Sunday, October 09, 2011

Has Anyone Else Noticed This Wonderful (?Horrifying) Irony? This is Descending Into Farce!

During the last week we have had the Royal Australian College of General Practitioners (RACGP) announce a new series of security standards for GPs.

GPs get prepared for e-health records

The Royal Australian College of General Practitioners has launched revised information security standards and a workbook to ensure GPs are meeting the minimum requirements
The Royal Australian College of General Practitioners (RACGP) has launched revised information security standards and a workbook in order to prepare GPs for the Federal Government’s Personally Controlled Electronic Health Record (PCEHR).
RACGP National Standing Committee e-health chair, Dr John Bennett, told Computerworld Australia the revised standards are more comprehensive than the previous Computer Security Guidelines and have been broken into two components, one for information and the other as the workbook.
“The idea with the workbook is to make it easier for a practice to be able to use the information or recommendations contained in the standards and then to make it aligned to their practice,” Bennett said.
Bennett said it will enable a practice that lacks internal skills or structure to do things such as name a person or persons responsible for the supervision of their information security. It will also allow them to then identify the need to outsource to the right people to do it on their behalf.
“There’s been an increase on the requirements that practices might want to undertake, although it’s fair to say that can be based on their capacity to do so, but for certain things it should be essential,” he said. “GPs should really be running a firewall of some sort in between their system and the outside but it’s amazing how some practices still don’t do that.
“It’s also a response to the federal government’s requirements around the PCEHR; the college knew this was coming and that it will place a greater responsibility upon general practices and get them prepared for the PCEHR.”
He said that GPs will no longer be protecting just their information but also information that could potentially be entered by other parties including the patient.
The revised standards have been in progress for about a year, Bennett said, with the college enlisting the help of Edith Cowan University’s Trish Williams, who specialises in the security of healthcare systems.
More here:
There is another report here:

RACGP launches e-health security guide

Juha Saarinen

Issues IT security standards to general practitioners.

The Royal Australian College of General Practitioners (RACGP) has launched a new IT security standards guide to help its members keep practice and patient information secure.
The 43-page self-assessment guide (pdf) is the third edition of a document that was last published in 2005.
It contains a check list covering ten categories of IT security. These include appointing a computer security coordinator, documenting the role and training the person in question.
Security policies and procedures should be documented, the guide advises.
More here:
Rather surprising is this from the RACGP web-site - until you read the media release.

Computer and information security standards (CISS)

The RACGP Computer and information security standards (CISS) is a guide to gain an understanding of requirements for computer and information security implementation in general practice.
The CISS is a major revision of the Computer security guidelines: a self assessment guide and checklist for general practice (3rd edition) and has been developed with significant input from the general practice profession.
The CISS covers:
  • governance processes
  • risks to information
  • effective planning
  • appropriate security measures.
The accompanying CISS Workbook is a tool to assist general practice in recording essential information needed to put in place effective computer and information security.
The CISS will be available as a PDF version by the end of October 2011. The CISS Workbook will be available as an MS Word manual with templates to use and adapt to your general practice.
---- End Page:
See here:
The media release - but NOT the standards - was released a few days ago:
See here:
So what we have here is a pre-announcement of a document that presumably is already sorted - but for some reason needs to have its release pre-announced. What on earth is going on?
Then from the expert who advised the RACGP on all this we have:

Harbinger of security warns national e-health system

THE vulnerability of Australia’s planned national e-health system to cyber attacks is not being taken seriously enough, according to a WA security academic.
The weakest points of this system are the individual healthcare providers, particularly the small primary care and specialist organisations which make up more than half the connections in the national e-health system.
ECU secau Security Research Centre senior lecturer Trish Williams says the initiative has multiple points of vulnerability that are unlikely to be fully realised until the system goes live.
The $466.7 million plan will digitise and integrate Australia’s patient record databases to allow much greater sharing of patient information, such as allergies, test results and medications, than the current “safe but not particularly useful” paper system.
Dr Williams says the integration of such a big and complex system is far more susceptible to attack than a decentralised paper one because of the communication between diverse healthcare providers, unlike banks where information is securely stored in one domain.
“The integration of individual systems creates greater system susceptibilities,” she says.
“The mixture of private and public health providers and services results in less overall control. The responsibility for security is delegated to individual healthcare provider organisations,” Dr Williams says.
While big healthcare businesses have IT security staff, small providers do not have these resources and may face significant security challenges.
“These include a lack of time, a lack of funding, and a lack of understanding of the potential dangers and appropriate responses to these dangers,” she says.
Dr Williams says attacks on healthcare systems are increasing, pointing to research indicating 83 per cent of small organisations (with fewer than fifty staff) had an average of between 14 and 45 breaches, and this rose to 92 per cent of large organisations in 2009.
More here:
So the expert advisor is saying that the PCEHR system will simply not be secure enough and we won’t know how bad it is until the system goes live!
Guess what? The management of overall system security is a core Governance issue for Government but has been filed in the ‘too-hard basket’ and won’t apparently be legislated before the system goes live.
To Ms Roxon who says we are all worrying unnecessarily can I suggest she listens carefully to her own paid experts.
I look forward to a release of the actual Guidelines! What a fiasco.

1 comment:

Ryan Turan said...

I agree with Trish that small practices are a weak link, however we should not discount the exposure of even the largest hospitals. While larger organisations have their own technical staff, I rarely see examples of Australian healthcare providers proving their continually improving alignment with standards such as ISO27001 along with support from the underlying supporting standards such as COBIT.

I have not yet seen RACGP's new standards, but I am concerned when I see healthcare providers breaking away to do their own thing... usually out of frustration.

I would like to see an approach to this similar to PCI-DSS. Form a global council, and design a standard that suits various scales, from a single practitioner to a global provider. Then, require annual attestation and independent auditing from accredited vendors. PCI-DSS succeeds over just adopting ISO27001 (and by extension HIPAA) because it is practical, based on mitigations to real-world experiences, and has had major involvement from the community. It is practical, due in part to its prioritised list that helps the less mature organisations patch the gaping holes first.

Finally, we need to have evidence of compliance to these standards BEFORE deploying PCEHR.