What were the main findings of the report?
The ANAO undertook this investigation to determine the effectiveness of the implementation of the My Health Record system under the opt-out model.
In doing so, they considered whether the risks of the system are being appropriately assessed, managed and monitored and the arrangements that are in place to monitor and evaluate My Health Record as more and more Australians begin to use and rely on the system.
The ANAO’s report, Implementation of the My Health Record System, found that:
- Implementation of My Health Record has been largely effective.
- Implementation, planning and execution of My Health Record was appropriate and was supported by appropriate governance arrangements.
- Communication activities were appropriate to inform healthcare recipients and providers about the system.
- My Health Record is an example of a program with many shared risks, not only between different Commonwealth agencies, but between different governments, the healthcare sector, clinical software vendors and the community at large. Good risk management is not just about managing risks for Commonwealth agencies – it also includes the groups of people to whom they are delivering services.
- The Agency has robust controls in place to manage cybersecurity risks to the core infrastructure of the My Health Record system; however, it needs to work more closely with healthcare providers and software providers to ensure cybersecurity risks are appropriately managed at every stage of the healthcare system.
What were the recommendations?
The ANAO made five recommendations:
- ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls, and incorporate the results of this assessment into the risk management framework for the My Health Record system.
- ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function and notifying the Information Commissioner of potential and actual contraventions.
- ADHA develop an assurance framework for third party software connecting to the My Health Record system — including clinical software and mobile applications — in accordance with the Information Security Manual.
- ADHA develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers.
- ADHA develop and implement a program evaluation plan for My Health Record, including forward timeframes and sequencing of measurement and evaluation activities across the coming years, and report on the outcomes of benefits evaluation.
Does the Agency support the ANAO’s recommendations?
The Australian Digital Health Agency welcomes the findings in the report and agrees with all recommendations made by the ANAO.
The ANAO’s conclusion that the implementation of My Health Record was largely effective, and that planning, governance and communication were appropriate, will provide the community with an important perspective on the competence of the public sector to implement a system of this scale and nature.
The Agency will work with Commonwealth entities, state and territory governments, healthcare providers and professionals, the technology industry and consumer groups to implement the recommendations.
Has the Agency met its reporting obligations under the My Health Records Act in relation to notifying OAIC of any potential unauthorised access, security or integrity breaches?
The Agency reports all instances of potential unauthorised access, security or integrity breaches that it is made aware of, as required under Section 75 of the My Health Records Act 2012.
The Agency is not required to report use of the emergency access function to the OAIC. Rather, as outlined in the OAIC report, system participants have a reporting obligation if “a contravention of the Act [involving unauthorised access] has or may have occurred”. A reporting obligation would only occur if a view was formed that access had not been lawful, which has not occurred to date.
Further information on notifications to OAIC can be found in the Agency’s annual reports.
How can people control who can access their My Health Record?
My Health Record is a safe and secure system that stores your health information. You can take further steps to control your privacy by limiting who has access to your record. Find out how by visiting the My Health Record website.
What did ANAO find in relation to cybersecurity protections for My Health Record?
In their report, ANAO recognised the high level of security on the My Health Record system and the multiple independent reviews that have assured this.
The ANAO has observed that the rest of the health sector would benefit from applying the privacy and security standards set by My Health Record.
It has suggested that the Agency take the lead in supporting the health sector to continue to improve in digital health matters. As such, the Agency will work with Commonwealth entities, state and territory governments, healthcare providers, the technology industry and consumer groups to implement the recommendations.