Letter: Information security a critical requirement in Health Network
- 06 July, 2008 22:00
First, let me confirm that the security and privacy of a person’s information within the Health System is a critical requirement on which the Ministry of Health are not prepared to compromise.
The standards used by the Health network are clear and have been used successfully for a number of years, including the period following the introduction of a network interconnect between HealthLink and Telecom in approximately 2003. The same standards are being used for the new neutral interconnection point provided by Datacom, who was the successful supplier selected by representatives of Telecom, TelstraClear and HealthLink. During May, HealthLink decided not to sign the interconnection agreement due to the security issue alluded to, but not identified in, the article of 30 June.
HealthLink’s Tom Bowden has made it clear in communications to the Ministry that it is the configuration of the LAN’s security in the GPs’ practices and other similar private organisations, not the security of the Health Network itself, that is at issue.
HealthLink has provided some suggested approaches to the Ministry of Health that include such things as requiring these independent commercial organisations to get all changes to their network, including the addition of new servers or devices, approved by an appropriately certified person. I would suggest that this seems somewhat draconian and unnecessary.
However, we do agree with Bowden that revisions to the standards are necessary and HISAC (Health Information Strategy Action Committee) established the Health Information Standards Organisation (HISO) Authentication and Security Expert Advisory Committee (or EAC for short) in September 2007.
This committee has met regularly to propose the new security standards that will update the Health Network Code of Practice. This committee drew representatives from the health sector and suppliers, including Bowden from HealthLink who has regularly attended these meetings.
In mid-June 2008 the EAC requested the Ministry to develop the certification criteria and network security standards as part of the Connected Health programme. The team is now working on this important piece of work.
In the meantime, we remain puzzled about HealthLink’s unwillingness to participate in the neutral interconnect point given their involvement in the existing interconnect, the establishment of this new interconnection and their regular participation in the EAC.
As you are aware, Bowden has sent a fax to all his 3,500 customers including a return letter addressed to me but faxed to HealthLink. Despite repeated requests for Mr Bowden to forward these letters so we can respond directly to them to clarify our position, to date this hasn’t happened.
In closing, I note that HealthLink is very likely to tender for a number of the services that will make up the new Health Network, standards for which are being developed by the Connected Health programme. To be fair to all organisations tendering for this work, releasing commercially sensitive information about our budget positions or timings to one potential participant in the tender process as a result of an Official Information Act request is inappropriate.
deputy director-general, information directorate, Ministry of Health