September 28, 2022
The Australian Digital Health Agency (ADHA) marked the start of implementing its latest cyber security strategy with a flurry of requests for information (RFIs) late last month.

ADHA CISO John Borchi told iTnews the work program is the first phase in realising the cyber-security plan published by the agency in March this year [pdf]. 

Borchi said the strategy responds to changes in the threat landscape in recent years.

One of those changes, he said, was demonstrated in how the Log4j vulnerability unfolded.

At first, the ADHA’s expectations were in line with those of most people in cyber security – the vulnerability would be patched “pretty quickly”.

That turned out not to be the case: security teams in vendors around the world are still discovering dependencies on unpatched software that exposes their systems to Log4j, and will be doing so for some time. 

Borchi told iTnews that requires “ongoing vigilance” on the part of organisations like the ADHA, since they’re often in a better position to monitor the hygiene of small partners like GP clinics.

And that’s another change the ADHA sees in its operating environment in recent years – it’s interacting with many more such small third parties and has had to adjust its strategy accordingly.

The strategy also has to comply with top-level government imperatives, most importantly the digital health strategy (for example, with its emphasis on the importance of the MyHealth Record), and the cyber security strategy overseen by the Department of Home Affairs.

Protecting the health data honeypot.

Borchi said the foundations of the security strategy are straightforward: “Protecting the healthcare system from adversaries, and protecting the healthcare data of Australians.

“Healthcare data is considered key for criminals, to break into and utilise. So for us the challenge is making sure the threat is kept at bay, while we improve interconnectivity of the healthcare system, with more data sharing, and better information to improve healthcare and patient experiences,” he said.

The requests the ADHA took to market in August are designed to establish the “people and processes” needed to execute the strategy. They are:

The aim, Borchi said, is to have frameworks and teams in place to ensure that planning the execution of the strategy doesn’t fall victim to meeting the day-to-day demands of cyber security.

This program of work aims to “set up our team and our collaboration within the partners that we have, so that we are responsive and we work to respond to those priorities, and respond to the challenges over the next two to three years,” he said.

“Business-as-usual areas have other priorities that overtake their ability to deliver” when new strategies or projects are on the table, whereas the coordination cell will have a specific brief to “oversee the implementation of the agency’s cyber security uplift activities”.

The operating model, on the other hand, will help define the agency’s interactions with external providers.

The ADHA’s main external partner has long been Accenture, since for many years that contractor has been operating MyHealth Record.

“As we’ve migrated MyHealth Record into a new hosting environment, we have formed relationships with Deloitte and other partners as well,” Borchi explained.

While its strategic direction has necessitated a boost to personnel, Borchi said so far the difference has been manageable, in the 10 to 15 percent range.

With these activities in place, Borchi said, the next program of work will set implementations in motion.

In the future, he told iTnews, “there will be a lot more go-to-market activities, and they will be specific for areas that we need support with.”
