E-health security spooks AusCERT

Beverley Head
Wednesday, 02 March 2011 13:26

IT Policy - Government Tech Policy

Leading security group AusCERT has raised concerns about the safety of the Personally Controlled Electronic Health Record (PCEHR) which Australians will be able to sign up for starting next year, and which is the cornerstone of the Government's proposed e-health initiatives.

Speaking at Kickstart 11 this week, Kathryn Kerr, AusCERT's manager for analysis and assessments, said that to date there was not much information available about the operation of the PCEHR but she believed patients would be able to nominate who would have access to that record, providing access to the record for themselves, health professionals, family members or carers.

'What we don't know is, are they accessible by patients anywhere and anytime?' which according to Ms Kerr could pose a real security problem.

AusCERT, which is based at the University of Queensland, was until 2010 Australia's national Computer Emergency Response Team, after which the role was taken over by the Government owned CERT Australia. While no longer the official national CERT, AusCERT's concerns about a fundamental element of the national e-health strategy should prompt serious consideration.

Until a clearer picture emerges about the operation of the PCEHR, the security issues it may pose remain to some extent a matter of conjecture.

The National EHealth Transition Authority - Nehta - which has the lead on the e-health initiatives has a concept of operations document (the ConOps) which is intended to provide an understanding of how the PCEHR will work. According to Nehta; 'Stakeholders had the opportunity to discuss the PCEHR at a number of roundtable forums held in October 2010 preceding the Government's national eHealth conference in November 2010.  These meetings have continued in early 2011.

'Nehta is currently working with the Commonwealth on a package of material based on the Con Ops that can be used in the first round of public consultation on the PCEHR,' according to a Nehta spokeswoman - but to date that ConOps has not been made publicly available.

Even so Nehta is continuing the progress the programme.  For example IBM was this week confirmed as the winner of a $23.6 million contract to design and build the system which will allow Australian health professionals to securely access and exchange electronic health information and provide an audit trail detailing who accessed what and when.