The federal government’s online medical database was recently the target of an attempted hack by an unknown attacker, an inquiry into the cyber resilience of government entities has heard.
The Australian Digital Health Agency — the system operator for My Health Record — on Tuesday told the Joint Committee on Public Accounts and Audit that it has identified two potential data breaches this financial year.
The first was an attempted “hack” on the external perimeter of the My Health Record System, and the second on a state healthcare facility, according to ADHA national health CIO Ronan O’Connor.
“The first notification was reported to the Office of the Australian Information Commissioner and that was related to a potential compromise to external information technology infrastructures supporting the wider My Health Record system,” he said.
“I want to assure the committee there was no access into the My Health Record whatsoever, no health information or personal, sensitive information was accessed.”
He said the agency had worked with the Australian Cyber Security Centre following the incident, and “there were no further investigations”.
Despite the ADHA’s security monitoring tools having identified a “potential vulnerability” in the system, O’Connor said the agency could not identify the attacker.
Regarding the second incident, O’Connor said the healthcare facility “became aware their system had potentially been hacked”, but “there was no compromise”.
In a November audit report the national auditor-general Grant Hehir found the implementation of the My Health Record system was “largely effective”. However, the management of shared cybersecurity risks — particularly in third-party software vendors and healthcare provider organisations — was found in need of improvement.
Hehir said the ADHA had failed to undertake any privacy risk assessments of the system, noting the agency had funded the OAIC to conduct at least four privacy reviews between October 2017 and June 2019, but none were completed.
O’Connor reassured the committee that My Health Record has “quite a comprehensive system for security monitoring”, and revealed the ADHA has set up its own cybersecurity centre. He said the agency would soon implement a security-focused e-learning initiative.
The Department of Health told the inquiry it was a requirement for all registered My Health Record participants to have a written security policy covering a range of issues.
ADHA CEO Bettina McMahon noted cyber resilience is also addressed in the My Health Record Act.