My Health Record expansion "largely effective": ANAO


By Dylan Bushell-Embling
Thursday, 28 November, 2019

My Health Record expansion "largely effective": ANAO

The Australian National Audit Office (ANAO) has given the government a qualified nod for the expanded implementation of the My Health Record system, despite identifying several security risk management shortcomings.

A recently released performance audit into the implementation of the system by the Australian Digital Health Agency (ADHA) and Department of Health has found that the expanded implementation incorporating the opt-out system was “largely effective”.

Implementation planning for and delivery of My Health Record under the opt-out model was likewise found to be appropriate and effective in achieving its objectives, the audit found.

But risk management for the expansion program was found to be only “partially appropriate”. While privacy and IT system core infrastructure related risks were largely well managed, management of shared cybersecurity risks was not appropriate and still needs improvement.

ADHA has also still not undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model.

The last privacy-specific risk assessment was completed in 2017, despite ADHA funding the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019.

The audit also found that ADHA “did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy” and needs to improve its management of shared cybersecurity risks and its oversight processes.

“Cybersecurity risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened,” the audit adds.

“The ADHA Board received dedicated cybersecurity briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cybersecurity strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cybersecurity was not clear.”

Image credit: ©stock.adobe.com/au/Africa Studio

Related Articles

Automated decision-making systems: ensuring transparency

Ensuring transparency is essential in government decision-making when using AI and automated...

Interview: Ryan van Leent, SAP Global Public Services

In our annual Leaders in Technology series, we ask the experts what the year ahead holds. Today...

AI in health care: the burning question that will only be answered with time

We are at an exciting juncture in our global healthcare journey, and AI’s arrival and...

Content from other channels on our network

ISACA identifies gaps in AI knowledge, training and policies

Emergency onboarding: what to do before and after a data breach

VNC accounts for nearly all remote desktop attacks

Savvy directors are demanding more points of proof when cyber incidents occur

Vectra AI expands platform to combat GenAI threats

Retailers caught selling unapproved electrical appliances

Ampcontrol and Siemens partner on renewable energy solutions

SA announces smart residential energy trial

Western Power welcomes new apprentices

Avoiding another Black Summer

The critical drive for technological innovation in emergency services

Command & Control Communications at the Heart of Utilities Worldwide

ARCIA's Sydney conference and networking dinner returns

Designing cellular antennas into small IoT products

Govt funds telco resilience tech, responds to LEOSat report

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd