3. Auditor-General Report No. 13 (2019-20)

Implementation of the My Health Record System

Entities Audited: Australian Digital Health Agency; Department of Health

Introduction

3.1
Chapter 3 focuses on the cyber resilience findings of Auditor-General Report No. 13 (2019-20), Implementation of the My Health Record System.1
3.2
My Health Record is an online electronic summary of a person’s health information. It is part of a national digital health agenda to encourage better sharing of health information across healthcare settings. Nine out of every ten Australians now have a My Health Record, following the conclusion of the opt-out period on 31 January 2019.2 My Health Records may include:
information from healthcare providers—health summaries, hospital discharge summaries, pathology and diagnostic imaging reports, medications, and referral letters;
information from repository operators—Medicare data, Pharmaceutical Benefits Scheme/Repatriation Pharmaceutical Benefits Scheme data, Australian Organ Donor Register decisions, and Australian Immunisation Register data;
information added by healthcare recipients—such as contact numbers, emergency contact details, and advance care plans; and
back-up copies of documents.3
3.3
My Health Records can be accessed by healthcare recipients, healthcare providers, and nominated/authorised representatives.
3.4
The Department of Health (Health), a non-corporate Commonwealth entity, administers the My Health Records Act 2012, on behalf of the Minister for Health. The Australian Digital Health Agency (ADHA), a corporate Commonwealth entity, is the System Operator for My Health Record.
3.5
ADHA shares cyber security risks with other participants, including:
the National Infrastructure Operator (NIO) and subcontractors—provide the core infrastructure for the My Health Record system, and have legislative and contractual security obligations;
Services Australia—secures the data repositories and myGov portal …;
software vendors—are responsible for the security of software used to access the My Health Record system, including clinical software used by healthcare providers and mobile applications used by healthcare recipients;
healthcare provider organisations and their contracted service providers—have access to multiple records by design, and are responsible for their information management and cyber security practices; and
individual healthcare recipients—are responsible for the security of the passwords, devices and connections they use to access their My Health Record, either through myGov or third party mobile applications.4

Audit Rationale

3.6
The My Health Record system potentially impacts all Australians, as it collates electronic summaries of individuals’ health information. The system ‘requires a balance between increasing access to information, and managing the inherent privacy and cyber security risks of making that information more readily available’.5 The audit stated that, ‘for these reasons, My Health Record has generated parliamentary and public interest, particularly in relation to the management of privacy and cyber security risks’.6

Audit Objective and Criteria

3.7
The audit objective was to assess the effectiveness of the implementation of the My Health Record system under the opt-out model, with the audit adopting the following criteria: ‘implementation of the My Health Record system promotes achievement of its purposes; My Health Record system risks are appropriately assessed, managed and monitored; and monitoring and evaluation arrangements for the My Health Record system are effective’.7

Overall Audit Conclusion

3.8
The audit concluded that ‘implementation of the My Health Record system was largely effective’.8 Implementation planning for and delivery of My Health Record under the opt-out model was ‘effective in promoting achievement of its purposes’, and implementation planning and execution was ‘appropriate’ and supported by ‘appropriate governance arrangements’.9 Communication activities were also ‘appropriate to inform healthcare recipients and providers’; risk management for the My Health Record expansion program was ‘partially appropriate’; and monitoring and evaluation arrangements for My Health Record were ‘largely appropriate’.10
3.9
In terms of cyber resilience, the audit found that ADHA had ‘largely appropriate systems to manage cyber security risks to the core infrastructure of the My Health Record system, except its management of shared cyber security risks and its oversight processes should be improved’.11 On these specific matters, the audit found that ADHA’s approach to managing shared cyber security risks was ‘not appropriate’ and recommended that ADHA develop an assurance framework for third-party software connecting to the My Health Record system, including clinical software and mobile applications, in accordance with the Australian Government Information Security Manual (ISM).12 It also recommended that ADHA develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers.13 ADHA agreed to these recommendations.

