The Office Of The Information Commissioner Audits the National E-Health Record System for 2013-14.

This report was released a week or so ago:

National Repositories Service — eHealth record System Operator: Audit report

Printable version385.37 KB

Audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: January 2014
Draft report issued: May 2014
Final report issued: November 2014

Here is the link.

http://www.oaic.gov.au/privacy/applying-privacy-law/list-of-privacy-assessments/nrs-ehealth-audit-report

The findings of the audit are summarised here and should be read closely to pick out how much is apparently not up to scratch.

----- Begin extract.

Part 11 — Summary of recommendations

Recommendation 1 — use of appropriate definitions

11.1 It is recommended that the System Operator review and revise all eHealth security policy and procedure documents (including any related training material) so that the terminology used throughout the documents is consistent with the Privacy Act. In particular the documents should be amended so that they:

• employ the terms ‘personal information and ‘sensitive information’ as defined in the Privacy Act
• take into account recent amendments to the Privacy Act.

Auditee response

11.2 Agreed. The policies, procedures and training material will be updated to better reflect the  terminology use in both the Privacy Act and PCEHR Act.

Recommendation 2 — emphasise Privacy Act obligations

11.3 It is recommended that the System Operator consider reviewing its high level eHealth security policies and procedure documents to ensure that, where appropriate, they reflect the System Operator’s Privacy Act obligations to protect personal information and the manner in which these obligations will be met.

Auditee response

11.4 Agreed. The policies, procedures and training material will be updated to better emphasise the System Operator’s privacy obligations and manner in which to meet these obligations.

Recommendation 3 — review for readability

11.5 It is recommended that the System Operator review all eHealth system security policies to ensure they can be readily understood by management, non-technical and new staff or external persons who need to review this material by:

• providing more contextual information as to the relationship between the documents (such as the related documents’, ‘intended audience’ and ‘document map’ tables described above)
• ensuring the content of the documents is consistent, up to date, easy to follow, explains key concepts and terms and reflects current practice.

Auditee response

11.6 Agreed. The policies, procedures and training material will be updated to improve usability for a range of readers. 

Recommendation 4 — implement overall privacy control mechanism

11.7 It is recommended that the System Operator implement a formal written central privacy management function. This could involve appointing a person or designating a group of people (eg a committee or working group involving all relevant staff) as the focal point for privacy advice and solutions on the eHealth record system.

Auditee response

11.8 Agreed. A working group comprising relevant staff will be established as the focal point for privacy advice. In the longer term, the establishment of a Privacy and Security Committee will be considered as part of the Government’s response to recommendations from the Review of the PCEHR.

Recommendation 5 — manage collaboration risks

11.9 It is recommended that the System Operator review the use of the IMS (in consultation with the other eHealth stakeholders) and System Operator’s EDRMS system for eHealth incident handling. The risks highlighted above may be managed by:

• general risk profile — undertaking a TRA and a PIA on the use of the IMS and the System Operator’s EDRMS system for eHealth activities, with particular reference to their adequacy in the eHealth incident management context and the effectiveness of their access controls
• policy risk — ensuring consistency of protocols used by each stakeholder that govern the use of the IMS 
• access risk — considering smaller restricted IMS communities and if possible restrict access to tickets containing personal or sensitive information to personnel in the community who need access
• access risk/trusted insider risk — utilising dynamic passwords and/or other forms of authentication (for example RSA tokens)
• access risk/trusted insider risk — ensuring all personnel accessing incident information on the IMS have the necessary baseline clearance
• trusted insider risk — if possible limiting or preventing downloading of material from the IMS
• trusted insider risk/Monitoring risk — if possible and appropriate, the System Operator could consider real time monitoring of IMS usage, especially as the amount of incident information held in the IMS increases over time
• shadow data base risk — considering whether the information in the IMS and in the System Operator’s EDRMS system can be destroyed or de-identified in accordance with the Archives Act 1983.

If the above measures cannot be implemented effectively, the System Operator should consider:

• relocating incident information (from both the IMS and the System Operator’s EDRMS system) to a location within the NRS
• implementing its own incident tracking system, under the direct control of the System Operator and used solely for managing eHealth system incidents.

Auditee response

11.10  Agreed. The IMS will be reviewed, the above recommendations considered and resulting improvements added to continuous security improvement program.

----- End Extract.

This is really amazing.

Despite the audit being rather constrained and purely document based the recommendations really suggest the System Operator (i.e. The Secretary of DOH and Accenture) have a lot to do and soon.

Documents that are unreadable, complicated and not fit for purpose apparently are really not good enough.

Just how is it all this was not sorted ages ago?

I wonder what an audit of the overall PCEHR program would reveal if this was what was found with a very constrained and limited paper review?

David.