Third party minimum cyber compliance for My Health Record skipped: Audit Office

Instead of testing against the Australian government's Information Security Manual, vendors sign a form saying they are compliant.

Less than 2 percent of My Health Record trial users opted out

The Australian National Audit Office (ANAO) has pointed out a number of security issues concerning the Australian Digital Health Agency's (ADHA) My Health Record implementation, among a report that widely gave ADHA the tick as "largely effective".

In its report released on Monday, ANAO pointed out that in a 2016 end-to-end security review, ADHA decided against accrediting those that provide services to healthcare providers.

"ADHA rejected this recommendation on the basis that it 'presents several challenges' including the additional burden to vendors and potential for reputational damage," ANAO said.

A year later, an assessment by the Information Security Registered Assessors Programme (IRAP) said compliance with the Australian government's Information Security Manual (ISM) should be the minimum acceptable standard for using My Health Record. This assessment applied to software used by healthcare providers, including mobile apps.

However, ADHA did not do this, despite it being required by the Australian Government Protective Security Policy Framework, and instead allowed vendors to sign a declaration form.

"The decision to not assess, certify or accredit the ISM compliance of third party software and systems ... limited ADHA's assurance over the cybersecurity risks of the My Health Record system," ANAO wrote.

"An ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cybersecurity risks from third-party software, but any assurance process must be balanced against disincentives to register and use the system."

The report also noted that when ADHA conducted a cyber assessment, it focused only on itself, and not on the My Health Record ecosystem.

"[ADHA] did not appear to focus on potential consequences to vendors, healthcare providers and healthcare recipients. Shared risk assessments considered all key stakeholder groups -- the [National Infrastructure Operator], Services Australia, software and mobile application vendors, healthcare providers and healthcare recipients -- however primarily focused on consequences to the ADHA itself and the in-house technical ICT controls and treatments protecting core infrastructure," the audit office said.

ANAO said the ADHA needs to improve its mechanism for tracking IRAP recommendations, after finding a 2017 assessment found 11 of 31 recommendations from a 2015 assessment were not implemented, and a 2018 assessment referred to some of the 2017 assessment but did not state progress against its recommendations.

"From June 2019, the [National Infrastructure Operator] prepared a My Health Record security risk register that documented 74 risks in a comprehensive risk framework, but did not document any proposed risk treatments, controls, or assessment of the effectiveness of controls -- including for the 15 'high' and five 'very high' risks," the report said.

Despite this, My Health Record was certified and accredited by the Department of Health in 2013 and 2016, and by ADHA in 2018.

The report noted that despite ADHA paying for four assessments by the Office of the Australian Information Commissioner (OAIC), no assessments have been completed, but the OAIC said it would be completed this fiscal year. On June 26, ADHA kicked in AU$2.1 million for at least two more assessments by OAIC.

Similar to numbers disclosed in September last year, that of 971,252 records created during the My Health Record trial period, only 214 had access controls set, the report said as of June 30, a record access code had been set 27,215 times, or to 0.1% of records, and a document access code had been set only 3,862 times.

With users able to limit visibility of their record, a function exists within My Health Record to allow health personnel to access the complete record in times of an emergency. This function is used in 0.1% of record accesses, or 205 instances in March 2019, ANAO said. However, it also found only 8.2% of those emergency accesses were on records with access control.

"ADHA sought written responses from healthcare provider organisations in relation to each instance of emergency access, and maintained detailed records and analysis of provider responses. In a number of instances, ADHA did not receive a response from specific healthcare provider organisations," the report said.

"In these cases ADHA could not satisfy itself that the circumstances of the emergency access did not constitute an interference with privacy. In other instances, some of the responses indicated a potential contravention of the Act. To date, ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations."

In terms of the when records are deleted from My Health Record, ANAO said permanent deletion occurs via an automated two-step process. Firstly, the record is cancelled to prevent documents being stored against it, and then within 48 hours, a record is deleted from various data stores.

But deleted records stored on backups are not as timely.

"The information is also removed from system back-ups, but this may not occur immediately: ADHA stated that 'deleted records are removed from the backup when a new backup is created during regular backup cycle'," ANAO said.

Despite not doing a test of the system, nor a technical review of it, ANAO gave the deletion process the tick.

"The ANAO assessed that the documents reflected a design that was consistent with the legal requirement to permanently delete clinical data and documents," it said.

Indeed, despite the cyber issues encountered, ANAO gave the system a tick overall.

"Implementation of My Health Record has been largely effective," the report said.

"Risks relating to privacy and the IT core infrastructure were largely well managed, but management of shared cyber security risks was not appropriate and should be improved."

ANAO made four recommendations to ADHA, on which it agreed to all. The first being to conduct an end-to-end privacy assessment of My Health Record; that ADHA, the Department of Health, and OAIC review the emergency access function and notify OAIC of potential and actual privacy breaches; ADHA to create an assurance framework for third party software; and for ADHA to develop and implement a program evaluation plan for My Health Record.

For its part, ADHA latched onto the soft touch by ANAO.

"The ANAO's conclusion that the implementation of the My Health Record was largely effective and that planning, governance, and communication was appropriate will provide the community with an important perspective on the competence of the public sector to implement a system of this scale and nature," the agency said.

In September, ADHA said nearly all public providers of pathology and diagnostic imaging use the electronic health record, with over 850,000 diagnostic reports each week having been uploaded to My Health Record.

"There has been significant progress in connecting pathology and diagnostic imaging providers to the My Health Record," ADHA said at the time.

"Nearly all public providers are already uploading and the number of private providers registering, and uploading is accelerating."

Private health providers have consistently been at the top of the Notifiable Data Breaches quarterly report from the OAIC.

Earlier this month, ADHA said in its annual report there were 38 matters reported to OAIC during the year concerning potential unauthorised access, security, or integrity breaches.

37 of these matters were counted as breaches, and the ADHA said most were the result of administrative errors such as "intertwined" Medicare records or processing errors when creating records for infants.

Three involved the unauthorised access to an individual's My Health Record.

As of 30 June 2019, there were 22.55 million active records in the My Health Record system. A total of 1.74 million people accessed their record via the national consumer portal and a total of 493 million documents were uploaded to the My Health Record system.

Speaking during Senate Estimates last month, ADHA representatives said there had been 23,528 records cancelled since 22 February 2019; at the same time, 22,129 people have opted back in.

Related Coverage

ADHA to overhaul underlying infrastructure of Australia's health services

The government agency has its eyes on a future that includes AI, blockchain, and IoT.

The ADHA is simplifying its clinical terminology database with AWS

The National Clinical Terminology Service has been re-engineered to reduce complexities and costs.

Could blockchain be the answer for Australia's digital health record?

With privacy and security concerns still plaguing My Health Record, Gartner fellow and VP David Furlonger ponders a future where blockchain could actually help.

My Health Record 'breaches' mostly fixing mismatched Medicare records

The breaches were mostly the result of data integrity activity initiated by Services Australia to identify intertwined Medicare records, rather than unauthorised access for nefarious activity.

Over 30,000 Australians cancelled their My Health Record in under two months

30,402 individual records were cancelled in just over seven weeks.