Help or Hindrance: the Practicality of Applying Security Standards in Healthcare

The protection of patient information is now more important as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this. This is an onerous and impractical task without significant assistance. In the development of the new Computer and Information Security Standards (CISS) for Australian General Practice, a consistent and iterative process for the interpretation and application of international standards was used. This involved both the interpretation of the standards and the application of knowledge to create a practical but acceptable level of security for the primary healthcare environment. From a security perspective such practical application of standards poses the dichotomous challenge (and criticism) of how much security is sufficient versus how much can the primary healthcare environment manage. This paper describes the path of development from standards to implementation using the CISS as an example. It is concluded that more practical assistance is required by the security profession to support the national e-health initiative if Australia is to provide a safe and secure healthcare environment.