What is: Software as a Service (SaaS)
“Software as a Service” (SaaS) allows you to connect to and use cloud-based apps over the internet. Examples include email, calendaring, and office tools (such as Microsoft Office 365). SaaS is a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider.
Why is this important and what’s my role in this?
Be cautious before signing up to use a cloud solution provider/vendor. You must meet a number of Queensland Government “due diligence” requirements before using or procuring a Software as a Service solution.
These requirements ensure:
- Safety and protection of the public and staff, as well as their information.
- Protection of Queensland Health’s and Queensland Government’s assets, people, and reputation.
- Adherence to legislative obligations.
What are common cloud security considerations?
Data ownership in a cloud solution
Metro North Health is accountable for all information uploaded or created within a cloud service. Metro North Health must retain ownership of the information. You must not share or transfer data ownership.
Location of data storage and access
The SaaS should store the information in Australia. The Information Privacy Act 2009 only allows the transfer of personal information outside of Australia in certain circumstances.
Data Encryption
Encrypt the information when stored (at rest) and when in transit. This can prevent unauthorised disclosure.
Privacy and confidentiality of information
You may require a “Privacy Impact Assessment” (see Micro Skill) to determine the privacy impacts and risks of the SaaS solution.
Record keeping and audit logging
There are strict requirements for retaining and disposing of administrative and clinical records. Metro North Health must always meet these requirements. A cloud service provider must enable this.
Identity management
When you log in to a SaaS from a QH device, you should be able to use your existing QH account and password details without the need to create a new account. Do not create an account in the SaaS using your existing QH email account and password. This can be a security risk. You can contact Digital Metro North to assist you if the SaaS asks you to create an account.
If the SaaS you are accessing contains sensitive information, you may also be requested to provide a second authentication method such as a one-time code sent via SMS to your personal or work device.
Metro North Health (MNH) Approved Standards
Technology approved for use across Queensland Health (QH) is available within the “QH Software Centre”. All Metro North Health staff have access to the QH Software Centre (from the Start menu on your PC).
The “Metro North Health Approved Standards List” lists all Metro North Health technology. The Metro North Health Approved Standards List is located in the Enterprise Architecture Repository Portal.
I want to add my SaaS to the MNH Approved Technology List
If you cannot find your specific vendor or software in the QH Software Centre or Metro North Health Approved Technology List, the DMN Enterprise Architecture team can help you assess the SaaS. The assessment determines whether the technology is suitable and aligns with Metro North Health strategies, with the aim of identifying the most appropriate way forward to ensure the information is secure. The outcome may be to have your SaaS approved and added to the Metro North Health Approved Standards List, or it may be a recommendation to leverage an existing QH or Metro North Health application or technology.
To have your technology assessed, click the IT Support link or go to QHEPs IT Support and search “HHS Architecture and Strategy – Generic Request.”
In your request outline:
- your business problem,
- the information you are using and why,
- the technology requested,
- the current risks and
- any specific timeframes for response.
Assessments will typically take approximately five (5) business days.
You do not need to request an assessment of a technology already on the Metro North Health Approved Standards List.
Note: Not all SaaS requests will be approved. Digital Metro North may provide alternative options that are more suitable for Metro North Health. If approved, the SaaS is logged in the Metro North Health Approved Standards List. SaaS procurement must then be through MN Procurement Services.
Where do I find the Metro North Health Approved Standards List?
The Metro North Health Approved Standards List is located in the Enterprise Architecture Repository Portal.
Essential Contacts
Ph: 07 3646 9581
Email: DMN-TechSvcs-Enterprise-Architecture@health.qld.gov.au