The federal government’s controversial My Health Record has been given the tick of approval by the national auditor-general, despite it being exposed to shared cybersecurity risks.
The online medical database sparked national privacy and security concerns from tech experts to family violence groups to teenage health advocates in the lead up to the “opt-out” deadline in January this year.
In its latest report, the Australian National Audit Office has described the widespread criticism as simply, “parliamentary and public interest in relation to privacy and cybersecurity risks”.
But apparently there was nothing to fear. The implementation of the My Health Record system was “largely effective”, auditor-general Grant Hehir concluded.
However, the management of shared cybersecurity risks — particularly in third-party software vendors and healthcare provider organisations — was found to be in need of improvement.
Hehir noted the Australian Digital Health Agency (ADHA) — the system operator for My Health Record — has not yet undertaken any privacy risk assessments of the system under the current opt-out model. And while the agency had funded the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019, none were completed.
The ADHA also did not have solid arrangements to ensure the emergency access function would not lead to an “interference with privacy”, the audit found.
Cybersecurity risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened. The audit report noted the board had received “dedicated” cybersecurity briefings four times between July 2016 and February 2019, but had not considered the latest cybersecurity strategic plan, despite it having been finalised by the ADHA executive in November last year. The role of the committee was also questioned.
Hehir recommended the agency conduct an end-to-end privacy risk assessment of the system’s operation, including shared risks and mitigation controls. It should then put the results into the risk management framework for the system.
ADHA, the Department of Health and the information commissioner should review procedures for monitoring the system’s emergency access function, and should notify the commissioner of any suspicious use.
The report also recommended an assurance framework be developed for third party software connecting to the system, including clinical software and mobile applications. A strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations and contracted service providers should also be set up.
The ADHA has agreed with all recommendations. It acknowledged the system operates within a “complex environment” of controls such as state and territory privacy laws, and would consider this when working with stakeholders to “lift the capability of the health sector” and meet increasing community expectations on their privacy and security.
Hehir left some key messages for other government entities to learn from:
“My Health Record is an example of a program with many shared risks, not only between different Commonwealth agencies but also jurisdictions and the wider community, including the healthcare sector, clinical software vendors, and consumers. Good risk management is not just about managing risks to Commonwealth agencies; entities must also identify, assess and manage the risks that they share with others – which may include the groups of people to whom they are delivering services.”
“The intended benefits for the My Health Record system are estimated to take at least ten years to be realised. Where the intended benefits of a program are projected to be realised over a relatively long period, entities should not only describe what the intended benefits are and how they could be measured, but also make clear delivery plans showing how and when the benefits will be measured, evaluated and reported.”
ADHA CEO Tim Kelsey said the audit findings could help other government entities improve their digital services.
“The agency supports the sharing of learnings as key messages to other government entities. We hope that our experience implementing this major program will contribute to the capability of the public service to deliver major technological and change programs into the future,” he said in a statement.