Here Are The Details Of The ANAO Review Of The #MyHealthRecord - Sadly No Comment Regarding If It Is Working Or Not And If Any Real Benefits Are Flowing.

The ANA) Audit Report was published on 25 November, 2019

Here is the direct link:

https://www.anao.gov.au/work/performance-audit/implementation-the-my-health-record-system

Here is the summary conclusion.

Conclusion

6. Implementation of the My Health Record system was largely effective.

7. Implementation planning for and delivery of My Health Record under the opt-out model was effective in promoting achievement of its purposes. Implementation planning and execution was appropriate, and was supported by appropriate governance arrangements. Communication activities were appropriate to inform healthcare recipients and providers.

8. Risk management for the My Health Record expansion program was partially appropriate. Risks relating to privacy and the IT system core infrastructure were largely well managed, and were informed by several privacy risk assessments and the implementation of key cyber security measures. Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third party software vendors and healthcare provider organisations.

9. The monitoring and evaluation arrangements for My Health Record are largely appropriate. There are appropriate mechanisms to improve the quality of information entered into the system. Some benefits measurement activities are underway, but they are not yet organised in a research delivery and evaluation plan setting out milestones, timeframes and sequencing of activities over forward years.

Supporting findings

Implementation planning and delivery

10. The objectives of the My Health Record system were clearly specified in the legislation that enabled establishment of the My Health Record system. The objectives were translated to operational objectives in corporate planning documents.

11. Implementation governance arrangements were clear and appropriate. ADHA established clear governance structures for the My Health Record expansion program, including a dedicated program board and program delivery committee. Progress reports were provided to the majority of ADHA Board meetings.

12. Implementation planning was appropriate. The My Health Record expansion to an opt-out model was implemented in accordance with an approved business case and implementation plan. The plan was revised and updated as needed. Milestones identified in the implementation plan were achieved and reporting to the ADHA Board indicates the program was delivered within the approved program budget.

13. Communication strategies were appropriate. A communications strategy was developed in September 2017, informed by the participation trials evaluation and supplementary market research. The strategy included development, testing and production of materials such as brochures, posters, and videos aimed at different target groups. ADHA commissioned communication tracking which showed that ‘every Australian’ had on average 38 opportunities to see or hear about My Health Record within the opt-out period, and that awareness increased throughout the opt-out period. ADHA also delivered education activities for healthcare providers. Tracking results showed that all general practices and community pharmacies in Australia received access to some form of My Health Record education activities, and that this corresponded with increasing registration and use of the system.

Risk management

14. Governance of risk assessment, management and monitoring for the My Health Record expansion program was largely appropriate. ADHA had a risk management framework in place, supported by various assessments and registers at the whole-of-entity level and specifically for the My Health Record expansion program. Risk documentation could further mature (as noted in the 2019 gateway review), and the ADHA could also clarify the roles and responsibilities of other government entities in the management of shared risks.

15. ADHA’s management of privacy risks was largely appropriate. Health and ADHA conducted several privacy impact assessments up until 2017 and implemented system and consumer access controls. System controls included access requirements for healthcare provider organisations and various consumer controls (including identity verification requirements, the ability to set advanced access controls and the ability to permanently delete records).

16. The ADHA has not yet undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model. The last privacy specific risk assessment was completed in 2017 and although ADHA funded the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019, none were completed in that period.

17. ADHA did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy. It should therefore review its approach and procedures for notifying the Information Commissioner of potential contraventions.

18. ADHA had largely appropriate systems to manage cyber security risks to the core infrastructure of the My Health Record system, except its management of shared cyber security risks and its oversight processes should be improved. ADHA managed risks to the core infrastructure through: establishing a Digital Health Cyber Security Centre; undertaking a series of dedicated cyber security assessments; and implementing the ‘Essential Eight’ cyber security mitigation strategies and decreasing the number of Information Security Manual (ISM) cyber security controls not implemented. ADHA’s approach to managing shared cyber security risks was not appropriate. This should be improved by:

• developing an assurance framework for third party software connecting to the My Health Record system in accordance with the ISM; and
• developing a strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations.

19. Cyber security risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened. The ADHA Board received dedicated cyber security briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cyber security strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cyber security was not clear.

Monitoring and evaluation

20. There are appropriate mechanisms to improve the quality of information entered into the system, such as: procedures to detect and correct administrative data errors; processes to promote consistency in how information is entered into the system; and data quality education and training activities. Work to monitor and improve data quality will need to continue as use of the system increases, especially if different types of users, who may not have accessed awareness and education activities, increase their participation over the coming years (such as medical specialists, allied health and aged care providers).

21. Arrangements to measure, evaluate and report on benefits realised from My Health Record are largely appropriate. A 2017 benefits realisation plan estimated benefits over a ten year period, and identified potential data collection and research activities to measure the intermediate outputs and longer-term (‘end’) benefits.

22. ADHA is measuring intermediate outputs – which relate to participation and use of the system – and has commissioned some research activities to measure some longer-term benefits. These research activities are not yet organised within a plan setting out clear milestones, timeframes and sequencing of evaluation and reporting activities over the forward years.

---- End Extract

So what comes out of all this?

1. The Audit was limited in not being able to really look at what the purpose of the #myHR was and if it was delivering.

2. It seems that the technical aspects of moving to opt-out were well handled but there were some serious issues outside the pure technical implementation.

3. Point 18 makes it very clear much more work on security is needed. e.g. Only 32% of connecting practices are secure!

4. Point 20 makes it clear that there are data quality issues which are unaddressed.

5. Point 17 suggests the ‘emergency access’ arrangements are not satisfactory.

6. Points 14 and 15 make it clear that risk and privacy planning were not satisfactory and probably still are not.

7. Points 21 and 22 show analysis of benefits is totally immature.

8. Also on benefits the lack of a plan is noted:

“The intended benefits for the My Health Record system are estimated to take at least ten years to be realised. Where the intended benefits of a program are projected to be realised over a relatively long period, entities should not only describe what the intended benefits are and how they could be measured, but also make clear delivery plans showing how and when the benefits will be measured, evaluated and reported.”

