The agency overseeing My Health Record paid $3.6 million for a series of privacy assessments that were never completed, and failed to appropriately manage the shared cybersecurity risks of the controversial system, an audit has found.
The Australian National Audit Office tabled its report on the implementation of My Health Record on Monday morning.
It found that the implementation of the online electronic summary of an individual’s health information was “largely effective”, and gave a tick to the Australian Digital Health Agency’s (ADHA) planning and execution, governance arrangements and public communication efforts.
But it also found a number of significant issues with the implementation of the highly contentious system, including poor management of the risks associated with third parties connecting to MHR, a failure to conduct any privacy assessments of the system after it was made opt-out, and a lack of cybersecurity risk oversight.
The federal government invested $1.15 billion into the development of what is now My Health Record between 2012 and 2016, and injected a further $374.2 million to transform it from an ‘opt-in’ to an ‘opt-out’ model.
Following the completion of a tumultuous opt-out period, nine out of 10 Australians now have a record.
The audit found that no privacy assessments had been conducted on the MHR system since it was controversially changed to be an opt-out system.
The ADHA had paid the Office of the Australian Information Commissioner (OAIC) $3.6 million in 2017 as part of a Memorandum of Understanding where it agreed to complete a minimum of four privacy assessments by June this year. But none of these assessments were actually completed, the audit found.
The two organisations signed the Memorandum of Understanding in mid-2017, which included a number of other responsibilities for the OAIC, including responding to complaints, receiving data breach notifications and a range of enforcement powers.
The ANAO found that despite none of the necessary privacy assessments being completed under the previous agreement, the ADHA provided the OAIC with a further $2.1 million as part of a deal to conduct a minimum of two privacy assessments.
The audit recommended that an end-to-end privacy risk assessment of the operation of MHR under the opt-out model be completed, which the ADHA has agreed to.
The audit was also critical of how the responsible agency handled the risks associated with third parties, such as software vendors, healthcare providers and mobile apps, connecting to the MHR system.
“Management of shared cybersecurity risks was not appropriate and should be improved with respect to those risks that are shared with third-party software vendors and healthcare provider organisations,” the ANAO said.
It found that a review in 2016 had recommended that contracted service providers of healthcare provider organisations be accredited, but this was rejected by the ADHA.
While compliance with the government’s Information Security Manual (ISM) should be the bare minimum, the ANAO found that the ADHA did not “assess, certify or accredit the ISM compliance of third-party software and systems connected to the MHR system”.
Instead, software vendors just have to complete a Conformance Vendor Declaration Form and a “deed poll” warranting their conformance testing against requirements set by the ADHA.
“The decision to not assess, certify or accredit the ISM compliance of third-party software and systems limited ADHA’s assurance over the cybersecurity risks of the MHR system,” the audit report stated.
“An ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cybersecurity risks from third-party software, but any assurance process must be balanced against disincentives to register and use the system.”
The ADHA has now agreed to develop an assurance framework for third-party software vendors connecting to MHR, and to develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations.
The report also found that cybersecurity risk assessment by the ADHA board and committee could be strengthened, with the board having received only four dedicated cybersecurity briefings in the last three years, and it has yet to consider the new cybersecurity strategy plan, which was finalised late last year.