[ISN] Temperatures run high in IT health security debate

InfoSec News isn at c4i.org
Sat Sep 10 00:07:12 EDT 2005


Michael Crawford

The author of a study into firewalls prepared for general
practitioners under the Broadband for Health program claims it has
been dumbed down so much by federal health bureaucrats, the document
is now virtually useless as an IT security guide.

The author Dr Horst Herb, director of the Dorrigo Medical Centre in
NSW, is demanding his name be stripped from the final report.

Once a systems auditor, penetration tester and mainframe security
analyst for Siemens, Dr Herb spent the last five months advising the
government on minimum firewall standards for GPs.

Horst said he believes the government is not serious about IT security
when it comes to e-health.

Although Herb's work has been published as part of the GPCG (General
Practice Computing Group) Security Firewall Guidelines, he said many
core technical aspects and product-specific analysis had been stripped
out of the recommendations.

As a result, he said, the document prepared as an IT security guide
for GPs has reached the point of irrelevance.

A Department of Health and Ageing spokesperson, asked to respond to Dr
Herb's allegations, said the submitted report was "overly-technical"  
and had to be "simplified extensively" so that could GPs understand

"The original document was very technical," Herb said. "But that was
the whole point, to raise interest and technical understanding of what
is involved for GPs. Even if the doctors were to commission out
implementing firewalls they would still need to emulate skills of the
person that set it up, because generally, there is no formal
qualification for implementing firewalls or formal liabilities for
firewalls," Herb said.

Herb also warned many IT security products are not strong enough to
protect highly sensitive, personal information.

"The main problem I had was with personal firewalls, which is just
software on a computer which is, in my opinion pointless in a surgery
scenario because they have too many vulnerabilities - all it takes is
downloading software to disable it. GPs need a dedicated firewall
where no user can dabble with it," he said.

"Surgeries should not rely on basic or personal firewalls. This
[detail] was edited out of the original report, mainly so
[telecommunications vendors] can just push a default firewall setting
as acceptable - it is just pure nonsense."

Herb said while the strong security message was being lost on GPs as a
result, though he is glad some security information has been released.  
However, Herb is insisting his name be stripped from the report,
because he does not want to be held liable for anyone considering a
personal firewall as a viable IT security solution for doctors.

Since the report was published, the federal government has axed
funding for GPCG, which provided IT support and advice for doctors and
clinicians. It ran for eight years under an annual, million-dollar
government grant.

The Department of Health and Ageing spokesperson said all doctors
involved with the now defunct General Practice Computing Group
considered the original document to be far too complicated. However,
when it was "simplified extensively", they gave it their full

The department claims the document has since been well received by
doctors, despite the GPCG being disbanded.

More information about the ISN mailing list