I recently found this article online at itnews.com.au
(I haven't read much of their content - but it looks up-to-date and across various issues affecting IT in Australia).
This article is about a talk by ADHA chief information security officer Anthony Kitzelmann to the Technology in Government conference, early in August 2017. I haven't been able to find actual transcripts of this talk, so the quote below is rather second hand (or perhaps third hand).
The quote that gets my attention is "But one of ADHA's biggest challenges is working out what an applicable standard for digital health in Australia looks like in lieu of any prescriptive documentation.
“Is the ISM an appropriate standard? Is the ISO standard applicable? HIPAA regulations out of the US? Which one works, which is fit for purpose?” Kitzelmann said.
An internal review conducted in the lead-up to the policy switch to opt-out e-health records found that there were elements of all these standards that could apply to Australia’s e-health ecosystem.
More importantly what came out of the review process was that ADHA needed to change its focus and move to a risk-based governance model.
“If we have a large jurisdiction that has 130,000 employees and a massive investment in their health strategy, we’d expect them to sit [high up] in terms of their security performance,” Kitzelmann said.
“But how do we measure when it’s a general practice run by a husband and wife, the husband is the GP and the wife is the receptionist, IT support and nurse at lunchtime? What do we expect them to do to protect citizen records in an appropriate way? And how do we help them get that balance?
“Because we know quite well they’re going to be sitting on a Windows XP machine that has vulnerabilities up the kazoo, and that it’s going to be a point of egress into the national system that we need to mitigate and manage.
"[However] we also need to understand that it’s irresponsible of us to say ‘you need to be on Windows 10, patched within 24 hours, and running this AV software’ - it’s just not going to happen.”
I've been around General Practice for well over a decade, and I can honestly say that I have never seen a General Practice as described above.
Sure there are still some (many) solo GP Practices, especially in the bush, but the ones that I have seen have fancy IT setups, not a Windows XP machine in sight. I've seen many solo GP practices with Server 2012R2, and Windows 10 Pro networks. The only time that I've seen Windows XP in the last eight or so years was as a thin client for a Remote Desktop Server, running Server 2008R2 or newer. Hardly a security risk, unless the RDP session becomes compromised.
And this statement comes from the same Government department who can't get Secure Messaging Clients to talk to each other, making us install multiple messaging clients to be functional.
The same government who bought us PKI dongles that only work on outdated systems, now to be replaced with a password accessible PRODA logon, when many will just save the password in their browser.
This same Government Department thinks that Administrative staff do not need access to MyHealth Records, doesn't provide training / test patients, or allow testing from our own software installations. I think these people have it backwards.
I believe that GP Practices want to get IT security right, and the Government is not doing enough.
Workcover in Queensland (and in other states except perhaps SA) rely heavily on fax as the medium of communication. Many of the public hospitals are starting to send reports back to GPs electronically, but most still require a fax for information going to them, even though they use a fax-to-email and email-to-fax service.
Comments are closed.