Bruce Hafaele is the Chief Architect at Healthdirect Australia where he is responsible for technology strategy, architecture, software delivery and operations.
As consumers, we are all too aware of how fragmented the healthcare industry is, with multiple views of consumer/patient data held in multiple settings, each with its own approach to identity and access. For most consumers, health information — as well as other personal information — is increasingly private, and the new Privacy Act increases the responsibility of information providers.
At the recent Gartner Security and Risk Management Summit, Hafaele told the audience identity and access can no longer be a one-size-fits-all approach. We need to create a user-centric consumer experience while maintaining sufficient security. He described Healthdirect's approach to federating identity, maintaining privacy and securing private information.
Historically, Healthdirect was a provider of outsourced services - mainly telephony - for a number of different state and federal agencies. But, as the digital economy has grown, Healthdirect realised that in order to stay relevant they would need to change their focus away from mainly telephony.
Healthdirect see themselves as content aggregators who collect information from many sources and make it more accessible. They also run a national health services directory with a mission to create a single source for all medical practitioners and services across the entire country.
One of the challenges Hafaele described was the need to comply with "onerous" security and privacy obligations such as the federal government's ISM while maintaining agility in a constantly changing technical environment.
On the technical side, Hafaele noted that the way information is structured in government tends to be focussed not on the user but on the departments that collect and use the data. As a result, users who interact with multiple departments have their data split across different silos. "Healthdirect decided early on to put the user at the centre of our design," said Hafaele.
"User-centred design is a philosophy where end-user needs are the centre of focus at all stages," he said.
This meant user identity was a central pillar of what Hafaele and his team needed to bring together. One part of this was giving customers choice as to what credentials they could use. For example, in some circumstances, it might be possible for consumers to use Facebook as a credential. Or, as mobile phones are registered in Australia, those devices might be usable, in some situations, as an authentication or access management tool.
"Users want to be in control of their information. They want to determine what I can do with it and when I can have it and who I should be disclosing it to," said Hafaele.
Another challenge faced by Healthdirect was that many users already have multiple identifiers in government systems. Rather than assign yet another username to its customers, Healthdirect is able to use existing identifiers to build its user-centric view of the world.
"For example, in Queensland Health, in every single clinical information system, that patient gets a new identifier. So they have problems such as knowing how do I know that this is the same patient and how am I able to tell how they're moving through my healthcare system," he said.
Hafaele noted that the ability to de-identify data, to collect only the minimum data required to provide services to clients, and to give users control over their data and credentials was of critical importance.
One of the key shifts Hafaele has seen is a move from "command and control" to "govern and monitor". The systems Hafaele and his team have put in place are only as effective as the governance arrangements that surround them.
"There's no use centralising identity and collecting consent unless the systems are applying and abiding by the rules that you've set. Those governance arrangements need to be able to bubble all that information up and do audits on behalf of the different services to make sure that the design is actually compliant with the policy," Hafaele added.
One of the pieces of advice offered by Hafaele was to get on the front foot when it comes to user-centric approaches to identity and access control.
"Gone are the days when we can say we can build and they will come. We have to build it so they will come," he said. Security that puts users at its core is no longer an after-market extra but a key selling point that attracts new customers.
This article is brought to you by Enex TestLab, content directors for CSO Australia.