Tuesday, July 23, 2013
Another Warning To Take EHealth Security Seriously. The Risks Are Rising With The NEHRS/PCEHR.
This appeared a day or so ago:
HEALTH providers need to instil a culture of security when safeguarding their medical data to avoid becoming the weakest link in the national eHealth system, according to Edith Cowan University (ECU) researchers.
Security experts at ECU’s Security Research Institute say security is not well regarded by medical professionals and is usually an afterthought they are reluctant to invest time and money in.
“Security as part of requirements engineering is now seen as an essential part of systems development in several modern methodologies,” senior lecturer Mike Johnstone says.
“However, medical systems are one domain where security is seen as an impediment to patient care and not as an essential part of a system.”
He says this attitude makes developers less likely to include advanced security protocols into their products.
“Unfortunately, most software is insecure. This is due to the tension between functional requirements [as seen by a customer] and security requirements [which often are not],” Dr Johnstone says.
“Security is often relegated when shipping dates approach because developers know clients see functionality and don’t think about security as much.”
ECU senior lecturer Trish Williams says the weakest point of the upcoming national eHealth system is with the end users such as health practices and hospitals.
She says there is no security culture among medical practitioners which keeps it from becoming an integral part of operations.
“Medical systems appear especially problematic as their primary focus is patient care and security is either assumed or ignored,” she says.
I have to say all this is totally correct. As far as what to do about the issue this is a very good place to start - and it was only updated a few weeks ago.
The second edition of the RACGP Computer and information security standards (CISS) provides general practices with information and recommendations that will raise awareness of contemporary security issues and help protect against potential exposure to loss of sensitive data.
The CISS provides general practice with a framework for evaluating risks, and guidance and solutions to improve competency and capacity in computer and information security. This edition includes additional information to support GPs and their practice teams develop policies that relate to participation with the Personally Controlled Electronic Health Record (PCEHR).
The Computer and information security templates enable general practices to build a comprehensive suite of computer and information security policies and procedures. This document is designed in an interactive PDF format; for practices to download, fill out and save electronically.
This project has been funded by the Australian Government Department of Health and Ageing.
The page with (free) download links is here:
Well worth a look and some consideration.
Posted by Dr David More MB PhD FACHI at Tuesday, July 23, 2013