Title

Australian primary health care check: Who is accountable for information security?

Document Type

Conference Proceeding

Publisher

secau Security Research Centre, Edith Cowan University, Perth, Western Australia

Faculty

Faculty of Computing, Health and Science

School

School of Computer and Security Science / eHealth

RAS ID

13081

Comments

This article was originally published as: Mahncke, R. J., & Williams, P.A.H. (2011). Australian primary health care check: Who is accountable for information security? Paper presented at the 9th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia. Original article available here.

Abstract

Primary healthcare in Australia is vulnerable to a multitude of information security threats and insecure practices. This situation is increasingly important in the developing e-health environment. Information security is everyone's responsibility, and it is extensively documented in international standards and best practice frameworks that this responsibility should be part of formal job descriptions. This necessitates incorporation of security at a functional level for all staff. These responsibilities are integral to demonstrable accountability, together with an authority to take action. Indeed, whilst senior management will ultimately be held accountable, staff need to be aware of the potential issues, given the responsibility to be vigilant, and the authority to act when information security issues arise. This is pertinent within Australian primary healthcare where the accountability for information security is most often devolved to the role of the practice manager. This paper analyses information security accountability from an operational and strategic security capability viewpoint in terms of responsibility and authority. Further, it discusses this in regard to the associated information security governance perspective. In the trustful primary healthcare environment, the accountability for information security resides with operational level staff who have many competing aspects to their role. The paper suggests how to manage this layer of security without burdening the already busy practice manager.

DOI

10.4225/75/57b5457ccd8c4

Access Rights

free_to_read

 
