[LINK] Microsoft slams local data centre edict
Bernard Robertson-Dunn
brd at iimetro.com.au
Fri Nov 25 09:16:46 AEDT 2011
Microsoft slams local data centre edict
by: Karen Dearne
From: The Australian
November 25, 2011 12:00AM
http://www.theaustralian.com.au/australian-it/microsoft-slams-local-data-centre-edict/story-e6frgakx-1226205393994
Microsoft Australia has come out swinging against the Gillard
government's insistence on local data centres for the personally
controlled e-health record system.
"Healthcare information stored in a PCEHR will not necessarily be better
secured and protected simply by virtue of data being held within
Australia’s territorial boundaries, as compared to (offshore) storage
repositories and portals operated under world’s best practice security
and privacy systems," it says in a just revealed submission on the draft
bill.
"By regulating the geography where the data is held rather than the
level of security under which it is held implicitly establishes criteria
for data protection that are not related to principles of technology
security.
"Microsoft submits this is not an optimal approach and could have a
detrimental effect on system security and efficiency."
The software giant warned the local operator and data holding
proscriptions would prevent the use of highly secure data centres
outside Australia, putting the benefits of cloud computing beyond reach.
Microsoft’s data centres employ "proven cryptographic methods to
authenticate users and encrypt data, along with best-in-breed procedures
for the deployment of software and physical security of stored data".
"Arguably, cloud computing vendors offer much greater security of data
and privacy for consumers than that offered by many healthcare
providers, repositories or portal operators within Australia," it says.
Microsoft believes the government should remove the restrictions and
instead require operators to hold PCEHR information in accordance with
Australian laws and global standards.
Acknowledging the political sensitivities of hosting sensitive data
offshore, it argues that "all governments may, under certain
circumstances, be able to lawfully access data held by entities within
their jurisdiction".
"It is Microsoft’s opinion that the possibility of lawful access by a
foreign government to data held in PCEHR records will not be eliminated
by requiring that all data in the PCEHR system be stored in Australia."
Given the small population size, "companies that can provide data
hosting and storage services on the scale needed to deliver genuine cost
efficiencies for the healthcare system" were "highly likely" to be based
outside Australia.
"The government is currently involved in a review of Australian privacy
laws," it says. "We submit there is merit in having privacy issues dealt
with under harmonised and unified privacy legislation, rather than
adopting a piecemeal approach."
Privacy Commissioner Timothy Pilgrim has expressed similar views on the
need for a uniform privacy framework for the PCEHR.
Microsoft’s concerns were aired in one of about 50 submissions on the
exposure draft finally released yesterday as the federal Health Minister
Nicola Roxon introduced her final version of the PCEHR Bill and
consequential amendments legislation to Parliament.
The new laws will underpin the legal and operational arrangements for
the PCEHR, a $500m nationwide e-health record-sharing system that will
be voluntary for all participants.
Ms Roxon has set a July 2012 deadline for the start of the scheme.
"This legislation being introduced is yet another sign that this
government is getting on with the job of rolling out e-health records,"
she told the Lower House.
"The implementation approach is both swift and careful. We are
developing infrastructure in a set period of time, but the rollout will
happen in a staged manner."
Technology security and smartcard specialist Giesecke & Devrient
Australasia also raised concerns with the government’s approach,
particularly in relation to technical standards and the operation of the
Healthcare Identifiers service.
"We reiterate concerns over the level of detail specified in the
Healthcare Identifiers Act (introduced last year and intended to)
preserve the security of data and protect the privacy of consumer
identity and other information," its submission says.
"We strongly support the requirement for all healthcare providers to
authenticate their identities using a public key infrastructure digital
certificate, and to reveal their provider identifier as a consequence of
that authentication.
"But we note with some concern that Standards Australia does not yet
have a delivery date for the specifications for the use of digital
signatures in healthcare messages and electronic documents."
The National e-Health Transition Authority set up a series of tiger
teams to fast-track the standards development process, but only released
a new specifications and standards plan last week. The tiger teams are
supposed to finalise essential specifications by the end of November.
G&D said there needed to be wider industry engagement, "as the disparate
suite of software systems for both product/service descriptors and data
transmissions form a significant risk to a July 2012 rollout".
"Our experience with interoperability issues in other agencies suggests
this task is often understated and underestimated."
G&D asked whether the Health department was "comfortable" with the
progress on standards development.
"Each stakeholder will require some proof of identity to establish their
credential, and subsequent right to access and contribute to, or block,
information in the PCEHR system," it says.
"What are the standards for these qualifications, and have they been
tested?"
G&D notes that strong authentication systems use two or more factors to
verify a user’s identity – something the person knows, like a password
or PIN, and a physical token such as a digital certificate stored on a
smartcard.
"The use of strong authentication systems guarantees that, if one of the
factors is compromised, the user will not be validated," it says.
"(In relation to the PCEHR), will there be different security
requirements depending on the access point? Will there be encryption and
authentication on mobile devices, encrypted emails and a single sign-on
(for core systems)?"
--
Regards
brd
Bernard Robertson-Dunn
Canberra Australia
email: brd at iimetro.com.au
website: www.drbrd.com