GPNZ calls for digital primary care to be treated as critical infrastructure
6 hours ago
NEWS - eHealthNews.nz editor Rebecca McBeth 
General Practice New Zealand has released a position paper calling for digital primary care systems to be treated as critical national infrastructure, with enforceable minimum security standards and independent certification for all vendors handling patient data.
The position paper also says that sustainable investment in digital primary care is crucial as the funding model was not designed to uplift security and sustain ongoing compliance.
The move follows recent breaches including Manage My Health and MediMap, which GPNZ describes as symptoms of structural weaknesses in standards, governance, assurance and investment settings rather than isolated failures.
Justin Butcher, GPNZ deputy chair and chief executive of Pinnacle Midlands Health Network, says the health system’s reliance on digital tools has grown, but the governance and standards surrounding those systems have not kept pace.
“Digital systems are now embedded in everyday care. Patient portals, shared records and electronic referrals are essential to how primary care operates,” he says.
“Yet the standards and oversight needed to protect those systems remain inconsistent. The health system needs to move from reacting to incidents to deliberately strengthening its digital foundations.”
Butcher says other sectors already treat digital systems as critical infrastructure, operating with clear standards and independent oversight.
“Primary care sits at the frontline of the health system. It is where patients turn for reassurance and care, and that trust must not be undermined by preventable system failures,” he says.
The position statement calls for enforceable minimum digital security standards, independent certification and transparent assurance, oversight stratified by scale and concentration of risk, structured vendor governance with clear accountability, and sustainable investment recognising digital health as core infrastructure.
It says that current frameworks such as the Health Information Security Framework (HISF) operate primarily as guidance rather than auditable requirements, and that HISF is not currently enforceable and is not always used as the reference framework by vendors.
Because vendors engage individual practices as customers, there is limited aggregation of purchasing power and a lack of ability to influence pricing, standards and contractual terms, it adds.
Digital systems in general practice are funded from operating budgets and treated as overhead, meaning cost often becomes the main determinant of choice rather than security or functionality.
"Expecting small and medium sized providers to absorb increasing digital obligations within existing operating margins is neither realistic nor sustainable," the position paper says.
Butcher says primary care providers are committed to strengthening digital security but need consistent national frameworks to do so effectively.
His comments echo those of Aged Care Association (ACA) chief executive Tracey Martin and Medical IT Advisors chief executive Faustin Roman who told eHealthNews that healthcare IT should get similar regulatory treatment to other critical infrastructure sectors, with appropriate assurance and enforcement mechanisms.