My Health Record expansion "largely effective": ANAO


By Dylan Bushell-Embling
Thursday, 28 November, 2019



My Health Record expansion "largely effective": ANAO

The Australian National Audit Office (ANAO) has given the government a qualified nod for the expanded implementation of the My Health Record system, despite identifying several security risk management shortcomings.

A recently released performance audit into the implementation of the system by the Australian Digital Health Agency (ADHA) and Department of Health has found that the expanded implementation incorporating the opt-out system was “largely effective”.

Implementation planning for and delivery of My Health Record under the opt-out model was likewise found to be appropriate and effective in achieving its objectives, the audit found.

But risk management for the expansion program was found to be only “partially appropriate”. While privacy and IT system core infrastructure related risks were largely well managed, management of shared cybersecurity risks was not appropriate and still needs improvement.

ADHA has also still not undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model.

The last privacy-specific risk assessment was completed in 2017, despite ADHA funding the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019.

The audit also found that ADHA “did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy” and needs to improve its management of shared cybersecurity risks and its oversight processes.

“Cybersecurity risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened,” the audit adds.

“The ADHA Board received dedicated cybersecurity briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cybersecurity strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cybersecurity was not clear.”

Image credit: ©stock.adobe.com/au/Africa Studio

Related Articles

Interview: Sharon Don, Oracle

In our annual Leaders in Technology series, we ask the experts what the year ahead holds. Today...

NSW holds AI Thought Leaders Summit

At the AI Thought Leaders Summit last week, attendees gave feedback into the design of the NSW...

Putting people first — government’s human-centric IT vision

Human-centred design is changing the way government interacts with the public, leading to better...


  • All content Copyright © 2019 Westwick-Farrow Pty Ltd