What does DTA’s new Secure Cloud Strategy mean for healthcare?
The Digital Transformation Agency (DTA), set up to improve people’s experience of government services, has set out new requirements as part of a new Secure Cloud strategy, bringing more change around privacy and security policies for all industries including healthcare.
The new requirements demand Australian software companies to complete a compliance process and accreditation before they’re able to roll out third-party services.
The mandatory policy applies to any third-party that uses cloud services to connect with the Department of Human services (DHS) – this encompasses services such as My Health Record, Medicare, National Disability Insurance Scheme (NDIS), Pharmaceutical Benefits Scheme, and other forms of care.
Macquarie Cloud Services Head of Customer Experience Phil Wallace said the move aims to lift security protecting sensitive health data and payments platforms, which is vital for healthcare as it’s responsible for more mandatory data breach notifications than any other sector.
“Because of the sensitive nature of healthcare data, the DHS has always had to meet heightened security standards. The policy has two mandatory requirements, being DHS certification and that cloud providers must use sovereign Australian onshore solutions,” he said.
“Cloud solutions can be complex and distributed by nature. By helping the industry move to new, more secure onshore secure standards, it removes the threat that one link in the healthcare supply chain could compromise sensitive data and payments for all users.”
Wallace said a secure cloud strategy policy puts in place standard processes for organisations to follow, to enable an industry-wide compliance obligation.
“Health technology is complex; products may be subject to a whole range of standards and protocols, some of which are still being defined. Getting the critical area of data storage security right enables organisations to start concentrating on the protocols in their practice.”
Medical Software Industry Association (MSIA) CEO Emma Hossack agreed with Wallace, adding that privacy of patient information is critical for healthcare providers.
“In the event that providers are using web-based solutions – and this will become increasingly common – then security of transmission and storage of health information is no longer a nice to have; it is essential. There is no privacy without security,” she said.
According to Hossack, associated problems in the healthcare space aren’t to do with software, but rather, how it’s deployed and the security protocols around it.
“It includes allowing multi parties to ‘share’ an individual’s password, which negates the benefit of access logs and weakens security and privacy,” she said.
“This comes down to training; it’s an area which the MSIA will work with the Australian Digital Health Agency on this year to encourage all health organisations to continually train staff on the use of software – both in terms of functionality and security.”
Hossack said this move is just the start of improving privacy and security in healthcare.
She suggested that various divisions of healthcare band together to educate the industry about the changes.
“Change takes time. Education about the importance of security for consumers’ privacy by the government and the whole health industry is the best way to overcome the challenge. Education by colleges and other peak bodies like the Practice Managers Association and nursing bodies responsible for accreditation and standards is also key.”
Greenlight ITC CEO Mike Smith said policy is important, but healthcare providers that aim to achieve them on their own, with limited resources and constant change, will find it challenging.
The managed service provider and cloud support partner to software companies servicing the healthcare sector has worked with medical billing experts and other healthcare software companies on compliance.
“Many healthcare users face challenges just sustaining current operations in the face of aging assets, rising costs, the war for talent and growing complexity. When healthcare providers partner with local experts for compliant solutions, everybody wins,” Smith said.
Smith said there are a number of other initiatives healthcare providers can take. They include:
- Keeping abreast of new legislation or changes
- Actioning on changes as soon as possible to allow as much time as possible for adjustment
- Keeping customers and partners informed of changes throughout
- Identifying efficiencies to offset rising costs
- Incorporating other requirements like monitoring and backup when teaming up with a partner.
“New legislation, constant change and more distributed modes of care are making it harder for practitioners to concentrate on helping people. Organisations should look to offload such compliance and security burdens to specialists, so they can free resources to help more people,” he added.