My Health Record expansion "largely effective": ANAO
The Australian National Audit Office (ANAO) has given the government a qualified nod for the expanded implementation of the My Health Record system, despite identifying several security risk management shortcomings.
A recently released performance audit into the implementation of the system by the Australian Digital Health Agency (ADHA) and Department of Health has found that the expanded implementation incorporating the opt-out system was “largely effective”.
Implementation planning for and delivery of My Health Record under the opt-out model were likewise appropriate and effective in achieving its objectives, the audit found.
But risk management for the expansion program was found to be only “partially appropriate”. While privacy and IT system core infrastructure related risks were largely well managed, management of shared cybersecurity risks was not appropriate and still needs improvement.
ADHA has also still not undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model.
The last privacy-specific risk assessment was completed in 2017, despite ADHA funding the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019.
The audit also found that ADHA “did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy” and needs to improve its management of shared cybersecurity risks and its oversight processes.
“Cybersecurity risk oversight by the ADHA Board and its Privacy and Security Advisory Committee could also be strengthened,” the audit adds.
“The ADHA Board received dedicated cybersecurity briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cybersecurity strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cybersecurity was not clear.”