This appeared last week:
ADHA starts turning cyber security strategy into reality
By Richard Chirgwin on Sep 12, 2022 6:29AM
iTnews talks to CISO John Borchi.
The Australian Digital Health Agency (ADHA) marked the start of implementing its latest cyber security strategy with a flurry of requests for information (RFIs) late last month.
ADHA CISO John Borchi told iTnews the work program is the first phase in realising the cyber-security plan published by the agency in March this year [pdf].
Borchi said the strategy responds to changes in the threat landscape in recent years.
One of those changes, he said, was demonstrated in how the Log4j vulnerability unfolded.
At first, the ADHA’s expectations were in line with most people in cyber security – the vulnerability would be patched “pretty quickly”.
That turned out not to be the case: security teams in vendors around the world are still discovering dependencies on unpatched software that exposes their systems to Log4j, and will be doing so for some time.
Borchi told iTnews that requires “ongoing vigilance” on the part of organisations like the ADHA, since they’re often in a better position to monitor the hygiene of small partners like GP clinics.
And that’s another change the ADHA sees in its operating environment in recent years – it’s interacting with many more such small third parties and had to adjust its strategy accordingly.
The strategy also has to comply with top-level government imperatives, most importantly the digital health strategy (for example, with its emphasis on the importance of the MyHealth Record), and the cyber security strategy overseen by the Department of Home Affairs.
Protecting the health data honeypot.
Borchi said the foundations of the security strategy are straightforward: “Protecting the healthcare system from adversaries, and protecting the healthcare data of Australians.
“Healthcare data is considered key for criminals, to break into and utilise. So for us the challenge is making sure the threat is kept at bay, while we improve interconnectivity of the healthcare system, with more data sharing, and better information to improve healthcare and patient experiences,” he said.
The requests the ADHA took to market in August are designed to establish the “people and processes” needed to execute the strategy. They are:
- To establish and manage a coordination cell for initiatives under the strategy;
- The development of a cyber operating model, which will set down the principles behind services and the “roles, responsibilities and overall remit of the cyber security teams”;
- Enterprise project management office (EPMO) framework support;
- Development of a position paper on cyber hubs; and
- Establishment of a security governance forum.
The aim, Borchi said, is to have frameworks and teams in place to ensure that planning the execution of the strategy doesn’t fall victim to meeting the day-to-day demands of cyber security.
This program of work aims to “set up our team and our collaboration within the partners that we have, so that we are responsive and we work to respond to those priorities, and respond to the challenges over the next two to three years,” he said.
More here:
https://www.itnews.com.au/news/adha-starts-turning-cyber-security-strategy-into-reality-585047
Here is a direct link to the strategy document:
Here is the CEO Introduction.
"I am pleased to present the Australian Digital Health Agency’s Cyber Security Strategy 2022 – 25.
The Strategy sets the vision and guiding principles for our cyber security over the next three years. It sets out our approach to and areas for action on cyber security, but will also be regularly reviewed to ensure we proactively adapt to changes in the threat environment and support the secure evolution of digital health.
The Australian Government recognises the importance of cyber security to Australia’s growing digital economy and to the Australian community. Through this Strategy, the Australian Digital Health Agency will build on our strong foundations and elevate our organisational capability to securely deliver better health and wellbeing for all Australians, supported by safe, secure digital systems.
As Australia’s champion for digital healthcare, we are responsible for the development, deployment, and secure operation of critical national healthcare assets, including the personal and sensitive healthcare information of Australians. We take this responsibility seriously.
We are also part of many interconnected IT systems across the health sector and are charged with helping ensure information can be shared quickly and easily across those systems to support best practice healthcare. In doing so we recognise that our work is dynamic, as are the digital and threat environments we work in. The pandemic has reinforced this, underscoring the need to achieve and maintain the future focused cyber capabilities that will enable us to be proactive in how we protect ourselves, each other and the health information of Australians.
