Raising the security bar

The Department of Human Services (DHS) has stipulated more stringent requirements licensed software developers working on e-health cloud security. Here’s what healthcare providers need to know.  

Privacy is a cornerstone of the healthcare sector, and one that is increasingly under threat. While patient information itself is innately sensitive, the larger issue in the world of cybercrime is the high value that data commands.

Why the health sector is vulnerable

In Australia, the health sector consistently encounters more data breaches than any other industry, according to the Office of the Australian Information Commissioner (OAIC) — most of which are malicious or criminal attacks, followed by human and system error. OAIC is responsible for the Notifiable Data Breaches scheme that currently requires agencies and organisations regulated under the Privacy Act 1989 to report data breaches to both OAIC and the affected individuals.

The only way to guarantee patient privacy is to provide adequate levels of security. In most industries the aim in securing information is to keep it hidden and unreachable, but in the healthcare sector patient information must be accessible to multiple parties; medical practitioners, specialists, hospitals, Medicare and private health funds. Security in this instance means creating an environment that permits access without unduly creating points of vulnerability throughout the chain.

For companies and healthcare services engaging with the Department of Human Services (DHS) and participating in the e-health program, the bar for cloud security has recently been raised.

As healthcare software developers increasingly use cloud services to support digital transactions, the DHS has developed four elevated security requirements designed to safeguard the public and private health system (deemed National Critical Infrastructure) while maintaining the integrity and security of sensitive information.

What to ask your software providers to safeguard your patients’ data

The DHS-issued guidelines for licensed software developers in health care cover the protection of data from unauthorised access by cloud providers’ customers and employees, as well as the handling of security incidents. There are four new DHS security requirements, two of which are mandatory while the other two are regarded as ‘highly desirable’. As a healthcare provider, you don’t need to be up to speed on the specifics of the DHS security requirements, but for your software providers it’s an absolute must.

If you use software within your organisation to connect to DHS and deliver services such as Medicare, PBS, DVA, NDIS, My Heath Record, Aged Care and Childcare, here are the topics you need to discuss with your provider.

1. Ask if they utilise cloud services or store any patient data in the cloud.
2. If the answer is ‘yes’, has their cloud services provider been certified by the Australian Signals Directorate (ASD)?
3. If the answer is ‘no’, ask them if they intend to switch to a certified cloud services provider before the DHS deadline. It may seem like a long way off but the transition to a new cloud services provider is lengthy and can be complex. Most software companies should be actioning — or at least planning — their cloud migration strategy now. DHS will not integrate with software products that are hosted in non-certified cloud hosting environments.
4. It is mandatory to ensure all data is hosted and backed up within Australian jurisdiction. Ask your software provider if their cloud services provider can guarantee that all customer data is located and backed up in Australia. Again, future DHS integration will not be possible without meeting this condition.
5. Ask if your data is housed in a publicly accessible cloud. DHS preference is that all infrastructure and equipment to be utilised by services integrating with the Australian Government is physically separated, publicly unavailable and therefore more secure.
6. Lastly, ask if they can guarantee that their cloud services provider utilises engineers and technical staff that maintain DHS’s defined high security clearances.

There is no privacy without security

Of course every patient has the right to privacy, but there is no privacy without security, and it is the responsibility of all healthcare providers, suppliers and their partners to ensure that patient data is protected.

As OAIC data illustrates, the healthcare industry regularly falls short of its obligations and we must work together to do better. Responsibility is sector-wide, but the new DHS guidelines will prove to be a turning point.

The DHS suggests that some software companies may elect not to comply with its elevated security requirements and cease to operate once the deadline arrives. If your provider intends to take this path, you need to know now, allowing yourself enough time to identify a suitable alternate software partner and ensure a smooth transition.

*Phil Wallace, Head of Customer Experience with Macquarie Cloud Services, is a nationally recognised expert on secure cloud design.

Top image credit: ©stock.adobe.com/au/lucadp