Cyber Security Standards

3.10
It is not mandatory for corporate Commonwealth entities to apply the Protective Security Policy Framework (PSPF) or the Top Four strategies from the ISM for mitigating cyber threats.14 However, in March 2017, the Council of Australian Governments amended the Intergovernmental Agreement on National Digital Health to acknowledge that ADHA (a corporate Commonwealth entity) would comply with the PSPF and ISM.15
3.11
The My Health Record system underwent five information security assessments between 2012 and 2017, conducted by an external Information Security Registered Assessors Program (IRAP) assessor.16 The audit noted the 2017 IRAP assessment found that, for My Health Record core infrastructure, ADHA had implemented the Top Four and Essential Eight cyber security mitigation strategies.17 ADHA also stated to the Australian National Audit Office (ANAO) that ‘the My Health Record system has not been the subject of any actual malicious cyber activity, events or incidents’.18
3.12
The audit concluded that ADHA had ‘managed risks’ to the core infrastructure of the My Health Record system through ‘establishing a Digital Health Cyber Security Centre; undertaking a series of dedicated cyber security assessments; and implementing the “Essential Eight” cyber security mitigation strategies and decreasing the number of ISM cyber security controls not implemented’.19
3.13
The audit noted that its analysis of cyber security risks was based on ‘a review of ADHA’s documentation and management frameworks’—the ANAO ‘did not test the technical effectiveness of cyber security controls as part of this audit’.20 As the Auditor-General further advised, ‘we reported that, effectively, they had provided assurance that they met the mandatory four and the top eight. We didn’t do an independent assessment of those things in that audit like we do in the cyberaudits’.21
3.14
ADHA provided additional information at the public hearing about the IRAP assessment.22 The Auditor-General observed that ‘we’ve reported in other audit reports that sometimes we’ve found that IRAPs haven’t always provided an accurate indicator of cyber resilience … That said, they are a key part of the framework, so it’s an important part of what agencies undertaking them do’.23

Assurance Framework for Third Party Software

3.15
The audit found that ADHA ‘did not assess, certify or accredit the ISM compliance of third party software and systems connected to the My Health Record system’, as required by the PSPF—‘this included clinical software that gives healthcare providers access to multiple health records, and mobile applications for healthcare recipients’.24 This decision ‘limited ADHA’s assurance over the cyber security risks of the My Health Record system’.25 The audit stated that ‘an ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cyber security risks from third party software’, but any assurance process ‘must be balanced against disincentives to register and use the system’.26
3.16
The audit recommended that ADHA develop an assurance framework for third party software connecting to the My Health Record system, including clinical software and mobile applications, in accordance with the ISM.27 ADHA agreed to the recommendation and, at the time of the audit, advised that ‘an assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance’—but stated that it would ‘review the standards that apply to these systems, and alignment with the ISM. We will work with industry to update the assurance framework as required’.28
3.17
The ADHA-Health submission provided further details of ADHA’s implementation plan for this audit recommendation.29 ADHA also provided implementation timeframes over 2020 for the recommendation, encompassing ‘external engagement, internal engagement, baseline framework, prioritise roadmap, roadmap delivery’.30

