Controversial digital health scheme My Health Record has been given a relatively clean bill of health by the Australian National Audit Office (ANAO).

This week, the ANAO released its findings into the implementation of the My Health Record system.

For the most part, the ANAO concluded that the system was built in a “largely effective” manner with appropriate planning, execution, and communication throughout the implementation.

The national auditor said My Health Record’s cybersecurity posture – a major cause for concern during its rollout – was good, but expressed disappointment with how shared cyber risk is currently handled.

“Risks relating to privacy and the IT system core infrastructure were largely well managed, and were informed by several privacy risk assessments and the implementation of key cyber security measures,” the ANAO report said.

“Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third party software vendors and healthcare provider organisations.”

Recommendations

The Australian Digital Health Agency (ADHA), which has been responsible for the My Health Record rollout, agreed to a number of recommendations made by the ANAO to improve its information security.

These recommendations include:

  • Conducting a privacy risk assessment
  • Reviewing procedures for emergency data access and notifications to the Information Commissioner
  • Developing an assurance framework for third party software that connects to My Health Record
  • Regularly reporting on compliance with legislated security requirements

CEO of the Digital Health Agency, Tim Kelsey, said he expects the My Health Record rollout to provide an example for future government digital initiatives.

“We hope that our experience implementing this major program will contribute to the capability of the public service to deliver major technological and change programs into the future,” he said.

Between 2012 and 2016, the government invested $1.15 billion into building My Health Record and related digital health infrastructure.

In 2017-18, another $374.2 million was spent on further operational costs while expanding the system to an opt-out model.

After a number of extensions, the period to opt-out of My Health Record ended early this year leaving nine out of ten Australians with a digital record of their health data.

Complaints about the system rose significantly last year and ADHA reported 38 data breaches between July 2018 and January this year – although the agency said most of those breaches were neither malicious nor compromised the system.

More scrutiny

However, some groups are still concerned with the government’s standards for information security and say My Health Record deserves even greater scrutiny.

Dr Trent Yarwood, a medical specialist and health spokesperson for Future Wise, said the ADHA’s apparent lack of risk mitigation strategies for high risk personal data is disturbing.

“Improper access by an authorised user like a healthcare worker snooping on record of their friend, or ex-partner, or even a celebrity is a much more likely to occur than an external hack,” Dr Yarwood said.

“So when ADHA say the system has never been hacked, it does not mean people’s private information hasn’t been breached, because clearly it is happening.”

Chair of Electronic Frontiers Australia, Lyndsey Jackson, said the government’s approach to data protection is simply not good enough.

“We call on the government to move beyond lazy, simplistic, and divisive rhetoric about cyber security and to engage seriously with the work required,” Jackson said.

“These are complex issues that require serious people willing to engage with the complexity, and to do the hard work required to keep our data private and secure.

“Australians deserve nothing less.”