Posted on June 21, 2021 at 5:37 PM
In a bid to address the concerns raised by the Australian National Audit Authority(ANAO), the Australian Digital Health Agency (ADHA) says it has already set up a risk management plan.
The agency also said it has reminded users how they should utilize the emergency access function.
The MyHealth Record system administrator has been frequently criticized and asked to beef up the security of its online medical files.
Highly effective security framework
The commission looked into the records from ANAO and listed some security issues about the implementation of My Health Record by ADHA. As a result of this action, ADHA was highly regarded as “highly effective.”
A performance audit implementation was developed in February last year to take care of the issue. Even after the Emergency Access Plan has been submitted, ADHA says it will continue to check emergency access to make sure that any abuse is recognized quickly.
One of the recommendations made by ANAO was for ADHA to carry out a direct privacy risk management of My Health Record operations through an opt-out model.
This will also include mitigation controls and shared risk. Another recommendation was for government agencies to include the results of the assessment into the framework for risk management in My Health Record.
The agency also stated that it will be working with both private and public sector healthcare providers to incorporate the results into the risk management plan, which will be completed in November.
ANAO also recommended that ADHA should consult the Information Commissioner to review the adequacy of the procedures and approach for checking the use of the emergency access function within the online medical file.
ADHA delivered the emergency access compliance framework and the compliance structure in February. But the agency has reiterated that it will continue monitoring emergency access and liaise with system participants. According to the commission, the idea is to ensure a higher understanding of the legislative provision as well as the necessary reporting plans. In this way, any unauthorized use will be recognized and reported to the information commissioner.
Assurance framework for third-party software
ANAO also asked ADHA to set up an assurance framework especially for third-party software that connects to the My Health Record system. The audit unit pointed out that many infiltrations on systems have come from third-party software. As a result, there should be more attention placed on the software that connects to the systems.
These include mobile applications and clinical software in line with the Information Security Manual of the federal government.
In response to the recommendation, ADHA stated that an assurance framework that connects to My Health Record System and Healthcare Identifiers Service is already in place.
The agency says it will be reviewing the standards used on these systems and make sure it is in line with the Information Security Manual. It also reiterated that it has been working with the industry to make sure the assurance framework is updated properly.
The commission will monitor compliance strategy
The agency also says it will be developing, implementing, and regularly reporting on a strategy that will effectively monitor compliance. It will also make sure that registered healthcare providers meet the security requirements for My Health Record.
Although ADHA is not directly registered by ANAO, the commission stated that it will make sure there is proper identification and management of privacy risks between My Health Record shareholders and the agency.
It also hopes to distribute guidance materials as well as other resources that will come in handy.
ADHA has also requested that software developers carry out a conformance process in line with the new Security Requirements as requested by ADHA.
According to ADHA, the government also has a major role to play in the security framework. It stated that government agencies will make sure that the applicable standards are in line with the information security manuals. ADHA added that it will continue working with the industry to make sure the warranty framework is always updated.