Beverley Head
Tuesday, 06 December 2011 17:22
The National E-health Transition Authority (Nehta) has released the security and access framework that sets out how health information should be collected, stored and accessed - a critical step in its bid to win consumer support for the personally controlled electronic health records which Australians can sign up for starting mid-2012.
Details of the National eHealth Security and Access Framework (NESAF), which was unveiled today by Nehta, are currently only available to vendors registered with the Nehta website.
The heart of the framework, however, is understood to be descriptions of the standards and protocols organisations should use when writing e-health systems, which have been compiled as a toolkit to help organisations design and develop health-related computer systems.
According to Nehta, NESAF provides conceptual and implementation guidance for managing the control and monitoring of access to personal health information and also provides an audit trail to track how personal health information is collected, transmitted and accessed. The security and privacy of the overall e-health system is expected to play a significant role in influencing whether or not Australians choose to sign up for a Personally Controlled Electronic Health Record (PCEHR).
The NESAF will operate in tandem with the National Authentication Service for Health (NASH), which is currently being constructed by IBM.
IBM won the $23.6 million contract in March to develop an access authentication framework using Public Key Infrastructure (PKI) and secure tokens - probably in the form of smartcards - which will ensure that only legitimate individuals can access information stored in PCEHRs.
The Royal Australian College of General Practitioners has welcomed the introduction of the new security framework, saying that it expects NESAF will 'bring some clarity to this.' Dr John Bennett, the chair of the RACGP national standing committee on e-health, said that although he had not been able to view the framework itself, which is presently on a vendor-only part of Nehta's website, he expected it would bring a bit more certainty for organisations looking to establish systems ready for the PCEHR to be installed.
He said he understood that NESAF had been constructed based on the same international security standards that had also informed the development of the RACGP's own Computer and Information Security Standards and accompanying workbook, which was released in October to help GPs navigate computer security issues.