Shared Risk and Compliance with Legislated Security Requirements

3.18
The ANAO outlined that the My Health Record program has a number of shared risks involving different Commonwealth agencies, various jurisdictions, the healthcare sector and consumers. More specifically, ADHA shares My Health Record risks with a variety of system participants including Services Australia, healthcare provider organisations, medical practitioners, software vendors, healthcare recipients and the Information Commissioner.31 The ANAO highlighted the importance of not only managing risks to Commonwealth agencies but also assessing and managing risks shared with other participants.32
3.19
The Commonwealth Risk Management Policy requires that entities implement strategies to manage shared risks and outlines measures that may be taken including: establishing memoranda of understanding with partners to formalise shared risk management; development of shared risk registers; educating officials on their responsibilities to identify and manage shared risks; and documenting control owners and governance arrangements for monitoring shared risks.33
3.20
The ANAO stated that ADHA could further clarify the roles and responsibilities of government entities in managing shared risks ‘by explicitly indicating which risks are shared, with which entities, and who in other entities is responsible for controls implementation’.34 Further, the ANAO recommended that ‘ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls, and incorporate the results of this assessment into the risk management framework for the My Health Record system’.35 ADHA agreed to this recommendation.
3.21
Under the relevant My Health Records legislation, entities such as healthcare provider organisations and contracted service providers must comply with mandatory legislated security requirements in order to be eligible, and remain eligible, for registration. As the System Operator, ADHA should not register an ineligible entity, and may consider revoking registration of an entity that does not remain eligible.36 ADHA has ‘clear statutory functions and powers to register and deregister entities’.37
3.22
The audit found that ADHA ‘conducted limited compliance monitoring to ensure registered healthcare providers met legislated security requirements’, noting that ‘legislative requirements are only effective risk controls when enforced’.38 The risk that multiple health records are accessed, modified or made unavailable without authorisation due to compromise of a participating healthcare organisation or their contracted service provider ‘remains a shared risk above ADHA’s residual risk tolerance’.39
3.23
At the public hearing, the Auditor-General explained that the shared risks in My Health Record ‘bring additional risks’, and ‘the increase is because there needs to be coordination between various agencies to manage the risk … So it’s simply the number of players involved and getting accountability in the right spot for where mitigation can best occur’.40 As the Auditor-General further noted:
Part of the response to our report from the agencies … was the balance between meeting statutory requirements and ensuring broad uptake of a system … at the end of the day, parliament has put through some legislation saying that certain things have to happen before someone can be registered as a provider, and that’s sort of where we landed with respect to the recommendations.41
3.24
ADHA outlined some of its cyber security initiatives to manage risk and improve the level of awareness and education, including cyber security guidance materials ‘designed to encourage improved information security practices across the health sector and into GP practices’; presentations and workshops; and digital health security awareness e-learning courses.42 ADHA also worked with the Australian Cyber Security Centre (ACSC) to issue alerts into the health sector.43 ADHA further emphasised that this is a ‘continuing, ongoing improvement process. The landscape changes on a minute-by-minute, daily basis … this is just ongoing in relation to the support that we provide to those organisations’.44 ADHA also advised that all traffic to and from the My Health Record system is monitored for ‘any unusual behaviour or activity’, using specialist real-time monitoring tools and, ‘in instances where we have particular concern, we can suspend access from that organisation to the My Health Record system’.45
3.25
In terms of benchmarking cyber security practice within healthcare providers and tracking progress, Health responded that:
obviously we’ve still got work ahead of us in terms of more detailed consultation with the peak organisations about lifting the security posture of all of those participants that interact with the Commonwealth government, and specifically with My Health Record. So that is a … design piece of work that we need to do with them about what is their current level of conformance and then how we might continue to attest that and its improvement.46
3.26
As Health further explained, ‘part of the work that we’re trying to do collectively at the Commonwealth level is to have a look at how we continue to lift the minimum level of conformance with security requirements for all participants that connect to Commonwealth infrastructure’.47
3.27
Another matter explored at the public hearing was the cyber attack threat level for Australian healthcare providers, noting the audit had stated that:
in Australia, evidence shows: not all healthcare provider organisations achieve minimum cyber security levels; in 2018, the private health service provider sector reported the most notifiable data breaches of any industry sector; and more than 40 per cent of data breaches from the private health service provider sector notifications to the [Office of the Australian Information Commissioner] in 2018 were due to malicious or criminal attacks, almost half of which were cyber incidents.48
3.28
ADHA observed that ‘those reports have shown that there are risks to the health system from cyberattack, as there are in the rest of the economy, and those need to be managed through improved security over time, which is what we’re working with the sector on at the moment’.49 Health further emphasised that it constantly monitors this area with its service delivery partners, ADHA and Services Australia, ‘to look at how we can strengthen those parts of the health sector that government participates in’.50 Health also pointed to ‘the challenges that we’ve got … to work through with peak organisations around how they continue to lift their cybermaturity’ and ‘the need to work with states and territories … So, it’s a complex and quite distributed landscape that we need to manage’.51
3.29
The audit recommended that ADHA ‘develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers’.52 The ADHA-Health submission provided details of ADHA’s implementation plan for this audit recommendation.53 ADHA also provided implementation timeframes over 2020 for the recommendation, encompassing ‘context, engagement, regulatory design, consultation/refinement, implementation/review’.54

