This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Tuesday, September 13, 2016
The Office Of The Australian Information Commissioner Has Reviewed The myHR And Found A Potential Information Leak.
Assessment undertaken: November 2015
Draft report issued: April 2016
Final report issued: September 2016
Part 1: Summary
1.1 This report sets out the findings of a follow up assessment by the Office of the Australian Information Commissioner (OAIC) on the System Operator of the My Health Record system (Department of Health). The assessment considered how the System Operator has addressed recommendations from the OAIC’s previous audit on the security of personal information held on the National Repositories Service, undertaken in January 2014.
1.2 The fieldwork component of the assessment was conducted from 11 to 12 November 2015 at the System Operator offices in Canberra.
1.3 The OAIC has made three recommendations that, if put in place by the System Operator, will, in the opinion of the OAIC, minimise the risks identified around how the security of personal information is managed. These are set out in the report and summarised at Part 5.
Part 5: Summary of recommendations
5.1 It is recommended that the role and operation of the PSWG is reviewed to ensure that it has an effective role as a focal point for strategic and significant privacy advice and solutions for issues affecting the My Health Record system.
5.2 Agreed. The role of the internal PSWG will be reviewed to give the group a more strategic focus in an operational context. The review will also consider the role of the PSWG following the establishment of a Privacy and Security Advisory Committee as part of the governance structure for the Australian Digital Health Agency.
5.3 Subject to the following paragraph, it is recommended that the System Operator undertake a PIA (and, if necessary, a TRA) into the use of the IMS with particular reference to its adequacy in the My Health Record system incident management context and the effectiveness of its access controls.
5.4 A PIA may not be necessary if the System Operator is satisfied that the end to end security review and the external security review of the IMS adequately set out the privacy impacts from using the IMS to share incident information.
5.5 Agreed. The Australian Digital Health Agency will undertake a PIA on the IMS following consideration of the findings of the My Health Record end to end security review and its adequacy in addressing information sharing in the IMS.
5.6 It is recommended that the System Operator consider measures to assist with identifying where personal information is stored on the IMS. The System Operator should also consider how to secure older IMS tickets which may contain personal information with appropriate access controls. Where personal information is identified, consideration should be given to whether it needs to be retained in accordance with the Archives Act 1983 (Cth).
5.7 Agreed. The System Operator will develop a written policy which outlines the System Operator’s obligation for the management of personal information under the My Health Records Act 2012 and the Archives Act 1983. This will include periodic reviews of information contained in the IMS to identify, manage and dispose of such information in accordance with these obligations.