Patient data is being compromised because there are no minimum standards for IT security products in the health sector, particularly for the use of firewalls.
A survey of Australian GPs has found few know how to correctly configure or even purchase a firewall and as a result patient data could be compromised through the Broadband for Health program.
At a national GP conference this year, Bruce Mills, managing director of IT consultancy firm GP Central, surveyed 110 GPs and found one-third of practices involved in the Broadband for Health program have no firewall in place beyond that provided by the carrier.
Mills said the research indicates that millions of Australian medical records could be exposed online, and hundreds of medical networks may already be infected with viruses, spyware and adware as a result of the Broadband for Health project.
"Doctors are very aware of the confidentiality of patient records as it has been drummed into them even when using paper, but doctors are generally not aware of the ramifications of plugging broadband into their network and what they must do to secure it ... probably the major supplier is providing nothing different in security for small business and home users," Mills said.
"With the Broadband for Health, users are required to complete a 'security guidance review' but unfortunately this only gauges where they are in terms of security ... it does not insist on using a minimum packet inspection firewall - so really the security guidance is just a survey document."
"I think there should be a minimum standard of firewall for GPs to use - it is difficult to dictate which one but as a minimum they (GPs) require a properly configured, packet-inspecting firewall to protect both themselves and the patient data."
Mills said doctors are confused about the connection between the HIC online project and Broadband for Health and have made the assumption that because the data is encrypted for HIC online it is also the case with the Broadband for Health program.
Dr Ron Tomlins, chair of the General Practice Computing Group (GPCG), published the GPCG Computer Security Self-Assessment Guidelines, as well as the GPCG Security Firewall Guidelines.
Tomlins said the whole issue for doctors in the Broadband for Health project is in asking people whose interest is in looking after patients to develop other skills. Tomlins said very few of the managing directors within the top five companies in Australia would manage their own firewalls, leading the GPCG to provide both advice and tutorials for doctors from their Web site (GPCG.org) on how to correctly configure firewalls.
Tomlins said the guidelines have been well received.
"There is a security checklist which was developed around the early part of this year because of the concern many people had that the security of GP databases was not as good as it should be both internally and when connected to the Internet.
"The security checklist was the first list designed and the firewalls guidelines flowed on from that because it was clear that was an issue that needed to be addressed."