[LINK] Microsoft slams local data centre edict
brd at iimetro.com.au
Fri Nov 25 09:16:46 AEDT 2011
Microsoft slams local data centre edict
by: Karen Dearne
From: The Australian
November 25, 2011 12:00AM
Microsoft Australia has come out swinging against the Gillard
government's insistence on local data centres for the personally
controlled e-health record system.
"Healthcare information stored in a PCEHR will not necessarily be better
secured and protected simply by virtue of data being held within
Australia’s territorial boundaries, as compared to (offshore) storage
repositories and portals operated under world’s best practice security
and privacy systems," it says in a just revealed submission on the draft
"By regulating the geography where the data is held rather than the
level of security under which it is held implicitly establishes criteria
for data protection that are not related to principles of technology
"Microsoft submits this is not an optimal approach and could have a
detrimental effect on system security and efficiency."
The software giant warned the local operator and data holding
proscriptions would prevent the use of highly secure data centres
outside Australia, putting the benefits of cloud computing beyond reach.
Microsoft’s data centres employ "proven cryptographic methods to
authenticate users and encrypt data, along with best-in-breed procedures
for the deployment of software and physical security of stored data".
"Arguably, cloud computing vendors offer much greater security of data
and privacy for consumers than that offered by many healthcare
providers, repositories or portal operators within Australia," it says.
Microsoft believes the government should remove the restrictions and
instead require operators to hold PCEHR information in accordance with
Australian laws and global standards.
Acknowledging the political sensitivities of hosting sensitive data
offshore, it argues that "all governments may, under certain
circumstances, be able to lawfully access data held by entities within
"It is Microsoft’s opinion that the possibility of lawful access by a
foreign government to data held in PCEHR records will not be eliminated
by requiring that all data in the PCEHR system be stored in Australia."
Given the small population size, "companies that can provide data
hosting and storage services on the scale needed to deliver genuine cost
efficiencies for the healthcare system" were "highly likely" to be based
"The government is currently involved in a review of Australian privacy
laws," it says. "We submit there is merit in having privacy issues dealt
with under harmonised and unified privacy legislation, rather than
adopting a piecemeal approach."
Privacy Commissioner Timothy Pilgrim has expressed similar views on the
need for a uniform privacy framework for the PCEHR.
Microsoft’s concerns were aired in one of about 50 submissions on the
exposure draft finally released yesterday as the federal Health Minister
Nicola Roxon introduced her final version of the PCEHR Bill and
consequential amendments legislation to Parliament.
The new laws will underpin the legal and operational arrangements for
the PCEHR, a $500m nationwide e-health record-sharing system that will
be voluntary for all participants.
Ms Roxon has set a July 2012 deadline for the start of the scheme.
"This legislation being introduced is yet another sign that this
government is getting on with the job of rolling out e-health records,"
she told the Lower House.
"The implementation approach is both swift and careful. We are
developing infrastructure in a set period of time, but the rollout will
happen in a staged manner."
Technology security and smartcard specialist Giesecke & Devrient
Australasia also raised concerns with the government’s approach,
particularly in relation to technical standards and the operation of the
Healthcare Identifiers service.
"We reiterate concerns over the level of detail specified in the
Healthcare Identifiers Act (introduced last year and intended to)
preserve the security of data and protect the privacy of consumer
identity and other information," its submission says.
"We strongly support the requirement for all healthcare providers to
authenticate their identities using a public key infrastructure digital
certificate, and to reveal their provider identifier as a consequence of
"But we note with some concern that Standards Australia does not yet
have a delivery date for the specifications for the use of digital
signatures in healthcare messages and electronic documents."
The National e-Health Transition Authority set up a series of tiger
teams to fast-track the standards development process, but only released
a new specifications and standards plan last week. The tiger teams are
supposed to finalise essential specifications by the end of November.
G&D said there needed to be wider industry engagement, "as the disparate
suite of software systems for both product/service descriptors and data
transmissions form a significant risk to a July 2012 rollout".
"Our experience with interoperability issues in other agencies suggests
this task is often understated and underestimated."
G&D asked whether the Health department was "comfortable" with the
progress on standards development.
"Each stakeholder will require some proof of identity to establish their
credential, and subsequent right to access and contribute to, or block,
information in the PCEHR system," it says.
"What are the standards for these qualifications, and have they been
G&D notes that strong authentication systems use two or more factors to
verify a user’s identity – something the person knows, like a password
or PIN, and a physical token such as a digital certificate stored on a
"The use of strong authentication systems guarantees that, if one of the
factors is compromised, the user will not be validated," it says.
"(In relation to the PCEHR), will there be different security
requirements depending on the access point? Will there be encryption and
authentication on mobile devices, encrypted emails and a single sign-on
(for core systems)?"
email: brd at iimetro.com.au
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2012.0.1873 / Virus Database: 2101/4636 - Release Date: 11/24/11
More information about the Link