biochemist
    Occupation: Works full time as a biochemist
    Status: Married
    Children: Two under the age of 10 years old
    Her mother has Alzheimer's disease

     

    Biography

    Silje works as a controller in the pharma industry and lives a busy life. While managing the daily needs of her closest family, Silje also engages in the caretaking of her extended family. Generally, Silje is satisfied with the healthcare system, but she values access, control, and transparency. She categorizes herself as having a generalized trust towards authorities and society, but at the same time she is not afraid to ask questions and double-check the answers afterwards.

     

    Questions asked:

    - How do I make sure that my family gets the best possible care?

    - Something about data security. 

     

    Technology proficiency:
    IT and internet: Strong
    Software: Strong
    Mobile/tablet apps: Strong
    Social media: Medium

     

    Goals:

    • Well-functioning, easy to use, access to her own healthcare data, as well as the data from selected family members in one single point of access.
    • Access to treatment and appointments for all selected family members.
    • Control and transparency of her own data managed by the healthcare system.
    • Insight into quality indicators of all relevant healthcare institutions.
    • To participate as a citizen in further improvement of the healthcare system.
    • To enhance her own health to stay strong and able as much as possible.

     

    Fears/challenges:

    • Fears missing valuable information concerning the treatment of family members.

    • She does not fear loss of privacy but is more afraid of losing overview of her data.
    • She thinks the development and implementations of eHealth solutions are way too slow.
    • She would like to see a quicker progress on PRO and personal apps.
    • Fears missing out on important information about her mother’s health because the information was communicated on a different “channel/media”.

     

    Indicators:

    • PRO and personal apps.
    • Upcoming functionalities.
    • Indicators of patient appointment functionality.
    • Possibility of expressing needs and wishes of new functionality.
    • Citizen usability.
    • Healthcare data access.
    • Data control. 

    6.2.2 Patient

    Name: Greta 
    Age: 86 years old
    Education: Teacher
    Occupation: Retired
    Status: Widowed
    Children: Two daughters, Silja and Anna
    Disease(s): Alzheimer/dementias

    Biography:

    She lives in her own home. Had a fall accident and was hospitalized.

    Greta cannot manage her appointments on her own.

    With respect to Greta’s legal competence the two daughters do not agree. Anna thinks her mother should be legally in charge, and that she should continue to live in her own home.

    Silja thinks that Greta should not be legally in charge and that she should move to a nursing home in her neighborhood. Greta can manage her radio and TV set, and a land line telephone, but not a mobile or smart phone, computer or tablet. Greta has a high level of trust in authorities.

     

    Questions asked:

    - What services are available for me?
    - What is going to happen?
    - Who can help me at this point?
    - How do I and my daughters get information? Via which channels?

     

    Technology proficiency:
    Radio and TV: Good
    IT and internet: None
    Software: None
    Mobile/tablet apps: None
    Social media: None

     

    Goals:

    • To feel safe.
    • To be as little of a nuisance as possible for her daughters and caretakers.
    • To experience as few healthcare handovers as possible.

     

    Fears/challenges:

    • Easily confused, Greta has a low confidence in data safety and IT in general.
    • Fears losing ability to live independently and taking care of herself.
    • Fears losing herself to Alzheimer, and death.

     

    Indicators:

    • Anything related to her condition.
    • Indicators to assist with selection of care facilities.

    6.2.3 Clinician

    Name: Sigurd
    Age: 56 years old
    Education: MD Cardiology
    Occupation: Practical patient contact on the floor level as well as departmental administration "office".
    Includes viewpoints from nurses, midwives, therapists.
    Status: Married
    Children: None

    Biography:

    Sigurd has spent many years perfecting his skills in cardiology. Doing so, he has worked at a number of hospitals, larger as well as small ones. Sigurd has management responsibilities in his department and is engaged in a number of smaller research projects on the side. When he is not on duty, Sigurd often works from home to get things done. Sigurd is slightly skeptical of information systems in health care, and often experiences frustration with communication channels.

     

    Questions asked:

    - How good and efficient is our department compared to similar departments in other hospitals?

    - How do I engage with patients when they are not admitted or in direct treatment?

    - Are my patients getting better? What are the latest guidelines? How do I access clinical data nationally for my research?

