The system administrator of Australia’s oft-criticised My Health Record has agreed to a number of recommendations made by the Joint Committee of Public Accounts and Audit as part of its probe into the security resilience of the online medical file.
The committee in 2019 scrutinised a report from the Australian National Audit Office (ANAO) which, while otherwise giving the Australian Digital Health Agency’s (ADHA) My Health Record implementation the tick as “largely effective”, pointed out a number of security issues with it.
In a response [PDF] to the committee, ADHA provided an update to its ANAO My Health Record Performance Audit Implementation Plan, which was developed in February 2020.
One of the recommendations made by ANAO was that ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls. It also recommended that the agency incorporate the results of this assessment into the risk management framework for the My Health Record system.
The agency said it would work with public and private sector healthcare providers, professional associations, consumer groups, and medical indemnity insurers on an “overarching privacy risk assessment”, and incorporate results into the risk management plan for My Health Record.
With a privacy risk assessment completed in September, and initial risk register updates flagged as done as of February, the ADHA has given itself until November to complete the risk management work.
Another recommendation was that the ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function within the online medical file.
After delivering a compliance framework and an emergency access compliance plan in February, the ADHA said it will continue to monitor emergency access and engage with system participants to “promote a sound understanding of the legislative provision and relevant reporting arrangements, so that unauthorised use is recognised and reported to the Information Commissioner, as required”.
It also flagged November as the completion date for this work.
ADHA was also asked by ANAO to develop an assurance framework for third-party software connecting to the My Health Record system, including clinical software and mobile applications, in accordance with the federal government’s Information Security Manual.
“An assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance,” ADHA said in response to the recommendation.
“The agency will review the standards that apply to these systems, and alignment with the Information Security Manual. We will work with industry to update the assurance framework as required.”
The agency also agreed to develop, implement, and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers, and to develop and implement a program evaluation plan for My Health Record.
While not requested by ANAO, ADHA said it is also working to ensure shared privacy risks are identified and appropriately managed between the agency and My Health Record stakeholders and that it is distributing guidance materials and other resources to help with this.
It is also mandating that software developers undertake a conformance process for the new Security Requirements for Connecting Systems when requested by ADHA.