Timeframes for Implementation of Recommendations

3.30
The ADHA-Health submission provided details of the ADHA implementation plan for the audit recommendations, with indicative timeframes.55 ADHA confirmed that it consulted with the ANAO in the development of the implementation plan.56
3.31
Asked about the assistance to entities of such implementation plans in addressing recommendations, the Auditor-General observed that ‘we think setting up those types of frameworks is the best practice way of driving implementation’—the best chance of successfully implementing recommendations is to ‘have a plan and for it to be monitored, usually through the audit and risk committee. That will put some accountability in terms of who’s going to do things and by when’.57
3.32
There was interest at the public hearing in further exploring ADHA’s timeframes for implementing the recommendations, noting that the ADHA Implementation Plan ‘does not cover the actual changes which the Agency and others must make to implement the recommendations; this detail will be developed in 2020 through the activities described in the plan’.58 ADHA provided an update on its ‘indicative timeline’, confirming that the first two milestones had been completed (plan approval and analysis).59 Engagement was due to be conducted from March to July 2020, but ADHA ‘shifted that back slightly to take into account the availability of stakeholders’, with this instead commencing in April and now ‘likely to run through to the end of July or August’.60 ADHA advised that ‘the final completion date is October next year, which is within the two-year time frame that we’ve articulated we’ll implement each of the recommendations’.61
3.33
As to whether there had been any impact on implementation timeframes due to COVID-19, ADHA confirmed:
Yes, absolutely. That is the reason why stakeholders are less available … we’re cognisant of the capacities, particularly around emergency access—there are people working in hospitals and running health services who we need to consult with ... We want to work around their availability rather than forging ahead.62
3.34
It was also noted that ADHA’s Implementation Plan made reference to funding sensitivities, with the plan stating that:
execution of the solutions … is scheduled to commence in August 2020, however, funding is not secured for the Agency beyond June 2020 … If resourcing is not available in the 2020/21 budget, execution on the plan would largely shift to FY 2021/22, which could put all recommendations within two years at risk (particularly recommendation 4 which calls for implementation of the compliance framework).63
3.35
However, ADHA confirmed at the public hearing that it does now have ‘sufficient funding to implement these recommendations’:
at the time we developed the implementation plan, we didn’t have the funding … for the next financial year. We do now have funding, which was provided through the supply bills in March, through to the end of January … activities both in this financial year and the next financial year to implement the recommendations are funded.64

Concluding Comment

3.36
The audit concluded that implementation of the My Health Record system was largely effective.65 The Committee understands that implementation planning for and delivery of My Health Record under the opt-out model was effective in promoting achievement of its purposes, and implementation planning and execution was appropriate and supported by appropriate governance arrangements.66 Communication activities were also appropriate to inform healthcare recipients and providers; risk management for the My Health Record expansion program was partially appropriate; and monitoring and evaluation arrangements for My Health Record were largely appropriate.67
3.37
Specifically on cyber resilience, the Committee notes the audit finding that ADHA had managed risks to the core infrastructure of the My Health Record system through establishing a Digital Health Cyber Security Centre; undertaking a series of dedicated cyber security assessments; and implementing the ‘Essential Eight’ cyber security mitigation strategies and decreasing the number of ISM cyber security controls not implemented.68
3.38
The My Health Record system needs to take into account both effectively maintaining an appropriate level of privacy and cyber security, and providing ease of access to the system for healthcare professionals and others to encourage high levels of engagement.69 Under My Health Record, ADHA shares cyber security risks with many other participants, including the NIO and subcontractors; Services Australia; software vendors; healthcare provider organisations and their contracted service providers; and individual healthcare recipients. The Committee appreciates that this creates additional challenges because there needs to be coordination between various agencies to manage shared risk.
3.39
Against this background, the audit found that ADHA’s approach to managing shared cyber security risks needed to be improved, by ADHA developing an assurance framework for third party software connecting to the My Health Record system in accordance with the ISM, and implementing a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers.70
3.40
The Committee notes that ADHA has agreed to these recommendations and that it provided an update at the public hearing on implementation progress. ADHA has also published an Implementation Plan, with indicative timeframes.
3.41
The Committee appreciates that the COVID-19 pandemic has had an impact on ADHA’s implementation timeframes for the audit recommendations, particularly given that a significant part of this work involves engaging with key stakeholders across the Health community.71 However, the Committee notes that the current Implementation Plan ‘does not cover the actual changes which the Agency and others must make to implement the recommendations; this detail will be developed in 2020 through the activities described in the plan’.72 Accordingly, the Committee seeks an update on the key milestones and implementation dates for the audit recommendations, particularly recommendations 3 and 4 relating to cyber security.

