The government agency in charge of My Health Record, the $1.5bn system, left data unprotected and vulnerable, the Australian National Audit Office reported.
An Australian National Audit Office review identified cybersecurity and privacy risks: the agency running the $1.5bn My Health Record system did not adequately protect the data of millions of Australians.
The review found that the implementation was “largely effective”. It also showed that the agency was unable to guarantee that every “emergency access” request made to view an individual’s record was legitimate.
Moreover, the Australian National Audit Office’s review indicated that privacy and cybersecurity risks were either taken lightly or not noticed by the agency at all.
The database relies on doctors and medical practices to upload patients’ medical information, and centralising that information demands vigilant handling. In 2012 the system was opt-in, but this year it became opt-out.
Notably, more than 2.5 million citizens have opted-out from My Health Record.
Despite privacy concerns and some lingering software bugs, almost 90% of Australians still have a My Health Record.
But, only a few health provider organisations in Australia use this system.
The audit found that largely appropriate systems were in place to manage cybersecurity risks, but that they did not adequately address the risks shared with third-party websites, apps, and health providers.
“Management of shared cybersecurity risks was not appropriate and should be improved with respect to those risks that are shared with third-party software vendors and healthcare provider organisations,” the report said.
The audit office further found that ADHA had not conducted an end-to-end privacy risk assessment of the system’s operation under the opt-out model.
The last privacy risk assessment was done in 2017. Between October and June 2017, four privacy reviews costing $3.6m were also left incomplete.
An “emergency access” function lets registered healthcare providers and participants view an individual’s records regardless of the access settings that individual has set.
But, “only if the circumstances involve a serious threat to an individual’s life, health or safety, or a serious threat to public health or public safety,” the report mentioned.
The audit office stated that ADHA was unable to assure that instances of “emergency access” to an individual’s health record did not interfere with that person’s privacy.
Emergency access requests rose from 80 to 205 per month between July 2018 and March 2019.
According to the review, only 8.2% of those requests met the guidelines.
The ADHA kept track of emergency access events and the responses to its requests for explanation, but it had not established what follow-up procedures were needed.
Where ADHA received no response, it did not notify the Information Commissioner’s office of the accesses.
In early 2016 the ADHA identified “nation-states and criminal actors as the greatest threat to the My Health Record system, with hacktivists and trusted insiders posing a medium threat and cyber terrorists posing a low threat”.
Even so, not every healthcare provider in Australia has met minimum levels of cybersecurity. The audit report also noted significant breaches in the health sector in 2018.
Many of the breaches recently reported to the Information Commissioner were attributed to “malicious or criminal attacks”, and many of those were cyber incidents.
Cybersecurity risks may grow further, as the ADHA board has not considered the updated five-year cybersecurity strategic plan finalised last year.
The ADHA’s privacy and security advisory committee role is still unclear.
The auditor recommended that ADHA establish a process to monitor compliance by third parties using My Health Record.