    - Can I trust the data and results I’m getting?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Strong
    Mobile/tablet apps: Strong
    Social media: Low

     

    Goals/important issues:

    • Reliable health information systems – stability, security and confidentiality are important.
    • To deliver the best possible quality of services – medical measures, access to clinical guidelines.
    • High usability – access to data, user friendliness, shared information (medication), HIE, notes, prescriptions.
    • Intelligent warnings or alerts – medical interventions, allergies, abnormal test results.
    • To work in a healthcare system where patients are satisfied with the treatment they are given, which also includes communication, reduced waiting time, and comprehensive information.
    • Insight into treatment outcomes, quality control data.
    • To do his work with the least amount of friction imposed by information technology.

     

    Fears/Challenges:

    • That patient data in different health sectors are not being shared and used to provide the best possible treatment for patients.
    • To be unjustifiably accused of malpractice by patients squeezed by the healthcare system.
    • To mishandle his management responsibilities due to lack of insight.
    • To not get accurate, timely and proper information regarding his patients.
    • To be incapable of engaging with patients in a manner that is helpful and easily available to them.
    • Attention to the time from expressing alteration wishes (e.g. to EHR) to actual change.

     

    Indicators:

    • Ease of use.
    • Integration between systems.
    • Value of data gathered in clinics.
    • Survey of how e-health works in real life (channel to express views).
    • What’s in it for me data.
    • Time from expressing alterations to actual change.

    6.2.4 Policy Maker

    Name: David 
    Age: 40 years old
    Education: M.Sc. Political Science
    Occupation: Policy maker in a small-to-middle sized town
    Status: Divorced
    Children: One teenager

    Biography:

    He has good analytical skills; he drafts policy papers and needs data to compare.

    He could use a good monitoring database with annual assessments of reporting of data (national and regional).

    He is process focused and pragmatic, but subject to the regulatory framework (limitations and obstacles). He is a policymaker at several levels: local, regional, and national. David is very detail oriented in every aspect of his life. He would rather have too much information than too little. In his spare time, he likes to spend time with his child and go fishing.

     

    Questions asked:

    - Do the institutional frameworks put constraints on political and legal issues?
    - Policy evaluations and follow-ups?
    - Are we lagging behind?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Medium
    Mobile/tablet apps: Medium
    Social media: Medium

     

    Goals:

    He wants clear messages and needs focused information.
    Outcome focused on:

    • Clinical data.
    • Economic data.
    • Quality data.

    He has a big need for knowledge about things that work.
    He requires knowledge-based facts – e.g. knowledge about international trends.

    Indicators would support him with data on:

    • Patients’ preferences.
    • Contextual aspects: Type of care, technological infrastructures, administration systems etc.
    • Benchmarking data.

     

    Fears/challenges:

    • National/regional/local level – how are the policy goal implementations progressing, what are the differences between regions.
    • Afraid of being misunderstood and making decisions based on misinformation.


    Indicators:

    • International benchmarking.
    • Privacy: Attitudes, cost, access.
    • ICT integration.
    • Patient benefits (= impact): Access, use, benefits satisfaction.
    • Quality and outcomes.
    • Cost/benefit.

    6.2.5 Industry CEO

    Name: Alice
    Age: 51 years old
    Education: Computer Scientist
    Occupation: CEO of large software development company.
    Status: Married
    Children: A grown up son

    Biography:

    Alice lives in a non-European country but travels a lot to Scandinavia as several of her business clients are situated there. During her travels she spends her time reading up on the latest developments and business-related challenges within her markets. Alice is driven and works long hours. She only uses private healthcare.

     

    Questions asked:

    - What new opportunities do I see in the immediate and far future?

    - What are the overall trends of the market?

    - Are there any risks we should be aware of in particular?

    - How is my system performing in relation to other systems? (benchmarking), how can I improve my competitiveness?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Strong
    Mobile/tablet apps: Strong
    Social media: Strong

     

    Goals:

    • Develop a deep understanding of health systems
      • What they are.
      • How they should change.
      • How e-health systems can facilitate change.
    • Manage conflicting demands from different deep-pocketed customers.
    • To create a competitive, market-leading, product. Interested in scalability – from 250 to 25,000 users.
    • Wants to prove value from using the system (=> monitoring) – means that vendor will need allowance to access systems.
    • She wants reputation control to avoid vendor blaming.
    • Wants to obtain some of the value that lies in the data that are stored in the system to extract knowledge from data – e.g. population health management, predictive modelling.

