Guidance on Security and Privacy

This page provides information taken from the Uniquest Report, which the Department commissioned to provide advice on security, privacy, interoperability and technical requirements for a broad range of telehealth services. These requirements will depend on individual clinical settings, and the report does not necessarily reflect the Department's position.

Page last updated: 16 October 2014

Further details on technical issues can be found in the summary document for the Uniquest Report.

Summary of Uniquest Report


Security and privacy considerations
Privacy protection and security mechanisms to be considered include:
  • Telehealth services be compliant with all relevant state and federal laws.
  • Telehealth service providers periodically review and update their privacy policies to ensure that they adequately address the management of information gathered during telehealth consultations.
  • Telehealth service providers periodically review and update their privacy notices to ensure that they adequately address the management of information gathered during telehealth consultations.
  • Telehealth service providers periodically review and update their practices and procedures for managing personal information, including data security measures.
  • Protocols used to secure telehealth consultations be non-proprietary and standards-based, to foster interoperability, inspectability and trust.
  • Telehealth services, whether discrete practitioners or service providers, use a valid Public Key Infrastructure (PKI) certificate.
  • The PKI certificate be signed by a Certification Authority that maintains a Certificate Revocation List (CRL).
  • The PKI certificate use a minimum key strength, e.g. 2048-bit encryption. As computing power increases, the level of encryption may need to be increased.
  • PKI certificates be stored in a physically or technically secured environment.
  • All teleconsultation data (including ancillary data) be secured for transmission across a data network either by use of encryption or VPN technology.
  • All web services used in teleconsultations, including web-based video conferencing, patient records and messaging systems, be secured by a minimum of Transport Layer Security Version 1.2.
  • All emails containing patient data be secured. This should be at a minimum by Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.0 or later and/or the latest technical specifications published by Standards Australia for E-Health Secure Message Delivery.
  • Hardware-based videoconferencing units support the International Telecommunication Union (ITU) H.235 standard, allowing encrypted communication between end points in both point-to-point and multi-point videoconferencing sessions.
  • The National Authentication Service or a similar service be considered for telehealth service providers and telehealth applications when operational.
  • All telehealth applications enforce strong passwords.
  • All telehealth applications use two-stage authentication.
  • All telehealth applications record an audit trail of users' access to patient information.
  • Policy guidelines for the retention and storage of telehealth records could be developed to assist those telehealth service providers which are not subject to specific legislative requirements for the retention and maintenance of health records.
  • If storage is required, telehealth data (ancillary data and clinically determined recorded videoconference session) be stored in a physically secure environment. The management (sanitisation, destruction and disposal) of media on which telehealth data is stored should be performed according to legislative obligations and sound technological practice. Secure storage is the responsibility of the telehealth service (including discrete practices, practitioners and service providers).
  • If telehealth data is stored on a portable device it can be encrypted using a commercial data encryption application.
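
The items above on TLS 1.2, valid PKI certificates and CRL-backed revocation can be expressed as client-side settings and checked automatically. The following Python sketch is an added example, not taken from the Uniquest Report or the Department; the function names and finding labels are hypothetical, and the key-strength item is not covered because the standard library does not expose key size.

```python
import ssl

# Added example: checks derived from the guidance items on TLS 1.2, valid PKI
# certificates and CRL-backed revocation. All function names are hypothetical.


def build_client_context(crl_file=None):
    """Client context that meets the TLS and certificate items in the list."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    if crl_file is not None:
        # CRL (PEM) published by the issuing CA; the path is supplied by the caller.
        ctx.load_verify_locations(cafile=crl_file)
    # With this flag set, a handshake fails when no CRL for the issuer is
    # loaded, so revocation checking cannot be skipped silently.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx):
    """Return a list of findings where a context falls short of the guidance."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("tls-below-1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("crl-not-checked")
    return findings


def build_weak_context():
    """Constructed counter-example: settings the guidance rules out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allows pre-1.2
    ctx.check_hostname = False   # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(build_client_context()))
    print("weak:    ", audit_context(build_weak_context()))
```

In production the CRL file has to be refreshed before its next-update time, otherwise the revocation check will reject every connection.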