Audit reveals potential security risks in My Health Record

Matt Woodley

28/11/2019 4:05:28 PM


The Australian National Audit Office (ANAO) concluded that the implementation of the My Health Record system has been ‘largely effective’, despite determining risk management for the expansion program to be only ‘partially appropriate’.
It also found monitoring and evaluation arrangements for My Health Record are ‘largely appropriate’, and the planning for and delivery of the opt-out model was ‘effective in promoting achievement of its purposes’.
Dr Rob Hosking, Chair of the RACGP Expert Committee – Practice Technology and Management (REC–PTM), told newsGP the report shows infrastructure is secure, with concerns raised related to peripheral connections to My Health Record – including hospitals, pharmacies and all other health practitioners who are connected.
‘For the most part, this is currently GPs. It also includes patient connection via computer or mobile apps,’ Dr Hosking said.
‘GP software undergoes conformance testing to enable connection to My Health Record and this will be reviewed by the Australian Digital Health Agency [ADHA] as a result of the ANAO findings.’
The report also referenced quality reviews undertaken by the ADHA of a ‘very small sample’ of general practices, which found only 32% had met the requirement of possessing an appropriate security policy. However, Dr Hosking said these figures were a number of years old and that he expected a new survey would produce different results.
‘I would hope that, with the recent publicity and education around My Health Record, general practices have appropriate policies in place,’ he said.
‘The RACGP has conducted a lengthy education program on My Health Record and … during these educational programs the security of our general practice systems was emphasised.
‘There is a definite legal obligation, not just a recommendation, to have a security policy in the practice if you’ve signed up to use My Health Record.
‘Information security in general practice has security templates for practices to develop their security policy. It is a requirement for accreditation that practices have a privacy policy, and part of this should include a security policy.’
Dr Hosking added that non-GP specialists and allied health professionals connecting to My Health Record represent a potentially larger risk, as many have likely had less support and education on these issues than the RACGP has provided.
‘The RACGP, through REC–PTM, will be working with the ADHA to address the concerns raised in the ANAO audit on My Health Record,’ he said.
‘We need good security for our practices overall to protect our patients and our businesses, and connection to My Health Record is only one component of this.
‘However, one must always find a balance between security and usability. We don’t want so many restrictions for perfect security that no one will use it. This will not help in the primary purpose of being available to assist in patient care.’
The ADHA and the Department of Health (DoH) agreed to all five recommendations made by the ANAO as a result of the audit:

  • ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls, and incorporate the results of this assessment into the risk management framework for the My Health Record system
  • ADHA, with the DoH and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function and notifying the Information Commissioner of potential and actual contraventions
  • ADHA develop an assurance framework for third-party software connecting to the My Health Record system – including clinical software and mobile applications – in accordance with the Information Security Manual
  • ADHA develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers
  • ADHA develop and implement a program evaluation plan for My Health Record, including forward timeframes and sequencing of measurement and evaluation activities across the coming years, and report on the outcomes of benefits evaluation
More information on My Health Record and other topics, such as information security in general practice, can be found in REC–PTM’s monthly eHealth webinars.
