iTnews

My Health Record exposed to shared cyber security risks

By Justin Hendry on Nov 26, 2019 12:10AM
Otherwise positive audit concerned by lacklustre third-party controls.

Australia’s national auditor has given the country's My Health Record system a mostly clean bill of health, despite persistent issues with the management of shared cyber security risks.

In an audit [pdf] into the implementation of the electronic health record released on Monday, the Australian National Audit Office (ANAO) said the planning and delivery of the system had been “largely effective”.

This includes preparations for the switch to an opt-out model, which took place this year after an extended opt-out period in which more than 2.5 million Australians elected not to have a record.

“The My Health Record expansion to an opt-out model was implemented in accordance with an approved business case and implementation plan,” the audit states.

ANAO said cyber security and privacy risks to the system's core infrastructure were “largely well managed”, with the Australian Signals Directorate’s Essential Eight cyber mitigation strategies in place.

Core infrastructure refers to the software, equipment and interfaces operated by Accenture, which has held the national infrastructure operator (NIO) contract since 2011.

However, while the core infrastructure satisfies the government's baseline cyber security requirements, 15 of the 413 applicable Information Security Manual (ISM) security controls have yet to be implemented.

This is despite the government spending in excess of $1.5 billion on the My Health Record scheme since 2011, when it was known as the personally controlled electronic health record (PCEHR).

“ADHA cyber security risk management arrangements with the NIO for core infrastructure are based on clearly defined roles and responsibilities documented in the NIO contract,” the audit states.

“While the contract required the NIO to comply with the PSPF and the ISM, this did not initially result in core infrastructure that implemented all applicable ISM cyber security controls.

“Additional funding was provided to the NIO to implement security improvements and increase the number of ISM cyber security controls for the core infrastructure.”

The audit highlighted that  since at least 2017, according to the most recent IRAP security assessment.

ADHA risk management was also found to be informed by several privacy risk assessments undertaken over the past eight years, though none have been completed since the switch to opt-out.

This is despite the ADHA paying the Office of the Australian Information Commissioner $3.6 million to complete at least four privacy assessments between October 2017 and June 2019.

The not so good

While the management of core infrastructure cyber security risks was “largely appropriate”, the same can’t be said for the management of shared cyber security risks, particularly those relating to third-party software vendors.

“Management of shared cyber security risks was not appropriate and should be improved with respect to risks that are shared with third-party software vendors and healthcare provider organisations,” the audit states.

The audit reveals ADHA previously rejected a 2016 end-to-end security review recommendation that contracted service providers, such as the software vendors of clinical systems, be accredited, on the basis that this would create “additional burden to vendors and [the] potential for reputation damage”.

The most recent IRAP security assessment, in 2017, also recommended that “ISM compliance should be considered a minimum acceptable standard for the My Health Record system”.

“The decision to not assess, certify or accredit the ISM compliance of third party software and systems — as required by the PSPF [Protective Security Policy Framework] — limited ADHA’s assurance over the cyber security risks of the My Health Record system,” the audit states.

“An ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cyber security risks from third party software, but any assurance process must be balanced against disincentives to register and use the system.”

The ANAO also found ADHA assessments of shared cyber security risks largely focused on “consequences to the ADHA itself and the in-house technical ICT controls and treatments protecting core infrastructure”.

The ANAO has recommended an “assurance framework for third-party software connecting to the My Health Record system” be developed, though ADHA had suggested such a framework is already in place.

“An assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance,” the agency said.

“The Agency will review the standards that apply to these systems, and alignment with the Information Security Manual. We will work with industry to update the assurance framework as required.”

ADHA has also been asked to “develop a strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations”.

The audit also recommended that cyber security risk oversight by the ADHA board be strengthened, noting that only four dedicated cyber security briefings took place between July 2016 and February 2019.

Copyright © iTnews.com.au . All rights reserved.