Healthdirect Australia Applies User-Centric Approaches to Identity and Access

Bruce Hafaele is the Chief Architect at Healthdirect Australia where he is responsible for technology strategy, architecture, software delivery and operations.

As consumers, we are all too aware of how fragmented the healthcare industry is, with multiple views of consumer/patient data held in multiple settings, each with its own approach to identity and access. For most consumers, health information — like other personal information — is increasingly private, and the new Privacy Act increases the responsibility of information providers.

At the recent Gartner Security and Risk Management Summit, Hafaele told the audience identity and access can no longer be a one-size-fits-all approach. We need to create a user-centric consumer experience while maintaining sufficient security. He described Healthdirect's approach to federating identity, maintaining privacy and securing private information.

Historically, Healthdirect was a provider of outsourced services - mainly telephony - for a number of different state and federal agencies. But, as the digital economy has grown, Healthdirect realised that in order to stay relevant they would need to change their focus away from mainly telephony.

Healthdirect see themselves as content aggregators who collect information from many sources and make it more accessible. They also run a national health services directory with a mission to create a single source for all medical practitioners and services across the entire country.

One of the challenges Hafaele described was the need to comply with "onerous" security and privacy obligations, such as the federal government's Information Security Manual (ISM), while maintaining agility in a constantly changing technical environment.

On the technical side, Hafaele noted that information in government tends to be structured not around the user but around the departments that collect and use the data. As a result, users who interact with multiple departments have their data split across different silos. "Healthdirect decided early on to put the user at the centre of our design," said Hafaele.

"User-centred design is a philosophy where end-user needs are the centre of focus at all stages," he said.

This meant user identity was a central pillar of what Hafaele and his team needed to bring together. One part of this was giving customers choice as to what credentials they could use. For example, in some circumstances, it might be possible for consumers to use Facebook as a credential. Or, as mobile phones are registered in Australia, those devices might be usable, in some situations, as an authentication or access management tool.


"Users want to be in control of their information. They want to determine what I can do with it and when I can have it and who I should be disclosing it to," said Hafaele.

Another challenge faced by Healthdirect was that many users already have multiple identifiers in government systems. Rather than assign yet another username to its customers, Healthdirect is able to use existing identifiers to build its user-centric view of the world.

"For example, in Queensland Health, in every single clinical information system, that patient gets a new identifier. So they have problems such as knowing how do I know that this is the same patient and how am I able to tell how they're moving through my healthcare system," he said.

Hafaele noted that the ability to de-identify data, to collect only the minimum data required to provide services to clients, and to give users control over their data and credentials were of critical importance.

One of the key shifts Hafaele has seen is a move from "command and control" to "govern and monitor". The systems Hafaele and his team have built are only as effective as the governance arrangements that sit around them.

"There's no use centralising identity and collecting consent unless the systems are applying and abiding with the rules that you've set. Those governance arrangements need to be able to bubble all that information up and do audits on behalf of the different services to make sure that the design is actually compliant with the policy," Hafaele added.

One of the pieces of advice offered by Hafaele was to get on the front foot when it comes to user-centric approaches to identity and access control.

"Gone are the days when we can say we can build and they will come. We have to build it so they will come," he said. Security that puts users at its core is no longer an after-market extra but a key selling point that attracts new customers.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Anthony Caruana