SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
Information security is a necessary requirement of information sharing in the healthcare environment. Research shows that the application of security in this setting is sometimes subject to work-arounds where healthcare practitioners feel forced to incorporate practices that they have not had an input into and with which they have not engaged with. This can result in a sense of security practitioners and healthcare practitioners being culturally very different in their approach to information systems. As a result such practices do not constitute part of their community of practice nor their identity. In order to respond to this, systems designers typically deploy user-centred, participatory approaches to design using various forms of consultation and engagement in order to ensure that the needs of users are responded to within the design. Learning from international implementations of e-health, the development of the Australian electronic health records (EHR) system has been a participatory process. However, the more participatory approach has not been used as part of the technical security design of the e-health system and the functionality of the security governance architecture was not included in the process of consultation. Such exclusions result in a design-reality gap in so far as the healthcare systems as envisioned by designers are not easily related to by “front-line” clinical staff. Despite repeated design-reality issues in healthcare systems design, there is no fundamental change in the development paradigm to address the socio-technical security aspects of such systems. Indeed, the security perspective of system designers seems to originate from a very different perspective to that of front-line clinical staff. This discussion paper characterises the problem, uses examples from both the UK and Australian EHR experience, and proposes an alternative start-point to healthcare systems design.