My Health Record expansion "largely effective": ANAO


By Dylan Bushell-Embling
Thursday, 28 November, 2019



My Health Record expansion "largely effective": ANAO

The Australian National Audit Office (ANAO) has given the government a qualified nod for the expanded implementation of the My Health Record system, despite identifying several security risk management shortcomings.

A recently released performance audit into the implementation of the system by the Australian Digital Health Agency (ADHA) and Department of Health has found that the expanded implementation incorporating the opt-out system was “largely effective”.

Implementation planning for and delivery of My Health Record under the opt-out model was likewise found to be appropriate and effective in achieving its objectives, the audit found.

But risk management for the expansion program was found to be only “partially appropriate”. While privacy and IT system core infrastructure related risks were largely well managed, management of shared cybersecurity risks was not appropriate and still needs improvement.

ADHA has also still not undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model.

The last privacy-specific risk assessment was completed in 2017, despite ADHA funding the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019.

The audit also found that ADHA “did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy” and needs to improve its management of shared cybersecurity risks and its oversight processes.

“Cybersecurity risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened,” the audit adds.

“The ADHA Board received dedicated cybersecurity briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cybersecurity strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cybersecurity was not clear.”

Image credit: ©stock.adobe.com/au/Africa Studio

Related Articles

COVID-19's impact on tech optimisation and modernisation

Governments will struggle to complete tech optimisation or modernising plans if they're not...

AusPost helps digitise agency mailrooms amid COVID-19

Australia Post's Decipha developed a mailroom digitisation solution that can be deployed in...

VCAT gets digital upgrade to cope with COVID-19

The Victorian Government is spending $5.2m for an upgrade aimed at allowing the Victorian Civil...


  • All content Copyright © 2020 Westwick-Farrow Pty Ltd