Recommendation 6

3.42
The Committee recommends that the Australian Digital Health Agency (ADHA) provide an update on its ‘ANAO My Health Record Performance Audit Implementation Plan’ (20 February 2020), including:
key milestones and implementation dates for each of the recommendations in Auditor-General Report No. 13 (2019-20), Implementation of the My Health Record System, with a particular focus on recommendations 3 and 4; and
details of the specific changes that ADHA and other stakeholders need to make to implement the recommendations.
3.43
The Committee understands that, while Auditor-General Report No. 13 (2019-20) examined My Health Record cyber security risks, it was not a specific cyber audit.73 Auditor-General Report No. 1 (2019-20) noted that the ‘small number’ of government business enterprises (GBEs) and corporate Commonwealth entities assessed to date means ‘it is not possible to draw conclusions as to the relative level of cyber resilience of corporate compared to non-corporate Commonwealth entities’.74 Noting this point and the cyber related recommendations directed at ADHA in Auditor-General Report No. 13, the Committee believes there would be merit in ADHA (as a corporate Commonwealth entity) being included in a future cyber audit of GBEs and corporate Commonwealth entities.
Ms Lucy Wicks MP
Chair
3 December 2020

1 The ANAO noted that ‘two of the five audit report recommendations related specifically to cyber security’ (recommendations 3 and 4), ANAO, Submission 6, p. 3.
2 Auditor-General Report No. 13 (2019-20), Implementation of the My Health Record System, p. 14.
3 Auditor-General Report No. 13 (2019-20), p. 16.
4 Auditor-General Report No. 13 (2019-20), p. 42.
5 Auditor-General Report No. 13 (2019-20), p. 21.
6 Auditor-General Report No. 13 (2019-20), p. 21.
7 Auditor-General Report No. 13 (2019-20), p. 21. The audit did not examine the decisions to create the My Health Record system or adopt the opt-out model, or consider the framework for secondary use of data, and no individual My Health Records were examined, p. 7. Further, the ANAO ‘did not test the technical effectiveness of cyber security controls as part of this audit’, p. 41.
8 Auditor-General Report No. 13 (2019-20), p. 7.
9 Auditor-General Report No. 13 (2019-20), p. 7.
10 Auditor-General Report No. 13 (2019-20), pp. 7-8.
11 Auditor-General Report No. 13 (2019-20), p. 9.
12 Auditor-General Report No. 13 (2019-20), p. 9, p. 10.
13 Auditor-General Report No. 13 (2019-20), p. 10.
14 The PSPF requires non-corporate Commonwealth entities to implement four mitigation strategies (known as the Top Four) of eight essential mitigation strategies (known as the Essential Eight), as referenced in the ISM.
15 Auditor-General Report No. 13 (2019-20), p. 42.
16 Auditor-General Report No. 13 (2019-20), p. 43.
17 Auditor-General Report No. 13 (2019-20), p. 44.
18 Auditor-General Report No. 13 (2019-20), p. 45.
19 Auditor-General Report No. 13 (2019-20), p. 9.
20 Auditor-General Report No. 13 (2019-20), p. 41.
21 Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 9.
22 Mr Ronan O’Connor, National Health Chief Information Officer, ADHA, Committee Hansard, 19 May 2020, p. 9.
23 Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 9.
24 Auditor-General Report No. 13 (2019-20), p. 46. (Instead, software vendors must complete a Conformance Vendor Declaration Form and a ‘deed poll’ that warrants their conformance testing against requirements set by ADHA, and mobile application vendors must sign a Portal Operator Registration Agreement that details their responsibilities and obligations, p. 46.)
25 Auditor-General Report No. 13 (2019-20), p. 46.
26 Auditor-General Report No. 13 (2019-20), p. 46.
27 Auditor-General Report No. 13 (2019-20), p. 10.
28 Auditor-General Report No. 13 (2019-20), p. 47.
29 Health-ADHA, Submission 1, p. 3. See also ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, and Appendix A, ‘Implementation scope for ANAO recommendations’, ADHA website, <www.adha.gov.au/anao-performance-audit-implementation-plan-publication> [accessed August 2020].
30 Appendix A, ‘Implementation scope for ANAO recommendations’, pp. 9-10.
31 Auditor-General Report No. 13 (2019-20), p. 32.
32 Auditor-General Report No. 13 (2019-20), p. 12.
