These summary recommendations are from Page 10 of the 66 page Audit Report published today.
Recommendations
Recommendation no. 1
Paragraph 3.27
|
ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls, and incorporate the results of this assessment into the risk management framework for the My Health Record system.
Australian Digital Health Agency response: Agreed.
|
Recommendation no. 2
Paragraph 3.45
|
ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function and notifying the Information Commissioner of potential and actual contraventions.
Australian Digital Health Agency response: Agreed.
Department of Health response: Agreed.
|
Recommendation no. 3
Paragraph 3.76
|
ADHA develop an assurance framework for third party software connecting to the My Health Record system — including clinical software and mobile applications — in accordance with the Information Security Manual.
Australian Digital Health Agency response: Agreed.
|
Recommendation no. 4
Paragraph 3.82
|
ADHA develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers.
Australian Digital Health Agency response: Agreed.
|
Recommendation no. 5
Paragraph 4.29
|
ADHA develop and implement a program evaluation plan for My Health Record, including forward timeframes and sequencing of measurement and evaluation activities across the coming years, and report on the outcomes of benefits evaluation.
Australian Digital Health Agency response: Agreed.
|
Note they are not good enough on evaluation, control of emergency access, security controls, access by third-part applications and individuals and a privacy impact assessment has not been done. Pretty big issues to address!
Outcome – they got through it – with some holes – to say the least.
Here is the link to the full .pdf.
More to come as I digest the detail.
David.
So, pretty much all good, keep going. The naysayers have been neutralised, they should all be quiet now and go to sleep for a very long time.
ReplyDeleteYes al good. A pay rise of 10% and another 3 year contract for the CEO sounds about right.
ReplyDeleteIt doesn't really matter whether the MHR works well or not,as long as the implementation was Ok then who cares?
ReplyDeleteLet's do a recap...
ReplyDeleteThe government asked the government to review if the government did what the government said it would do. The government replied - yes.
What else could the ANAO say? They had to believe what the government said.
For example the ANAO asked the question: "Were objectives clearly specified?"
This is what the review concluded:
2.2 The My Health Records Act 2012 enabled establishment of the My Health Record system. The object of the Act is to enable the establishment and operation of a voluntary national public system for the provision of access to health information relating to recipients of healthcare, to:
* help overcome the fragmentation of health information;
* improve the availability and quality of health information;
* reduce the occurrence of adverse medical events and the duplication of treatment; and
* improve the coordination and quality of healthcare provided to healthcare recipients by different healthcare providers.18
2.3 The rationale for the My Health Record system was based on the intended benefits of a single point of access to health information at the point of care. The Minister for Health stated in August 2018 that:
* Health information is spread across a vast number of different locations and systems. In many healthcare situations, quick access to key health information about an individual is not always possible. Limited access to health information at the point of care can result in a greater risk to patient safety, less than optimal health outcomes, avoidable adverse events, increased costs of care and time wasted in collecting or finding information, unnecessary or duplicated investigations, additional pressure on the health workforce, and reduced participation by individuals in their own healthcare management
Did the ANAO ask if these objectives were either realistic or have been (or could be) achieved)?
No, because they were not allowed to.
The fact that what was implemented is not and cannot be "a single point of access to health information at the point of care" went over ANAO's head.
But the objectives were clearly stated.
Neither could they question the government's claim:
"At the time the 2017-18 Budget measure was developed potential economic benefits of $14.6 billion were identified in support of the Budget measure if the government was to invest $2.13 billion over ten years."
Note that the myhr had been operating for 5 years then and no benefits seem to have been achieved.
Moving the goalposts is always a good idea, especially if they are moved into the unknown future.
The ANAO was forbidden from asking the real question which is: what is the value of this system to the users - doctors and patients.
Nowhere in the review was any professional body (e.g. AMA, RACGP), healthcare service provider or consumer representative or even patients consulted.
No doubt the ADHA and the DoH will claim that they have done a good job and will continue to improve things. If they have really done a good job, why do they need to re-platform the thing?
The only questions now are will anyone actually use it and will the government keep pumping money into it?
Everything you say Bernard is correct. Even so, your last question is right off-the-mark. In reality the audit has given the MyHR the thumbs up for the government to keep pumping money into it. The two major political parties will be relieved. Full steam ahead will be the only option for government, anything else would be political suicide.
ReplyDeleteNow is probably the best time for Tim to jump ship. Things can only get worse for him, they certainly won't get any better. There's only so long you can hide from the promises you've made.
ReplyDeleteWhy jump ship now. He's on the crest of a wave with a big bonus imminent. He doesn't see things as being worse or better just under control and moving forward. And he doesn't hide behind promises he's made, he just makes new one - bigger, bolder, higher, faster, out of the way we're coming through.
ReplyDelete‘He’ would not be alone. True to how it works at ADHA someone behind the wave 1 ocher fiasco, behind the dismantling of CCA, behind dismissing the requirement for vendors of clinical systems be accredited, in charge of MyHR opt out period that dismissed privacy reviews? All this tip of the iceberg stuff and they are handsomely rewarded with an acting role. If I was the general manager for cyber security I would watch my back.
ReplyDelete