WA Health scrubs up for secure transformation and cloud-first future

Western Australia is home to 2.6 million people, spread across a landmass equal to almost a third of the nation. Providing health care services is a challenging ask – but one that is tackled daily by the WA health system (WA Health) and the 45,000 people who work there.

Ticking away in the background are more than 1,000 clinical and corporate applications, which represent a significant challenge to transition to the cloud while also delivering cost effective, responsive, secure and nimble platforms that will stand the test of time.

Holger Kaufmann, chief information officer at Health Support Services (HSS), is leading this transformation and modernisation of technology across WA Health. HSS is the WA health system’s shared services provider delivering connectivity, central compute and storage and application support for all of WA Health. The team also leads on cyber security issues for the agency.

Kaufmann is leading a transformation program that will see most workloads move from on premises data centres and into the cloud. He explains; “Our model for the future of compute and storage is going to be hybrid-cloud, with the majority probably in private cloud, and increasing over the coming years in managed public cloud services.”

The transition to the cloud is taking place alongside an overhaul of the wide area network that connects WA Health’s 500 sites, spread across the vast State. This will support the deployment of cloud and the rollout of Office 365 State-wide. Currently being piloted, the intent is to make Office 365 available to all employees by mid-2020.

Ensuring that proper data controls and security are addressed alongside the transformation program is critical to WA Health. In the past year the team has established a cyber-focussed Security and Risk Management (SRM) team in response to regular public sector audits to improve cybersecurity business-as-usual practices. This included managing a Digital Information Security (DIS) program to bolster the cybersecurity baseline in preparation for ongoing transformation, using Microsoft Security Cloud Services such as Advanced Threat Analytics, Azure Active Directory and Multi-Factor Authentication.

It’s an approach already delivering significant benefits for WA Health, such as helping to drive down operational costs thanks to self-service password management. The user experience is also enhanced through single sign-on to Office 365 cloud applications and the collaboration options offered through Microsoft Teams.

The migration to the cloud also ensures WA Health and its user community have access to the latest version of key systems and platforms.

The SRM team, led by Martin Dart, ICT Director Security and Risk Management at HSS, is drawing from the NIST Cyber Security Framework and several strategic government and industry partnerships to help lift maturity across the system. According to Dart: “We are partnering with Microsoft to help us with technical resources, and fully leverage our investments in the Microsoft Office 365 suite.”

Microsoft and WA Health’s SRM team have already run a series of workshops to ensure maximum advantage from Microsoft 365, and to enhance the security posture across the enterprise

According to Dart; “By expanding the DIS project we are looking to tackle issues including Australian data sovereignty over cloud services. We’re currently rewriting our cloud security policy to reflect that as a key concept, that not all clouds are created equal – Australian clouds versus overseas clouds.”

Microsoft Azure, which has been certified to handle confidential data to Protected level by the Australian Signals Directorate under the Certified Cloud Services List, would meet that requirement.

With these enhanced security and privacy key considerations, WA Health will promote a cloud-first approach for the future – and hopes to have substantially migrated legacy applications to cloud platforms over the coming 18 months.

Cloud selection will be tackled on a tiered basis depending on the sensitivity of the application and data involved. Straightforward workloads and data transitioned to the cloud via trusted WA Health interfaces will attract a streamlined risk assessment, as opposed to more complex and sensitive applications which will require greater scrutiny.

As more cloud-based applications become available Kaufmann anticipates that there will be increased demand for access to applications through staff or patient-owned devices. This will require continued rigour in terms of identity and access management, and the ability to monitor and control data flows. HSS will continue to explore these options to ensure security and privacy, while promoting streamlined and efficient access for authorised users.