Australian primary health care check: Who is accountable for information security?
secau Security Research Centre, Edith Cowan University, Perth, Western Australia
Faculty of Computing, Health and Science
School of Computer and Security Science / eHealth
Primary healthcare in Australia is vulnerable to a multitude of information security threats and insecure practices. This situation is increasingly important in the developing e-health environment. Information security is everyone‘s responsibility and it is extensively documented in international standards and best practice frameworks, that this responsibility should be part of formal job descriptions. This necessitates incorporation of security at a functional level for all staff. These responsibilities are integral to demonstrable accountability, together with an authority to take action. Indeed, whilst senior management will ultimately be held accountable, staff need to be aware of the potential issues, given the responsibility to be vigilant, and the authority to act when information security issues arise. This is pertinent within Australian primary healthcare where the accountability for information security is most often devolved to the role of the practice manager. This paper analyses information security accountability from an operational and strategic security capability viewpoint in terms of responsibility and authority. Further, it discusses this in regard to the associated information security governance perspective. In the trustful primary healthcare environment, the accountability for information security resides with operational level staff who have many competing aspects to their role. The paper suggests how to manage this layer of security without burdening the already busy practice manager.