http://www.computerworld.com.au/index.php/id%3B1373164455%3Bfp%3B16%3Bfpid%3B0 Michael Crawford 09/09/2005 The author of a study into firewalls prepared for general practitioners under the Broadband for Health program claims it has been dumbed down so much by federal health bureaucrats, the document is now virtually useless as an IT security guide. The author Dr Horst Herb, director of the Dorrigo Medical Centre in NSW, is demanding his name be stripped from the final report. Once a systems auditor, penetration tester and mainframe security analyst for Siemens, Dr Herb spent the last five months advising the government on minimum firewall standards for GPs. Horst said he believes the government is not serious about IT security when it comes to e-health. Although Herb's work has been published as part of the GPCG (General Practice Computing Group) Security Firewall Guidelines, he said many core technical aspects and product-specific analysis had been stripped out of the recommendations. As a result, he said, the document prepared as an IT security guide for GPs has reached the point of irrelevance. A Department of Health and Ageing spokesperson, asked to respond to Dr Herb's allegations, said the submitted report was "overly-technical" and had to be "simplified extensively" so that could GPs understand it. "The original document was very technical," Herb said. "But that was the whole point, to raise interest and technical understanding of what is involved for GPs. Even if the doctors were to commission out implementing firewalls they would still need to emulate skills of the person that set it up, because generally, there is no formal qualification for implementing firewalls or formal liabilities for firewalls," Herb said. Herb also warned many IT security products are not strong enough to protect highly sensitive, personal information. "The main problem I had was with personal firewalls, which is just software on a computer which is, in my opinion pointless in a surgery scenario because they have too many vulnerabilities - all it takes is downloading software to disable it. GPs need a dedicated firewall where no user can dabble with it," he said. "Surgeries should not rely on basic or personal firewalls. This [detail] was edited out of the original report, mainly so [telecommunications vendors] can just push a default firewall setting as acceptable - it is just pure nonsense." Herb said while the strong security message was being lost on GPs as a result, though he is glad some security information has been released. However, Herb is insisting his name be stripped from the report, because he does not want to be held liable for anyone considering a personal firewall as a viable IT security solution for doctors. Since the report was published, the federal government has axed funding for GPCG, which provided IT support and advice for doctors and clinicians. It ran for eight years under an annual, million-dollar government grant. The Department of Health and Ageing spokesperson said all doctors involved with the now defunct General Practice Computing Group considered the original document to be far too complicated. However, when it was "simplified extensively", they gave it their full endorsement. The department claims the document has since been well received by doctors, despite the GPCG being disbanded. _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Fri Sep 09 2005 - 21:39:43 PDT