33 Auditor-General Report No. 13 (2019-20), p. 31.
34 Auditor-General Report No. 13 (2019-20), p. 32.
35 Auditor-General Report No. 13 (2019-20), p. 35.
36 Auditor-General Report No. 13 (2019-20), p. 47.
37 Auditor-General Report No. 13 (2019-20), p. 47.
38 Auditor-General Report No. 13 (2019-20), p. 47.
39 Auditor-General Report No. 13 (2019-20), p. 48.
40 Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 10.
41 Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 8.
42 Mr Ronan O’Connor, National Health Chief Information Officer, ADHA, Committee Hansard, 19 May 2020, p. 6.
43 Mr Ronan O’Connor, National Health Chief Information Officer, ADHA, Committee Hansard, 19 May 2020, p. 6.
44 Mr Ronan O’Connor, National Health Chief Information Officer, ADHA, Committee Hansard, 19 May 2020, p. 6.
45 Mr Ronan O’Connor, National Health Chief Information Officer, ADHA, Committee Hansard, 19 May 2020, p. 7.
46 Mr Daniel McCabe, First Assistant Secretary, Provider Benefits Integrity Division, Health, Committee Hansard, 19 May 2020, p. 6.
47 Mr Daniel McCabe, First Assistant Secretary, Provider Benefits Integrity Division, Health, Committee Hansard, 19 May 2020, p. 7.
48 Auditor-General Report No. 13 (2019-20), p. 41.
49 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, p. 5.
50 Mr Daniel McCabe, First Assistant Secretary, Provider Benefits Integrity Division, Health, Committee Hansard, 19 May 2020, p. 5.
51 Mr Daniel McCabe, First Assistant Secretary, Provider Benefits Integrity Division, Health, Committee Hansard, 19 May 2020, p. 5.
52 Auditor-General Report No. 13 (2019-20), p. 10.
53 Health-ADHA, Submission 1, p. 3. See also ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, and Appendix A, ‘Implementation scope for ANAO recommendations’.
54 Appendix A, ‘Implementation scope for ANAO recommendations’, p. 12.
55 Health-ADHA, Submission 1, p. 2. See ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, and Appendix A, ‘Implementation scope for ANAO recommendations’. ADHA noted that the plan was approved by the ADHA Board and incorporates ANAO quality indicators for implementation of audit recommendations, Health-ADHA, Submission 1, p. 3.
56 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, p. 2. The ANAO is also an observer on ADHA’s audit and risk committee, which ‘plays an oversight role to provide assurance that we’re implementing the plan’, Ms McMahon, p. 2.
57 Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 2.
58 ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, p. 5.
59 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, p. 1.
60 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, p. 1. ADHA indicated that this engagement would ‘consider other aspects of the health system that also control privacy and security risks’, such as professional indemnity insurance, Health-ADHA, Submission 1, p. 2. (See, for example, MIGA, Submission 5, p. 3.)
61 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, pp. 2-3.
62 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, p. 3.
63 ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, p. 16.
64 Ms Bettina McMahon, Acting Chief Executive Officer, ADHA, Committee Hansard, 19 May 2020, p. 2.
65 Auditor-General Report No. 13 (2019-20), p. 7.
66 Auditor-General Report No. 13 (2019-20), p. 7.
67 Auditor-General Report No. 13 (2019-20), pp. 7-8.
68 Auditor-General Report No. 13 (2019-20), p. 9.
69 Auditor-General Report No. 13 (2019-20), p. 21.
70 Auditor-General Report No. 13 (2019-20), p. 10.
71 Health-ADHA, Submission 1, p. 3. See also ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, and Appendix A, ‘Implementation scope for ANAO recommendations’.
72 ‘ANAO My Health Record Performance Audit Implementation Plan’, 20 February 2020, p. 5.
73 Auditor-General Report No. 13 (2019-20), p. 41. The Auditor-General advised ‘we reported that, effectively, they had provided assurance that they met the mandatory four and the top eight. We didn’t do an independent assessment of those things in that audit like we do in the cyberaudits’, Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 9.
74 Auditor-General Report No. 1 (2019-20), Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities, p. 43.
