iTnews

My Health Record exposed to shared cyber security risks

By Justin Hendry on Nov 26, 2019 12:10AM

Otherwise positive audit concerned by lacklustre third-party controls.

Australia’s national auditor has given the country's My Health Record system a mostly clean bill of health, despite persistent issues with the management of shared cyber security risks.

In an audit [pdf] into the implementation of the electronic health record released on Monday, the Australian National Audit Office (ANAO) said the planning and delivery of the system had been “largely effective”.

This includes preparations for the switch to an opt-out model, which took place this year after an extended opt-out period in which more than 2.5 million Australians elected not to have a record.

“The My Health Record expansion to an opt-out model was implemented in accordance with an approved business case and implementation plan,” the audit states.

ANAO said cyber security and privacy risks to the system's core infrastructure were “largely well managed”, with the Australian Signals Directorate’s Essential Eight cyber mitigation strategies in place.

Core infrastructure refers to the software, equipment and interfaces operated by Accenture, which has held the national infrastructure operator (NIO) contract since 2011.

However, while satisfying the government's baseline cyber security requirements, 15 of the 413 applicable Information Security Manual (ISM) security controls have yet to be implemented.

This is despite the government spending in excess of $1.5 billion on the My Health Record scheme since 2011, when it was known as the personally controlled electronic health record (PCEHR).

“ADHA cyber security risk management arrangements with the NIO for core infrastructure are based on clearly defined roles and responsibilities documented in the NIO contract,” the audit states.

“While the contract required the NIO to comply with the PSPF and the ISM, this did not initially result in core infrastructure that implemented all applicable ISM cyber security controls.

“Additional funding was provided to the NIO to implement security improvements and increase the number of ISM cyber security controls for the core infrastructure.”

The audit highlighted that  since at least 2017, according to the most recent IRAP security assessment.

Australian Digital Health Agency (ADHA) risk management was also found to be informed by several privacy risk assessments undertaken over the past eight years, though none have been completed since the switch to opt-out.

This is despite the ADHA paying the Office of the Australian Information Commissioner $3.6 million to complete at least four privacy assessments between October 2017 and June 2019.

The not so good

While the management of core infrastructure cyber security risks was “largely appropriate”, the same can’t be said for the management of shared cyber security risks, particularly those relating to third-party software vendors.

“Management of shared cyber security risks was not appropriate and should be improved with respect to risks that are shared with third-party software vendors and healthcare provider organisations,” the audit states.

The audit reveals ADHA previously rejected a 2016 end-to-end security review recommendation that contracted service providers, such as the software vendors of clinical systems, be accredited, on the basis that this would create “additional burden to vendors and [the] potential for reputation damage”.

The most recent Information Security Registered Assessors Program (IRAP) security assessment, in 2017, also recommended that “ISM compliance should be considered a minimum acceptable standard for the My Health Record system”.

“The decision to not assess, certify or accredit the ISM compliance of third party software and systems — as required by the PSPF [Protective Security Policy Framework] — limited ADHA’s assurance over the cyber security risks of the My Health Record system,” the audit states.

“An ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cyber security risks from third party software, but any assurance process must be balanced against disincentives to register and use the system.”

The ANAO also found that ADHA assessments of shared cyber security risks largely focused on “consequences to the ADHA itself and the in-house technical ICT controls and treatments protecting core infrastructure”.

The ANAO has recommended an “assurance framework for third-party software connecting to the My Health Record system” be developed, though ADHA had suggested such a framework is already in place.

“An assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance,” the agency said.

“The Agency will review the standards that apply to these systems, and alignment with the Information Security Manual. We will work with industry to update the assurance framework as required.”

ADHA has also been asked to “develop a strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations”.

The audit also recommended that cyber security risk oversight by the ADHA board be strengthened, noting that only four dedicated cyber security briefings took place between July 2016 and February 2019.
