Primary Health Insights (PHI) has been built and maintained as a highly-secure platform for Primary Health Networks (PHNs) to safely store, analyse and report on their data.

Platform Ownership and Governance

PHI is owned by all PHNs nationally as tenants-in-common through an unincorporated joint venture (UJV), and is operated by the WA Primary Health Alliance (WAPHA) as Lead PHN under a PHI Project Agreement.

PHNs are Not for Profit organisations registered with the Australian Charities and Not-for-profits Commission (ACNC), and are funded by the Commonwealth Department of Health and Aged Care under the Primary Health Networks Grant Program (see here for more information).

Under the requirements of the Grant Program, the UJV and the Project Agreement PHI is not a commercial activity. Access to PHI is only available to organisations that are party to the PHI Project Agreement.

PHI is governed by a national Steering Committee, with the Member from each state or territory representing the PHNs within that jurisdiction. The Steering Committee reports to the Management Committee of the UJV.

Data Ownership and Governance

Each PHN has access to its own secure section of the platform, referred to as its “lockbox”, and is solely responsible for data stored within that location. The PHN is the data owner and/or data custodian of all data within its lockbox, and is solely responsible for determining, providing and managing any access to that data.

No PHN has any access to, or data governance rights over, any data stored in the lockbox of any other PHN. Unless authorised and granted access by a PHN specifically to provide technical support, neither WAPHA as the Lead PHN nor any external Managed Services Provider (MSP) has any access to any data stored in any PHN’s lockbox.

PHNs operate under a National Data Governance Framework and Policy that establishes principles and requirements to ensure both privacy and the safe and effective management of data. Under the Project Agreement, WAPHA as the Lead PHN is required to operate PHI in compliance with that Framework and Policy (see here for more information).

A key requirement of the Framework is that PHN must complete a Dataset Privacy Impact Assessment (PIA) for any data they store within their PHI lockbox, and to manage data access and use in line with that PIA.

Technical Security

PHI is hosted within the Microsoft Azure data platform, which is accredited to ISO 27001 compliance and has met the requirements of the Australian Government for secure storage of both ‘sensitive’ and ‘protected’ information through the Information Security Registered Assessors (IRAP) program. Many government agencies, both State and Federal, store information of this classification on the Azure platform, including health information.

All traffic entering, leaving or traversing the PHI network is protected by a next-generation firewall that includes deep packet inspection and active threat monitoring. Web traffic is additionally secured behind a separate Web Application Firewall (WAF). Internal networks are fully segmented, and each lockbox is secured behind a separate peered connection to that PHN’s own corporate network.

All network traffic is encrypted to at least Transport Security Layer (TLS) version 1.2 using the Advanced Encryption Suite (AES) cipher with a minimum 128-bit key. Stored data is encrypted using 256-bit AES, with keys and other credentials securely managed within Azure Key Vaults for each lockbox.

Multifactor authentication (MFA) is enforced for all user access under a ‘zero trust’ network access model. PHN staff log into PHI using their home PHN account via Azure Active Directory B2B collaboration; no PHN account passwords are stored by PHI. Role-Based Access Control (RBAC) is used to restrict access to data and services, in line with the default ‘least privilege’ security model.

Advanced Threat Protection and similar services are active across the entire platform to actively detect, identify and respond to unusual and potentially harmful attempts to access data or exploit services.

Data sovereignty is maintained, with data storage geo-locked to physical locations within Australia. Geo-redundant storage (GRS) is established for data by default for cross-zone failover between data centres in Sydney and Melbourne.

All access is logged, with logs retained for between 90 days and two years based on the service accessed.

Security Assessment and Compliance

An annual security review and penetration test of PHI is undertaken by an independent cyber security firm.

Penetration testing is done for both ‘black box’ (unauthenticated access attempts based on limited system knowledge) to simulate external hacking and ‘grey box’ (authenticated access with full system knowledge attempting to gain elevated or prohibited privileges) to simulate potential internal threats.

No viable avenue for gaining unauthorised access to any part of PHI has ever been identified in these tests.

The security review includes architecture, configuration and operations as well as automated vulnerability and compliance scanning of all platform resources against industry standards such as ISO 27001, Azure CIS Foundations, CSA Cloud Controls Matrix, and NIST SP 800-53.

No critical technical vulnerabilities (which identify current security risks) have ever been reported as a result of these reviews or scans.

All lower-risk vulnerabilities (which identify potential future risks of varying degrees) reported are assessed and addressed quickly, with recommendations for improvements implemented by default if at all possible.

The most recent penetration test report for the financial year 2022-23, delivered by ES2 Pty Ltd, rated PHI as a low risk, compared to their average industry risk rating of medium-high.

During the initial platform build project in 2020 two separate Privacy Impact Assessments were undertaken on the architecture and design, and an additional independent security review undertaken prior to go-live.

Insurance

WAPHA holds comprehensive cyber insurance for the PHI platform with $5 million in coverage, which includes protection for any storage of data by PHNs up to and including identifiable health data (if any PHN is required to hold such data as part of their business operations).

Under the PHI Project Agreement, each PHN is also required to hold their own additional cyber insurance.

This Public Security Statement is intended to provide an overview only of PHI security and should not be interpreted as a complete or comprehensive description of security, privacy or governance controls in place to protect the platform or data.