The ANA) Audit Report was published on 25 November, 2019
Here is the direct link:
Here is the summary conclusion.
Conclusion
6. Implementation of the My Health Record system was largely effective.
7. Implementation planning for and delivery of My Health Record under the opt-out model was effective in promoting achievement of its purposes. Implementation planning and execution was appropriate, and was supported by appropriate governance arrangements. Communication activities were appropriate to inform healthcare recipients and providers.
8. Risk management for the My Health Record expansion program was partially appropriate. Risks relating to privacy and the IT system core infrastructure were largely well managed, and were informed by several privacy risk assessments and the implementation of key cyber security measures. Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third party software vendors and healthcare provider organisations.
9. The monitoring and evaluation arrangements for My Health Record are largely appropriate. There are appropriate mechanisms to improve the quality of information entered into the system. Some benefits measurement activities are underway, but they are not yet organised in a research delivery and evaluation plan setting out milestones, timeframes and sequencing of activities over forward years.
Supporting findings
Implementation planning and delivery
10. The objectives of the My Health Record system were clearly specified in the legislation that enabled establishment of the My Health Record system. The objectives were translated to operational objectives in corporate planning documents.
11. Implementation governance arrangements were clear and appropriate. ADHA established clear governance structures for the My Health Record expansion program, including a dedicated program board and program delivery committee. Progress reports were provided to the majority of ADHA Board meetings.
12. Implementation planning was appropriate. The My Health Record expansion to an opt-out model was implemented in accordance with an approved business case and implementation plan. The plan was revised and updated as needed. Milestones identified in the implementation plan were achieved and reporting to the ADHA Board indicates the program was delivered within the approved program budget.
13. Communication strategies were appropriate. A communications strategy was developed in September 2017, informed by the participation trials evaluation and supplementary market research. The strategy included development, testing and production of materials such as brochures, posters, and videos aimed at different target groups. ADHA commissioned communication tracking which showed that ‘every Australian’ had on average 38 opportunities to see or hear about My Health Record within the opt-out period, and that awareness increased throughout the opt-out period. ADHA also delivered education activities for healthcare providers. Tracking results showed that all general practices and community pharmacies in Australia received access to some form of My Health Record education activities, and that this corresponded with increasing registration and use of the system.
Risk management
14. Governance of risk assessment, management and monitoring for the My Health Record expansion program was largely appropriate. ADHA had a risk management framework in place, supported by various assessments and registers at the whole-of-entity level and specifically for the My Health Record expansion program. Risk documentation could further mature (as noted in the 2019 gateway review), and the ADHA could also clarify the roles and responsibilities of other government entities in the management of shared risks.
15. ADHA’s management of privacy risks was largely appropriate. Health and ADHA conducted several privacy impact assessments up until 2017 and implemented system and consumer access controls. System controls included access requirements for healthcare provider organisations and various consumer controls (including identity verification requirements, the ability to set advanced access controls and the ability to permanently delete records).
16. The ADHA has not yet undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model. The last privacy specific risk assessment was completed in 2017 and although ADHA funded the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019, none were completed in that period.
17. ADHA did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy. It should therefore review its approach and procedures for notifying the Information Commissioner of potential contraventions.
18. ADHA had largely appropriate systems to manage cyber security risks to the core infrastructure of the My Health Record system, except its management of shared cyber security risks and its oversight processes should be improved. ADHA managed risks to the core infrastructure through: establishing a Digital Health Cyber Security Centre; undertaking a series of dedicated cyber security assessments; and implementing the ‘Essential Eight’ cyber security mitigation strategies and decreasing the number of Information Security Manual (ISM) cyber security controls not implemented. ADHA’s approach to managing shared cyber security risks was not appropriate. This should be improved by:
- developing an assurance framework for third party software connecting to the My Health Record system in accordance with the ISM; and
- developing a strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations.
19. Cyber security risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened. The ADHA Board received dedicated cyber security briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cyber security strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cyber security was not clear.
Monitoring and evaluation
20. There are appropriate mechanisms to improve the quality of information entered into the system, such as: procedures to detect and correct administrative data errors; processes to promote consistency in how information is entered into the system; and data quality education and training activities. Work to monitor and improve data quality will need to continue as use of the system increases, especially if different types of users, who may not have accessed awareness and education activities, increase their participation over the coming years (such as medical specialists, allied health and aged care providers).
