21 research outputs found

    Why Australia's e-health system will be a vulnerable national asset

    Connecting Australian health services and the e-health initiative is a major talking point currently. Many issues are presented as key to its success including solving issues with confidentiality and privacy. However the largest problem may not be these issues in sharing information but the fact that the point of origin and storage of such records is still relatively insecure. Australia aims to have a Personally Controlled Electronic Health Record in 2012 and this is underpinned by a national network for e-health. It is this very foundation that becomes the critical infrastructure, with general practice the cornerstone for its success. Yet, research into the security of medical information has shown that many general practices are unable to create an environment with effective information security. This paper puts together the connections of e-health and the complex environment in which it is positioned. A discussion of how this critical infrastructure is assembled is presented, and the key vulnerabilities are identified. Further, it addresses how security may be approached to cater for this diverse and complex environment. From a national security and critical infrastructure perspective, as medical records are part of society’s critical infrastructure, the most effective system attacks are those on the points of highest vulnerability. In our current health system infrastructure those points are the data collection and records retention areas of individual medical providers. Progress towards changing this situation is key to its success

    Help or hindrance The practicality of applying security standards in healthcare

    The protection of patient information is now more important as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance of information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this? This is an onerous and impractical task without significant assistance. In the development of the new Computer and Information Security Standards (CISS) for Australian General Practice, a consistent and iterative process for the interpretation and application of international standards was used. This involved both the interpretation of the standards and the application of knowledge to create a practical but acceptable level of security for the primary healthcare environment. From a security perspective such practical application of standards poses the dichotomous challenge (and criticism) of how much security is sufficient versus how much can the primary healthcare environment manage. This paper describes the path of development from standards to implementation using the CISS as an example. It is concluded that more practical assistance is required by the security profession to support the national e-health initiative if Australia is to provide a safe and secure healthcare environment.

    Is Cyber Resilience in Medical Practice Security Achievable?

    Australia is moving to a national e-health system with a high level of interconnectedness. The scenario for recovery of such a system, particularly once it is heavily relied upon, may be complex. Primary care medical practices are a fundamental part of the new e-health environment yet function as separate business entities within Australia’s healthcare system. Individually this means that recovery would be reliant on the self-sufficiency of each medical practice. However, the ability of these practices to individually and collectively recover is questionable. The current status of information security in primary care medical practices is compared to the needs of information security in a broader national e-health system. The potential issues that hamper recovery of a national system are the poor understanding of security at the end-user level currently, and the lack of central control. This means that in this environment where independence is promoted, the major concern is national coordination of recovery from a major incident. The resilience of a medical practice to cope with a cyber-security incident is important. Resuming normal activity within an acceptable time frame may be vital after a major attack on Australia’s infrastructure

    Cloud security: A case study in telemedicine

    Security as part of requirements engineering is now seen as an essential part of systems development in several modern methodologies. Unfortunately, medical systems are one domain where security is seen as an impediment to patient care and not as an essential part of a system. Cloud computing may offer a seamless way to allow medical data to be transferred from patient to medical practitioners, whilst maintaining security requirements. This paper uses a case study to investigate the use of cloud computing in a mobile application for Parkinson Disease. It was found that functionality took precedence over security requirements and standards

    A conceptual framework for secure mobile health

    Mobile health is characterised by its diversity of applicability, in a multifaceted and multidisciplinary healthcare delivery continuum. In an environment of rapid change with the increasing development of mobile health, issues related to security and privacy must be well thought out. The different competing tensions in the development of mobile health from the device technologies and associated regulation, to clinical workflow and patient acceptance, require a framework for security that reflects the complex structure of this emerging field. There are three distinct associated elements that require investigation: technology, clinical, and human factors. Each of these elements consists of multiple aspects and there are specific risk factors to be addressed successively and co-dependently in each case. The fundamental approach to defining a conceptual framework for secure use of mobile health requires systematic identification of properties for the tensions and critical factors which impact these elements. The resulting conceptual framework presented here can be used for new critique, augmentation or deployment of mobile health solutions from the perspective of data protection and security

    Cloud Security meets Telemedicine

    Medical systems are potentially one domain where security is seen as an impediment to patient care and not as an essential part of a system. This is an issue for safety-critical systems where reliability and trust are essential for successful operation. Cloud computing services offer a seamless means to allow medical data to be transferred from patient to medical specialist, whilst maintaining security requirements. This paper uses a case study to investigate the use of cloud computing in a mobile application to assist with diagnostics for patients with Parkinson Disease. It was found that the developers of the app ignored security requirements and standards, preferring to focus on functionality

    A conceptual framework for secure use of mobile health

    Mobile health is characterised by its diversity of applicability, in a multifaceted and multidisciplinary healthcare delivery continuum. In an environment of rapid change with the increasing development of mobile health, issues related to security and privacy must be well thought out. The different competing tensions in the development of mobile health from the device technologies and associated regulation, to clinical workflow and patient acceptance, require a framework for security that reflects the complex structure of this emerging field. There are three distinct associated elements that require investigation: technology, clinical, and human factors. Each of these elements consists of multiple aspects and there are specific risk factors to be addressed successively and co-dependently in each case. The fundamental approach to defining a conceptual framework for secure use of mobile health requires systematic identification of properties for the tensions and critical factors which impact these elements. The resulting conceptual framework presented here can be used for new critique, augmentation or deployment of mobile health solutions from the perspective of data protection and security

    What does security culture look like for small organizations?

    The human component is a significant factor in information security, with a large number of breaches occurring due to unintentional user error. Technical solutions can only protect information so far and thus the human aspect of security has become a major focus for discussion. Therefore, it is important for organisations to create a security conscious culture. However, currently there is no established representation of security culture from which to assess how it can be manoeuvred to improve the overall information security of an organization. This is of particular importance for small organizations who lack the resources in information security and for whom the culture of the organization exerts a strong influence. A review of multiple definitions and descriptions of security culture was made to assess and analyse the drivers and influences that exist for security culture in small organizations. An initial representation of the factors that should drive security culture, together with those that should only influence it, was constructed. At a fundamental level these drivers are related to a formulated response to security issues rather than a reaction to it, and should reflect the responsibility allocated in a secure environment. In contrast, the influences on security culture can be grouped by communities of practice, individual awareness and organizational management. The encapsulation of potential driving and influencing factors couched in information security terms rather than behavioural science terms, will allow security researchers to investigate how a security culture can be fostered to improve information security in small organizations.