A WA parliamentary question seeks information on the Department of Health's digital record management, security, and strategy. The response indicates progress in vendor management, application deployment processes, security policies, and patching, but the digital strategy is still being finalised.

Answered
QoN 5364
Legislative Assembly
Asked
7 August 2019
Portfolio
Health

Question

I refer to the 2018 Information Systems Audit Report, and ask, has the Department of Health:
(a) Embedded appropriate vendor contract management practices associated with the digital patient medical record system:
(i) If so, what practices have been embedded;
(ii) If so, were they embedded in the contract extension; and
(iii) If not, why not;
(b) Developed appropriate processes to support future decisions to deploy applications, including approving business cases which are supported by appropriate cost models:
(i) If so, what processes have been put in place; and
(ii) If not, why not;
(c) Reviewed its information security policies to apply appropriate controls to protect sensitive information:
(i) If so, what policies have been put in place;
(ii) If so, have the policies been put in place across the entire health system:
(A) If not, why not;
(iii) If not, why not;
(d) Developed a digital strategy to guide WA Health's approach to digitising medical records:
(i) If so, when was the strategy developed;
(ii) If so, when was the strategy approved;
(iii) If so, when was the strategy communicated;
(iv) If so, will the Minister table the strategy; and
(v) If not, why not; and
(e) What processes have been put in place to ensure all servers, devices, computers and information systems implement all software updates in a timely manner:
(i) When were these processes put in place?

Answer

Answered
17 September 2019
Responded by
Minister for Health
Response time
11 days
I am advised:
(a) Yes.
(i) A Service Level Agreement (SLA) has been agreed with the Contractor that defines:
A Contract Management Plan is in place to guide standard and consistent management of the contract and key stakeholders.
(ii) Yes.
(iii) Not applicable.
(b) Yes.
(i) The Department of Health ICT governance process allows Health Service Providers to present fully funded ICT proposals to HSS for technical review, cost estimation and an assessment of whole of health strategic alignment. A scaling matrix determines whether the proposal is approved by a local ICT governance committee or a WA health system-wide committee. Approved proposals are delivered through a project lifecycle methodology which generates approved business cases.
(ii) Not applicable.
(c) Yes.
(i) Information Management policies are reviewed and updated continuously to ensure that information is secure and utilised appropriately. This includes the Information Access, Use and Disclosure Policy, the Information Classification Policy and the Data Breach Notification Policy, which all direct staff to apply appropriate controls to protect sensitive information. In addition, the Information Security Policy is in place across the WA health system. This policy was last updated on 29 May 2019.
(ii) Yes, these policies will continue to apply across the WA health system.
(iii) Not applicable.
(d) (i) The 2020-2030 WA Health Digital Strategy is currently being finalised.
(ii) The draft Digital Strategy was endorsed by the Senior Executive of the WA health system (all Chief Executives from the Health Service Providers, the Assistant Directors General and the Director General) in April 2019 subject to agreed changes being incorporated into the Strategy including alignment to the Sustainable Health Review Final Report.
(iii) The strategy has not been communicated as yet as it is currently being finalised.
(iv) Not applicable as strategy has not been finalised.
(v) Not applicable.
(e) (i) The HSS ICT Security & Risk Management team was established October 2018. This team manages operational ICT risk, of which patching is a component. A bi-weekly vulnerability (patching) management meeting takes place across HSS ICT teams to track vulnerable software.
HSS has various memberships to keep up to date with emerging threats and enable acceleration of patching timeframes based on the intelligence of emerging risks:
The HSS End User Computing (EUC) team has regularly applied patches to the EUC devices they manage (and with the Microsoft Operating System) since 2014. The HSS Infrastructure team maintains a Nessus scanner (implemented May 2017) which reports on server patch status and the implementation of Microsoft’s Windows Server Update Services server (WSUS) that automatically deploys patches.