This Cyber Security Strategy sets out our coordinated, holistic approach to uplifting capability across the Agency in response to this changing cyber environment. It also provides a clear plan to meaningfully support Australian healthcare providers and health technology partners to protect themselves and the critical health information they too hold.
Cyber security is not a technical niche. Everyone at the Agency and in the healthcare community has a part to play. Our success will be underpinned by our security culture, secure business practices and by our behaviours – at home and at work. It will be defined by our dedication to change and willingness to embrace the challenges ahead. The spirit of innovation and passion to improve the health and wellbeing of Australians animates the Australian Digital Health Agency.
Our cyber security must also embody this spirit so that together we can set a new standard for secure innovation, continuous improvement and digital health reform in Australia.
Amanda Cattermole, PSM
CEO"
This seems to be the guts of the plan and what they actually plan to do... (p 13 of 22)
Regulatory and Legislative Changes
The Australian regulatory landscape is also continuing to evolve in response to trends in the cyber threat environment. Changes to legislation will further shape the role the Agency plays in securing Australia’s digital health ecosystem.
- The Agency continues to monitor and support the ongoing review of the Privacy Act 1988 (Cth). This includes the introduction of the Online Privacy Bill to encourage harmonisation and interoperability of privacy and security obligations between My Health Records Act 2012 (Cth) and the Privacy Act 1988 (Cth). This will ensure that all digital innovation is equipped with strong security, privacy, and clinical safeguards.
- The strengthened security and privacy protections introduced by the Trusted Digital Identity Bill will enable secure and streamlined access to both public and private sector services forming part of the digital health ecosystem.
- The Agency has prioritised recommendations outlined in the My Health Records Act Review, including increased monitoring of healthcare and service providers’ compliance with legislative requirements to effectively manage shared cyber security risks.
- The Agency will support the recent and anticipated amendments to the Security of Critical Infrastructure Act 2018 (Cth) and the Ransomware Payments Bill 2021 (Cth) with a program of awareness and education initiatives to ensure that critical infrastructure assets and critical infrastructure sector assets within the digital healthcare ecosystem are aware of their cyber reporting and management obligations and receive the appropriate level of cyber security support from the Agency. As an organisation operating in a critical infrastructure sector, the Agency is equally focused on strong internal and external cyber security risk management.
- The Australian Government is seeking to strengthen and coordinate the management and operation of its IT networks through the establishment of Cyber Hubs. This centralisation aims to consolidate cyber security services across Australian Government Agencies.
So we have a 22-page Strategy with 3+ pages essentially blank and the rest in huge type, where the main activities are monitoring what others are doing, and essentially no externally focussed activity to assist the other actors in the Digital Health Space to do much better. This applies especially to all the end points which access the #myHR.
I really can’t see much in the way of real activity and progress and I am pretty sure this is another piece of ADHA Shelfware!
The CEO Introduction to the Strategy is really a very rich example of ‘bureaucratic waffle’ that really goes nowhere and really might have been written by some automated sentence generator. Can anyone see any concrete outcomes flowing from this?
As I have read this the question that I struggle to answer is “Just who would notice or care and what difference would it make if it did not exist”?
Indeed with this sort of output can the same question be asked of the ADHA itself?
What do you think?
David.
Reads like most organisational cyber Security strategies and plans. Digital health it seems only exists in the MHR system. Better to leave this sort of thing to the Australian Cyber Security Centre.
What a load of empty rhetoric and vacuous management speak.
The four focus areas
1. Structure and governance
2. Security Culture
3. Workforce Investment
4. Capability and Proportionality
won't actually achieve much in the way of cyber security.
The Next Steps section is empty of anything approaching a plan. There's not a single measurement or goal that can be evaluated. A strategy without a plan isn't a strategy, at best it's a wish-list.
CyberCX (the consultants who probably wrote most of the document - ADHA obviously doesn't have the expertise to decide its own security strategy) must have had a wonderful time trying to get ADHA to make the strategy meaningful. Sadly, they appear to have failed.