     

    Fears/challenges:

    • Losing market shares.
    • Bad publicity for products deployed at customer sites.

     

    Indicators:

    • Actual use.
    • Perceived value of the system.
    • Technical reliability and robustness.
    • Benchmarking vendors.

    6.2.6 Politician

    Name: Herlof
    Age: 56 years old
    Education: B.Sc. in Political Science – never completed his M.Sc. degree
    Occupation: Minister of Health, potential Prime Minister
    Status: Married
    Children: No children

    Biography:

    Herlof has been the Minister of Health for the last two terms that his party has been in government. He went into politics twenty years ago with a main interest in the field of labour market politics. But after some years his interest moved towards the health sector and health in general. He believes in the good in people but also that they need a push in the right direction. Despite his idealistic beliefs, he still knows that there is a need for making the health sector more efficient to deal with the future challenges. In his spare time, he likes to spend time with his wife and go hiking.

     

    Questions of concern:

    - How can I get the fastest possible results with a minimum cost?
    - Knowing how national health data are relevant for international research projects?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Medium
    Mobile/tablet apps: Medium
    Social media: Medium

     

    Goals:

    Wishes to initiate changes in the use of ICT in a good way. Engaged in promotion of family values and healthy living.

    • Is interested in good stories in specific areas:
      • International benchmarking.
      • Security and safety for individuals.
      • Save more lives.
      • More health for every Euro/Krone spent.
      • Patient outcomes.
    • Wants every deviation and breach in security to be documented.
    • Wants an overview of safety cultures, resources spent on safety and security.
    • To be reelected for another term.

     

    Fears/Challenges:

    • Holistic use of ICT solutions – system integration.
    • The effects of using eHealth – dissemination.
    • Reducing travel and transport expenditures for patients and health providers.
    • Reducing the length of stay in hospitals.
    • Improve empowerment of patients.
    • National/regional/local level - how is my region doing in relation to other regions/ national level in respect to national goals.
    • Not making a positive change.

     

    Indicators

    • Outcome measures:
      • users
      • economy
      • patients
      • efficiency
    • Overview of investments
    • Database on log AND surveys
    • Comparable information
    • Overview and arguments
    • Longitudinal – monitor progress
    • National and international data

    6.2.7 Health institution manager/CEO

    Name: Nette
    Age: 53 years old
    Education: Master's degree in public administration
    Occupation: Hospital CEO
    Status: Married
    Children: Three, two adults and one teenager.

    Biography:

    Nette is very thorough, competitive and ambitious as a person. She is relatively new in the position as a CEO, but she has been working as CEO at another hospital for many years, which has made her familiar with the daily challenges present at a hospital. She has a natural flair for numbers and a great interest in the process of optimizing workflows.

     

    Questions of concern:

    - What are the needs for services within my region?
    - How are our services meeting the needs? What is the performance level of my institution in relation to other organizations/national level (cost and effectiveness)? How do clients use the services?
    - How can the services be developed further to improve their competitiveness?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Strong
    Mobile/tablet apps: Medium
    Social media: Strong

     

    Goals:

    • Analytics of indicators – used as decision support.
    • Staff perception of useful systems.
    • Balance staff and customer satisfaction.
    • Patient satisfaction.
    • Patient’s access to own EHR.

     

    Fears/challenges:

    • Regulatory concerns (IT-security).
    • Report upwards (regional administration and politicians).
    • Budget cuts and whimsical politics.
    • High cost of IT employees:
      • Operations
      • Maintenance.
    • Lack of collaboration, and challenges with communication among primary and secondary providers.
    • Privatization of healthcare, regionally and internationally.

     

    Indicators

    • Compare/benchmark to other hospitals.
    • Basic indicators – economics
      • IT cost
      • Collaboration.
    • Indicators are tools for discussion.
    • Analytics of (meta)indicators.
    • Help to find relevant indicators (What to analyze).
    • Quick access to different indicators.

