Regional Architectures & Security

The Australian digital health environment provides a unique architectural case study, characterized by massive, state-wide procurement strategies and sweeping regional integrations.

New Zealand's health sector provides an exemplary comprehensive architectural case study for enterprise security controls within EHR/HIS environments through the HISO 10029 standards.

Australia's healthcare IT landscape is defined by state-level procurement rather than fragmented independent hospital purchases.

State Deployments

NSW Health: Cloud Migration

• Historically relied on Cerner Millennium via eMR Connect
• Successfully migrated production Cerner to AWS public cloud
• Transitioning to Epic SDPR (Single Digital Patient Record)
• Completed advanced AWS Landing Zone infrastructure

Queensland and Victoria represent distinct architectural approaches to statewide EMR deployment.

Queensland Health: ieMR

• Cerner Millennium framework branded as ieMR
• The Viewer aggregates data statewide
• Collates patient data from multiple distinct state systems
• Provides unified longitudinal record regardless of source EMR

Victoria: Parkville Precinct

• Strong Epic Systems adoption
• Royal Melbourne Hospital
• Royal Children's Hospital
• Single unified Epic database across precinct
• Drastically reduces duplicate data entry

At the federal level, Australian healthcare interoperability is governed by the Australian Digital Health Agency (ADHA).

Healthcare Identifiers (HI) Service

The HI Service resolves demographic fragmentation nationally by issuing three distinct, mandatory identifiers:

NASH PKI Certificates

To securely authenticate and integrate with the HI Service, local EMR systems must utilize National Authentication Service for Health (NASH) Public Key Infrastructure (PKI) certificates.

My Health Record (MHR) is Australia's national opt-out EHR platform.

B2B Gateway Evolution

• Historical: SOAP web services + CDA payloads
• Clinical documents: Discharge summaries, pathology reports
• FHIR-aligned interoperability programs are expanding alongside the legacy model
• Benefit: clearer migration path toward more granular APIs where national programs support them

In New Zealand, the protection of clinical data is legally governed by the Privacy Act 2020 and the Health Information Privacy Code 2020.

Health Information Security Framework (HISF)

Te Whatu Ora (Health New Zealand) enforces the HISF, published under the HISO 10029 standard. The framework outlines rigid, comprehensive cyber security requirements spanning the entire clinical data lifecycle.

HISF Functional Phases

Within the Protect phase, the framework mandates strict architectural controls.

Identity and Access Management (IAM)

• Complete, auditable lifecycle governance of user accounts
• Absolute enforcement of Multi-Factor Authentication (MFA)
• MFA required for all privileged or administrative access

Network Topology

• Active separation of sensitive processing systems
• Dedicated, isolated network segments
• Insulation from general corporate traffic

Cryptographic Standards

• All electronic health information encrypted at rest
• All electronic health information encrypted in transit
• Transmission of unencrypted clinical payloads banned
• Raw MLLP over open networks prohibited

Operational resilience and security monitoring are critical pillars of the HISF.

Detect Phase: Monitoring

• Comprehensive application logging
• Continuous network traffic monitoring
• Independent security reviews prior to system upgrades
• All access and modification events aggressively logged
• Secure log storage for forensic audit integrity

Respond Phase: Incident Management

• Report all security incidents immediately to governance boards
• Notify impacted customers
• Strictly preserve forensic evidence
• Documented incident response procedures

Historically, healthcare institutions relied exclusively on heavily fortified, isolated, on-premises data centers.

Cloud First Policy

Te Whatu Ora has adopted an aggressive modernization mandate rooted in the New Zealand Government's Cloud First policy, pushing the healthcare sector away from localized, aging physical infrastructure toward highly resilient, scalable public cloud environments.

Hybrid Multi-Cloud Programme

The Australian Privacy Principles (APPs) are the cornerstone of privacy protection in Australia, governing how healthcare organizations must handle personal information including sensitive health data.

The 13 Australian Privacy Principles

Notifiable Data Breaches (NDB) Scheme

• Mandatory notification of eligible data breaches to affected individuals
• Notification to Office of the Australian Information Commissioner (OAIC) required
• Applies to all entities covered by the Privacy Act 1988
• Healthcare organizations must have breach response procedures in place
• Failure to notify can result in significant penalties and enforcement action

The Information Security Registered Assessors Program (IRAP) provides independent assessment of cloud services against the Australian Signals Directorate (ASD) Information Security Manual (ISM) controls.

IRAP PROTECTED Requirements

AWS IRAP Certification

• Multiple AWS Australian regions achieved IRAP PROTECTED certification
• Enables Australian government and healthcare agencies to host PROTECTED data
• Includes controls for encryption, access management, and incident response
• Regular independent assessments ensure ongoing compliance

Data Sovereignty Requirements

• Australian health data must remain within Australian borders
• Cross-border data transfer requires explicit consent or legal authorization
• Cloud providers must guarantee data residency in Australian regions
• Backup and disaster recovery sites must also comply with sovereignty requirements

In addition to federal Privacy Act requirements, Australian states have enacted specific legislation governing health information privacy and access.

State Health Privacy Legislation

NSW: Health Records and Information Privacy Act

• HRIP Act provides additional protections beyond Privacy Act 1988
• Health Privacy Principles (HPPs) specific to health information
• Applies to both public and private sector health organizations in NSW
• Enforced by NSW Privacy Commissioner

Victoria: Health Records Act 2001

• Health Privacy Principles (HPPs) govern collection, use, and disclosure
• Right of access to health records
• Applies to all health service providers in Victoria
• Enforced by Health Services Commissioner

Queensland & South Australia

• QLD: Information Privacy Act 2009 includes specific health privacy provisions
• SA: Health Care Act 2008 governs health information handling
• Both states align with federal Privacy Act requirements
• State commissioners handle complaints and enforcement

The New Zealand Health Information Security Framework (HISF) under HISO 10029 provides a comprehensive five-phase approach to healthcare security.

Security Framework Phases

Australian and New Zealand healthcare architectures demonstrate state-wide deployment strategies and comprehensive security frameworks.

Core Concepts Recap

• NSW: Cerner → Epic SDPR on AWS
• Queensland: ieMR with The Viewer aggregation
• Victoria: Epic Parkville Precinct
• South Australia: Sunrise state-wide rollout
• My Health Record: National opt-out EHR
• HI Service: IHI, HPI-I, HPI-O identifiers
• HISO 10029: NZ security framework (Plan, Identify, Protect, Detect, Respond)
• APPs: 13 Australian Privacy Principles
• IRAP PROTECTED: ASD ISM certification for cloud services

Security Requirements

• MFA for all privileged access
• Encryption at rest and in transit
• Network segmentation for clinical systems
• Comprehensive audit logging
• BCDR plans with tested restoration
• Data sovereignty: Australian/NZ data must remain in-country

Compliance Frameworks

• Federal: Privacy Act 1988, NDB scheme
• State: HRIP Act (NSW), Health Records Act (VIC), Information Privacy Act (QLD)
• NZ: HISO 10029, Privacy Act 2020, Health Information Privacy Code
• Cloud: IRAP PROTECTED certification

For further reading on Australian and New Zealand health IT architectures, privacy, and security: