My Health Record cyber risk management fails

An audit has found shortcomings in privacy and cyber security risk management in My Health Record, particularly in relation to third party risks.

A report from the Australian National Audit Office found implementation of the digital health information system had been largely effective.

But it found management of cyber security risks needs to be improved.

“Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third party software vendors and healthcare provider organisations,” the report concludes.

My Health Record brings together electronic summaries of an individual’s health information on a platform delivered by the government’s digital health agency together with Services Australia and the Office of the Australian Information Commissioner.

Implementation of the $1.5 billion system is one of seven priorities in the National Digital Health Strategy.

The information on My Health Record can include medical reports, Medicare data, referral letters, organ donor advice and advance care plans, which can be shared with other government agencies, third party software vendors and healthcare providers.

It also has an emergency access override function to review records.

The system became “opt-out” in February this year and, according to the government, a My Health Record now exists for 90 per cent of Australians and it is used by 16,400 healthcare providers.

The government says the system aims to improve efficiency and facilitate better sharing of health information, but critics have raised privacy and cyber security risks.

Need for end-to-end privacy risk assessment

The audit office found that Australian Digital Health Agency (ADHA) had not yet undertaken an end-to-end privacy risk assessment of the system under the opt-out model.

It said ADHA had “largely appropriate systems” to manage cyber security risks at the core of the system, but its management of shared cyber security risks and its oversight processes needed improvement.

Cyber security risk oversight by the ADHA Board and its Privacy and Security Advisory Committee could be strengthened, the report said, and arrangements to ensure emergency access didn’t breach privacy need to be toughened up.

Concerns about emergency access

The audit said there were 205 instances of the emergency override function in March, up from 80 in July 2018. The function was only used as intended in 8.2 per cent of those cases, and some indicated “a potential contravention”.

“To date, ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations,” the report said.

The ADHA has agreed to conduct an end-to-end privacy risk assessment of the My Health Record system under the opt-out model and to incorporate it into a risk management framework.

It has also agreed to review the emergency access function and to develop an assurance framework for third party software connecting to the system.

The agency said it recognised it operated within a complex network of risk controls and privacy safeguards.

“We will have regard to this complex environment when working with stakeholders to raise standards in health information management, with a view to lift the capability of the health sector to continue to meet increasing community expectations on privacy and the security of health information,” it said.