    6.2.8 Researcher

    Name: Gunnar
    Age: 48 years old
    Education: Ph.D. in Medical Informatics
    Occupation: Professor in medical informatics
    Status: In a relationship
    Children: Two step-children from his partner

    Biography

    Gunnar is involved in multiple research projects within eHealth services. He utilizes his engagement in research for teaching as well as for networking with fellow researchers nationally and internationally.

     

    Questions asked

    - What are the most recent findings within my research fields? How can I make my own contributions visible and accessible to my peers?
    - Where and how do I get access to data about patients?
    - What threats and risks should I be aware of in my work?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Strong
    Mobile/tablet apps: Strong
    Social media: Low

     

    Goals

    • To publish scientific papers and reports on his research work.
    • To keep up to date with recent developments within his field.
    • To collaborate with colleagues internationally.
    • To utilize indicators in his work, and contribute to their development.

     

    Fears/Challenges

    • Violating the confidentiality of the research data he has access to.
    • Basing his work on obsolete data.

     

    Indicators

    • Patient reported outcomes.
    • Patient involvement.
    • Information technology use.
    • Effect and outcomes of technology use.

    6.2.9 IT professional

    Name: Magnus
    Age: 31 years old
    Education: B.Sc. in computer science
    Occupation: Project manager in Regional health Organization
    Status: Single
    Children: None

    Biography

    • Does not have a great interest in indicators. Is not really aware of whether they can help him in running the local projects.
    • He is rarely confronted with what is happening outside his own region.
    • When he communicates with others it is by means of new media channels such as SMS, snaps, e-mail.
    • Prefers graphic communication of large datasets. He would never read a full report.

     

    Questions asked

    - How is my system performing in relation to other systems?
    - How can I improve my system?
    - What is state of the art within the areas of my IT projects?

     

    Technology proficiency:
    IT and internet: Strong
    Software: Strong
    Mobile/tablet apps: Strong
    Social media: Strong

     

    Goals

    • To manage his projects successfully, including sharing information regarding the capability and strengths of the delivered solution.
    • To stay informed of latest developments within his field and domain.
    • To deliver informative and easy to comprehend presentations regarding the state and end-goal of his ongoing projects.
    • To deliver projects in compliance with legislation, policies, and industry standards.
    • To understand the expectations and needs of the project stakeholders.

     

    Fears/Challenges

    • Failure to reach project deadline.
    • Failure to meet stakeholder expectations.
    • Delivery of a system that does not comply with requirements, including those of legislative and cyber/information security character.
    • He is challenged in understanding the clinical work context of the users.

     

    Indicators

    • Availability indicators.
    • Use indicators.
    • Usability indicators.
    • Technology diffusion benchmarks to other regions.

    6.3 References

    Arthur McCay (2017): How to Create A Persona In 7 Steps – A Guide With Examples. Available at: https://uxpressia.com/blog/how-to-create-persona-guide-examples (Last read 31/7-2019)

    Beatrice Andrews (2013): Using personas to make better policy. Policy Lab Blog. Available at: https://openpolicy.blog.gov.uk/2013/08/08/using-personas-to-help-improve-policy-making/  (Last read 31/7-2019)

    Jeff Patton (2010): How Pragmatic Personas Help You Understand Your End-User. Available at: https://www.stickyminds.com/article/how-pragmatic-personas-help-you-understand-your-end-user (Last read 31/7-2019)

     

    7. Summary and conclusions

    7.1 The impact of E-health strategies in the Nordic countries

    In Chapter two, the analysis taking Institutional Theory as its starting point has proven to provide useful insight into the differences in the governance of eHealth in the Nordic countries. There is good reason to continue this path and expand data collection in individual countries with multiple interviews so that more details can be found in the analysis. eHealth in the Nordic countries is still in the start-up phase, but many practices have been found to be deeply incorporated in the system already. A more detailed continuation of the institutional approach can help in establishing an evidence-based baseline for making concrete political decisions in each of the Nordic countries.

