Digital Health SA issues RFI for security compliance uplift

Digital Health SA (DHSA) has issued an RFI to engage the market and identify tooling solutions to support its alignment to the South Australian Cyber Security Framework (SACSF) Version 2.0.

Digital Health SA is the division of SA Health responsible for providing and maintaining the ICT that supports the state’s healthcare system.

The SACSF v2.0 provides the mandatory cyber security framework for South Australian Government agencies, requiring organisations to demonstrate consistent, measurable, and auditable security posture. The Security Services function within DHSA is responsible for leading compliance with the SACSF and ensuring that the organisation meets its obligations under the framework. 

Currently, DHSA manages its SACSF alignment activities through a mix of ad-hoc tools including manual spreadsheets, standalone documents, and disconnected processes.

Without a unified platform capable of both aggregating data and acting within the environment – such as isolating endpoints and managing remediations - security evidence and compliance data is scattered across multiple systems, creating duplication of effort and version control issues.

Staff are required to spend disproportionate time on administrative tasks — collating evidence, updating trackers, and producing reports — rather than on value-adding security activities, while leadership and stakeholders also lack a consolidated, real-time view of DHSA's compliance posture against SACSF controls, making it difficult to prioritise remediation and report with confidence.

As SACSF v2.0 introduces more rigorous requirements, the current ad-hoc approach is not sustainable and will only increase in complexity and cost over time, with the hidden labour cost of managing compliance manually across multiple tools described by DHSA as "significant" and representing a "poor return on investment compared to a purpose-built solution".

To solve these problems, DHSA is seeking a centralised platform that maps DHSA's security activities and evidence directly to SACSF v2.0 controls, reducing manual effort and eliminating duplication.

It's also looking for tooling that actively supports improvement across the SACSF v2.0 control domains, including but not limited to vulnerability assessment and management, asset identification and inventory, and network security assessment. The intent is not only to demonstrate compliance, but to use the SACSF as a driver for measurable, sustainable improvement in DHSA's overall security posture.

Other objectives of procuring a new solution include improved assurance and reporting, cost reduction, integration with existing tooling, audit readiness and scalability and sustainability.

The tender closes at 2PM (SA time) on 15 June.

Last week, DHSA has issued a request for quote for an Enterprise Architecture Management System to provide a single, accurate and up-to-date view of digital assets.