My Health Record expansion "largely effective": ANAO

By Dylan Bushell-Embling
Thursday, 28 November, 2019

My Health Record expansion "largely effective": ANAO

The Australian National Audit Office (ANAO) has given the government a qualified nod for the expanded implementation of the My Health Record system, despite identifying several security risk management shortcomings.

A recently released performance audit into the implementation of the system by the Australian Digital Health Agency (ADHA) and Department of Health has found that the expanded implementation incorporating the opt-out system was “largely effective”.

Implementation planning for and delivery of My Health Record under the opt-out model was likewise found to be appropriate and effective in achieving its objectives, the audit found.

But risk management for the expansion program was found to be only “partially appropriate”. While privacy and IT system core infrastructure related risks were largely well managed, management of shared cybersecurity risks was not appropriate and still needs improvement.

ADHA has also still not undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model.

The last privacy-specific risk assessment was completed in 2017, despite ADHA funding the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019.

The audit also found that ADHA “did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy” and needs to improve its management of shared cybersecurity risks and its oversight processes.

“Cybersecurity risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened,” the audit adds.

“The ADHA Board received dedicated cybersecurity briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cybersecurity strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cybersecurity was not clear.”

Image credit: © Studio

Related Articles

How deliberate design can help close the digital divide

How do governments continue to build from the unexpected acceleration in digital transformation...

National Cabinet agree on data sharing

Australian federal, state and territory leaders have agreed to create an intergovernmental...

iProov to provide face recognition system for myGovID

The ATO has selected iProov to provide a secure biometric face verification solution for the...

  • All content Copyright © 2021 Westwick-Farrow Pty Ltd