    7.2 Indicator update

    In Chapter three, the model-based approach to developing indicators has the advantage of improving the sustainability and utility of indicators. This may also improve the ability to compare indicators measured in individual countries. Future work should focus on continuing to enable the indicator framework to also support the monitoring of individual countries’ specific national strategies, thereby also helping to make the start-up strategies “evidence informed”.

    7.3 Citizen survey

    In Chapter four, it was outlined that an important step has been taken to harmonize the surveys across countries – there are now many parameters that are measured in the same way in each country. It is still desirable to find a solution as to who will be responsible for the collection of data and how it should be financed nationally. Longevity is crucial in this field, and addressing the challenges of sustainability is important in order to secure the future work of e-health monitoring and development in the Nordic countries.

    7.4 Cybersecurity in the Nordic

    Chapter five is the first step in working towards a better understanding of the cyber security landscape in the Nordic countries from a political strategic outset. The main objective was to identify future initiatives in this field by clarifying the status quo. The comparison of the Nordic countries’ cyber security strategies revealed distinct differences, and similarities, in how each country emphasized the same objectives. Future work should focus on the implementation challenges of the objectives, and how each country prioritizes its cybersecurity effort.

     

     

    About this publication

    Nordic eHealth Benchmarking

    Towards evidence informed policies

    Christian Nøhr, Arild Faxvaag, Chen Hsi Tsai, Guðrún Auður Harðardóttir, Hannele Hyppönen, Hege Kristin Andreassen, Heidi Gilstad, Héðinn Jónsson, Jarmo Reponen, Johanna Kaipio, Maja Voigt Øvlisen, Maarit Kangas, Pernille Bertelsen, Sabine Koch, Sidsel Villumsen, Thomas Schmidt, Tuulikki Vehko and Vivian Vimarlund

    ISBN 978-92-893-6524-6 (PDF)
    ISBN 978-92-893-6525-3 (ONLINE)
    http://dx.doi.org/10.6027/temanord2020-505

    TemaNord 2020:505
    ISSN 0908-6692

    © Nordic Council of Ministers 2020

    Disclaimer

    This publication was funded by the Nordic Council of Ministers. However, the content does not necessarily reflect the Nordic Council of Ministers’ views, opinions, attitudes or recommendations.

    Rights and permissions

    This work is made available under the Creative Commons Attribution 4.0 International license (CC BY 4.0) https://creativecommons.org/licenses/by/4.0.

    Translations: If you translate this work, please include the following disclaimer: This translation was not produced by the Nordic Council of Ministers and should not be construed as official. The Nordic Council of Ministers cannot be held responsible for the translation or any errors in it.

    Adaptations: If you adapt this work, please include the following disclaimer along with the attribution: This is an adaptation of an original work by the Nordic Council of Ministers. Responsibility for the views and opinions expressed in the adaptation rests solely with its author(s). The views and opinions in this adaptation have not been approved by the Nordic Council of Ministers.

    Third-party content: The Nordic Council of Ministers does not necessarily own every single part of this work. The Nordic Council of Ministers cannot, therefore, guarantee that the reuse of third-party content does not infringe the copyright of the third party. If you wish to reuse any third-party content, you bear the risks associated with any such rights violations. You are responsible for determining whether there is a need to obtain permission for the use of third-party content, and if so, for obtaining the relevant permission from the copyright holder. Examples of third-party content may include, but are not limited to, tables, figures or images.

    Photo rights (further permission required for reuse):

    Any queries regarding rights and licences should be addressed to:
    Nordic Council of Ministers/Publication Unit
    Ved Stranden 18
    DK-1061 Copenhagen
    Denmark
    pub@norden.org

    Nordic co-operation

    Nordic co-operation is one of the world’s most extensive forms of regional collaboration, involving Denmark, Finland, Iceland, Norway, Sweden, and the Faroe Islands, Greenland and Åland.

    Nordic co-operation has firm traditions in politics, economics and culture and plays an important role in European and international forums. The Nordic community strives for a strong Nordic Region in a strong Europe.

    Nordic co-operation promotes regional interests and values in a global world. The values shared by the Nordic countries help make the region one of the most innovative and competitive in the world.

    Nordic Council of Ministers
    Nordens Hus
    Ved Stranden 18
    DK-1061 Copenhagen
    pub@norden.org

    Download more Nordic publications from www.norden.org/publications