National eHealth Security and Access Framework v4.0

The National eHealth Security and Access Framework (NESAF) provides standards, tools and guides for the Australian healthcare sector to build and implement secure systems that protect patient data and eHealth-related assets, while providing the provenance required to ensure patient safety and privacy. (For more details and to download fact sheets, see eHealth Security and Authentication.) NESAF v4.0 is derived directly from previous releases and includes refinements and minor inclusions to improve the value of the current product set. This release consolidates stakeholder feedback from independent reviews by reputable security firms, together with updates based on lessons learned from applying the framework since the March 2012 release. The NESAF has also been updated to reflect changes to:

  • Processes relating to online registration for the My Health Record system;
  • The use of NASH certificates; and
  • Australian privacy legislation.

The clinical, consumer and business fact sheets published in the NESAF v3.1 bundle are still available from eHealth Security and Authentication. No changes have been made to these fact sheets since their last release.

Future release: Three industry guides have been developed for NESAF v4 to address security for healthcare organisations looking at implementing:

  • Bring your own device (BYOD)
  • Cloud computing
  • Secure mobile applications

These guides are currently undergoing industry consultation and will be published in a future minor release.

Download size: 15.64 MB

Product Components

NESAF v4.0 is derived directly from the previous releases and includes refinements and minor inclusions to improve the value of the current product set.

The NESAF v4 Overview explains the underlying principles behind the NESAF, the benefits of adopting the framework and additional implementation resources. It is a business-oriented document intended primarily for business executives, system owners and healthcare organisation management teams.

The NESAF v4 Business Blueprint provides a good understanding of the NESAF methodology and appropriate tools to conduct a risk assessment to secure information. It is intended primarily for practice managers, system owners and healthcare information managers.

The NESAF v4 Implementer Blueprint provides a library of process patterns and better practice guidance in relation to key security and access requirements in eHealth. Applying them to your business processes will enable you to design security into any eHealth system.

The NESAF v4 Framework Model and Controls describes in detail the security controls recommended in the NESAF.

The NESAF v4 Standards Mapping describes a suite of standards that have been referenced or mapped in the development of the NESAF, which may provide useful references for readers seeking a deeper understanding of this domain.

By operation of the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016, on 1 July 2016, all the assets and liabilities of NEHTA will vest in the Australian Digital Health Agency. In this website, on and from 1 July 2016, all references to "National E-Health Transition Authority" or "NEHTA" will be deemed to be references to the Australian Digital Health Agency. PCEHR means the My Health Record, formerly the "Personally Controlled Electronic Health Record", within the meaning of the My Health Records Act 2012 (Cth), formerly called the Personally Controlled Electronic Health Records Act 2012 (Cth).