HealthLink CEO Tom Bowden has written to government chief information officer Laurence Millar seeking a fundamental review by the State Services Commission of current and proposed health sector networking activities.
“For quite some time, the way in which the health sector is networked has been a major bone of contention that doesn’t look like being solved in the foreseeable future,” he writes. “The sector urgently needs a circuit breaker to get things back on track.”
HealthLink is a health systems integrator which provides electronic messaging and security services specifically targeted towards general practices. It runs a virtual private network connecting around 700 organisations.
Bowden says in his letter that health sector automation is being delayed by the distracting influence of unresolved networking issues and that various attempts to influence and control IT strategy are interfering with what should be a relatively logical process.
He identifies two sets of problems: in the short term, he says, there are almost non-existent site accreditation processes to connect to a secure network. Further, there is no register of organisations and individuals with dial-up/remote access, and no plans to implement one. He also claims there is pressure to ignore security risks in order to meet contrived deadlines.
In the medium to long term, he says, there is an inability to understand proposals to put in place a new “connected health” framework.
“No business case has been provided to us, despite repeated requests to see one, nor has any transition plan, despite repeated promises to provide one,” he writes.
Bowden says HealthLink has been told of a $17 million budget approved by Cabinet but that no details have been given.
“We’re still being asked to sell the existing network, despite being shown slides revealing the new one is only six months away. This is yet another bright idea following the failed Next Generation Health Network, which cost nearly $1 million, and the Health Intranet. It is a very confused picture.
“We suspect the needs of public-sector health organisations would be best met via use of the Government Secure Network or by competitive tender involving commercial providers.”
HealthLink provides the largest secure health sector virtual private network in New Zealand. Use of hardware-based VPNs was made mandatory by the Health Information Standards Action Committee (HISAC).
Bowden says HISAC is supposed to look at each application to connect to the network and assess any site-specific security issues. “In practice, HISAC makes no effort to do this, and it is left to VPN providers to make their own risk assessment.
“Even more critical is the looseness with which remote users who connect intermittently to the secure network are managed. We believe this group represents the major vulnerability.
“We have asked HISAC for there to be a register of all parties remotely connected. However, this has been refused.”