Interesting facts:

3.36 As at 30 June 2019, a Record Access Code had been set for 27,215 records – 0.1 per cent of all records – and a Limited Document Access Code had been set for 3,862 documents in the system.

3.44 ADHA documented a procedure for monitoring emergency access, but not next steps for receipt, assessment or monitoring of responses. ADHA sought written responses from healthcare provider organisations in relation to each instance of emergency access, and maintained detailed records and analysis of provider responses. In a number of instances, ADHA did not receive a response from specific healthcare provider organisations. In these cases ADHA could not satisfy itself that the circumstances of the emergency access did not constitute an interference with privacy. In other instances, some of the responses indicated a potential contravention of the Act. To date, ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations.

3.51 In Australia, evidence shows that:

• not all healthcare provider organisations achieve minimum cyber security levels⁵⁵;
• in 2018, the private health service provider sector reported the most notifiable data breaches of any industry sector; and
• more than 40 per cent of data breaches from the private health service provider sector notifications to the OAIC in 2018 were due to malicious or criminal attacks, almost half of which were cyber incidents.⁵⁶

3.60 Following these IRAP security assessments, the system was certified and accredited by Health in 2013 and 2016, and by ADHA in 2018. Each time the system was accredited by a senior executive below the accountable authority, which is permissible under the PSPF. ADHA could consider elevating future accreditation decisions to the accountable authority (the ADHA Board).

3.80 Entities such as healthcare provider organisations and contracted service providers must comply with mandatory legislated security requirements in order to be eligible, and remain eligible, for registration.⁶⁷ As the System Operator, ADHA should not register an ineligible entity, and may consider revoking registration of an entity that does not remain eligible.⁶⁸ Despite clear statutory functions and powers to register and deregister entities, ADHA stated to the ANAO that ‘it is unclear that the Agency has a mandate to undertake such monitoring and assurance activities’. Legislative requirements are only effective risk controls when enforced. ADHA conducted limited compliance monitoring to ensure registered healthcare providers met legislated security requirements. ADHA stated to the ANAO that:

Through our engagement with clinicians, they have told us that security and compliance controls can make the provision of healthcare unworkable. This can increase clinical safety risks and place additional pressure on the health workforce which is often already strained.

3.81 The risk that multiple health records are accessed, modified or made unavailable without authorisation due to compromise of a participating healthcare organisation or their contracted service provider remains a shared risk above ADHA’s residual risk tolerance. Quality reviews undertaken by ADHA of a very small sample of general practices against the requirement to have a security policy found that this requirement was only fully met by 32 per cent of survey recipients.

3.86 It was not clear that the Privacy and Security Advisory Committee (PSAC) provided advice or recommendations to the ADHA Board, despite meeting minutes recording that the PSAC noted regular briefings from ADHA on cyber security. As part of these meetings PSAC also noted the 2016–2019 Cyber Security Centre Strategic Plan on 23 March 2017, and reviewed the underpinning work plans supporting the strategy on 1 August 2018. Progress reporting against these KPI has not been provided back to PSAC. The ADHA updated the Cyber Security Centre Strategic Plan for 2019–2023 on 14 November 2018. The meeting minutes to April 2019 do not show that the updated Strategy was considered by the PSAC or the ADHA Board.

4.18 The benefits plan estimated the potential health sector economic benefits from implementing My Health Record as an opt-out model. Estimates were derived from academic studies rather than being extrapolated from actual My Health Record usage, due to a lack of sufficient historical data. Estimates were reviewed by a clinical reference group and clinicians from ADHA and Health. The plan stated that ‘estimates were calculated conservatively’.

4.19 Potential health sector economic benefits were estimated from 2007 to 2027⁷⁶, totalling $14.59 billion. The benefit categories identified were:

• ‘Improved health outcomes: if clinicians have greater access to medication information, it will result in avoided hospital admissions and saved lives’ — requiring evidence of reduced hospital admissions, lengths of stay, emergency presentations, and general practice visits;
• ‘A much more efficient health system’ — requiring evidence of reduced healthcare provider time gathering information and communicating with other providers;
• ‘Avoided duplication of diagnostic tests’ — requiring evidence of reduced expenditure on duplicate tests due to better access to pathology and diagnostic imaging information;
• ‘Putting the person at the centre of their healthcare’ — requiring evidence of improved patient self-management through increased use of care plans, mobile apps and advance care plans linked to My Health Record; and
• ‘Enabling innovation and developments in healthcare’ — requiring evidence of system improvements arising from secondary use of data and innovation in care delivery.

4.22 The plan is being revised for the business case to government for future funding.

4.28 Given that the projected benefits realisation period for My Health Record is ten years, the ADHA should develop a forward looking evaluation plan to guide the sequencing, timing and scope of activities across the coming years. This would provide a clear line of sight as to what actions will be taken and when to collect and assess relevant information. Without a plan, there is a risk that there will not be enough evidence to evaluate the longer-term effectiveness of My Health Record.

Finally. with respect to the scope of the Audit the following is stated:

“The audit did not examine the decisions to create the My Health Record system or adopt the opt-out model, or consider the framework for secondary use of My Health Record data.”

So, no consideration as it if it was a good idea or if opt-out was a good idea.

This audit identified a number of serious technical issues and was prevented at looking at the value and utility of the system. It also provided little evidence of benefit.

Pity as it means the real questions around the #myHR remain unanswered!

David.