Australia’s national auditor has given the country's My Health Record system a mostly clean bill of health, despite persistent issues with the management of shared cyber security risks.
In an audit [pdf] into the implementation of the electronic health record released on Monday, the Australian National Audit Office (ANAO) said the planning and delivery of the system had been “largely effective”.
This includes preparations for the switch to an opt-out model, which took place this year after an extended opt-out period saw in excess of 2.5 million Australians elect not to have a record.
“The My Health Record expansion to an opt-out model was implemented in accordance with an approved business case and implementation plan,” the audit states.
ANAO said cyber security and privacy risks to the system's core infrastructure were “largely well managed”, with the Australian Signals Directorate’s Essential Eight cyber mitigation strategies in place.
Core infrastructure refers to the software, equipment and interfaces operated by Accenture, which has held the national infrastructure operator (NIO) contract since 2011.
However, while satisfying the government's baseline cyber security requirements, 15 of the 413 applicable Information Security Manual (ISM) security controls have yet to be implemented.
This is despite the government spending in excess of $1.5 billion on the My Health Record scheme since 2011, when it was known as the personally controlled electronic health record (PCEHR).
“ADHA cyber security risk management arrangements with the NIO for core infrastructure are based on clearly defined roles and responsibilities documented in the NIO contract,” the audit states.
“While the contract required the NIO to comply with the PSPF and the ISM, this did not initially result in core infrastructure that implemented all applicable ISM cyber security controls.
“Additional funding was provided to the NIO to implement security improvements and increase the number of ISM cyber security controls for the core infrastructure.”
The audit highlighted that since at least 2017, according to the most recent IRAP security assessment.
ADHA risk management was also found to be informed by several privacy risk assessments undertaken over the past eight years, though none have been completed since the switch to opt-out.
This is despite the ADHA paying the Office of the Australian Information Commission $3.6 million to complete at least four privacy assessments between October 2017 and June 2019.
The not so good
While core infrastructure cyber security risks were “largely appropriate”, the same can’t be said for the management of shared cyber security risks, particularly those relating to third-party software vendors.
“Management of shared cyber security risks was not appropriate and should be improved with respect to risks that are shared with third-party software vendors and healthcare provider organisations,” the audit states.
The audit reveals ADHA previously rejected a 2016 end-to-end security review recommendation that contracted service providers, such as software vendors of clinical systems, be accredited, on the basis that this would create “additional burden to vendors and [the] potential for reputation damage”.
The most recent IRAP security assessment, in 2017, also recommended that “ISM compliance should be considered a minimum acceptable standard for the My Health Record system”.
“The decision to not assess, certify or accredit the ISM compliance of third party software and systems — as required by the PSPF [Protective Security Policy Framework] — limited ADHA’s assurance over the cyber security risks of the My Health Record system,” the audit states.
“An ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cyber security risks from third party software, but any assurance process must be balanced against disincentives to register and use the system.”
The ANAO also found that ADHA's assessments of shared cyber security risks largely focused on “consequences to the ADHA itself and the in-house technical ICT controls and treatments protecting core infrastructure”.
The ANAO has recommended an “assurance framework for third-party software connecting to the My Health Record system” be developed, though ADHA had suggested such a framework is already in place.
“An assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance,” the agency said.
“The Agency will review the standards that apply to these systems, and alignment with the Information Security Manual. We will work with industry to update the assurance framework as required.”
ADHA has also been asked to “develop a strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations”.
The audit also recommended that cyber security risk oversight by the ADHA board be strengthened, noting that only four dedicated cyber security briefings occurred between July 2016 and February 2019.