21. Arrangements to measure, evaluate and report on benefits realised from My Health Record are largely appropriate. A 2017 benefits realisation plan estimated benefits over a ten year period, and identified potential data collection and research activities to measure the intermediate outputs and longer-term (‘end’) benefits.
22. ADHA is measuring intermediate outputs – which relate to participation and use of the system – and has commissioned some research activities to measure some longer-term benefits. These research activities are not yet organised within a plan setting out clear milestones, timeframes and sequencing of evaluation and reporting activities over the forward years.
---- End Extract
So what comes out of all this?
1. The Audit was limited in not being able to really look at what the purpose of the #myHR was and if it was delivering.
2. It seems that the technical aspects of moving to opt-out were well handled but there were some serious issues outside the pure technical implementation.
3. Point 18 makes it very clear much more work on security is needed. e.g. Only 32% of connecting practices are secure!
4. Point 20 makes it clear that there are data quality issues which are unaddressed.
5. Point 17 suggests the ‘emergency access’ arrangements are not satisfactory.
6. Points 14 and 15 make it clear that risk and privacy planning were not satisfactory and probably still are not.
7. Points 21 and 22 show analysis of benefits is totally immature.
8. Also on benefits the lack of a plan is noted:
“The intended benefits for the My Health Record system are estimated to take at least ten years to be realised. Where the intended benefits of a program are projected to be realised over a relatively long period, entities should not only describe what the intended benefits are and how they could be measured, but also make clear delivery plans showing how and when the benefits will be measured, evaluated and reported.”
Interesting facts:
3.36 As at 30 June 2019, a Record Access Code had been set for 27,215 records – 0.1 per cent of all records – and a Limited Document Access Code had been set for 3,862 documents in the system.
3.44 ADHA documented a procedure for monitoring emergency access, but not next steps for receipt, assessment or monitoring of responses. ADHA sought written responses from healthcare provider organisations in relation to each instance of emergency access, and maintained detailed records and analysis of provider responses. In a number of instances, ADHA did not receive a response from specific healthcare provider organisations. In these cases ADHA could not satisfy itself that the circumstances of the emergency access did not constitute an interference with privacy. In other instances, some of the responses indicated a potential contravention of the Act. To date, ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations.
3.51 In Australia, evidence shows that:
- not all healthcare provider organisations achieve minimum cyber security levels55;
- in 2018, the private health service provider sector reported the most notifiable data breaches of any industry sector; and
- more than 40 per cent of data breaches from the private health service provider sector notifications to the OAIC in 2018 were due to malicious or criminal attacks, almost half of which were cyber incidents.56
3.60 Following these IRAP security assessments, the system was certified and accredited by Health in 2013 and 2016, and by ADHA in 2018. Each time the system was accredited by a senior executive below the accountable authority, which is permissible under the PSPF. ADHA could consider elevating future accreditation decisions to the accountable authority (the ADHA Board).
3.80 Entities such as healthcare provider organisations and contracted service providers must comply with mandatory legislated security requirements in order to be eligible, and remain eligible, for registration.67 As the System Operator, ADHA should not register an ineligible entity, and may consider revoking registration of an entity that does not remain eligible.68 Despite clear statutory functions and powers to register and deregister entities, ADHA stated to the ANAO that ‘it is unclear that the Agency has a mandate to undertake such monitoring and assurance activities’. Legislative requirements are only effective risk controls when enforced. ADHA conducted limited compliance monitoring to ensure registered healthcare providers met legislated security requirements. ADHA stated to the ANAO that:
Through our engagement with clinicians, they have told us that security and compliance controls can make the provision of healthcare unworkable. This can increase clinical safety risks and place additional pressure on the health workforce which is often already strained.
3.81 The risk that multiple health records are accessed, modified or made unavailable without authorisation due to compromise of a participating healthcare organisation or their contracted service provider remains a shared risk above ADHA’s residual risk tolerance. Quality reviews undertaken by ADHA of a very small sample of general practices against the requirement to have a security policy found that this requirement was only fully met by 32 per cent of survey recipients.
3.86 It was not clear that the Privacy and Security Advisory Committee (PSAC) provided advice or recommendations to the ADHA Board, despite meeting minutes recording that the PSAC noted regular briefings from ADHA on cyber security. As part of these meetings PSAC also noted the 2016–2019 Cyber Security Centre Strategic Plan on 23 March 2017, and reviewed the underpinning work plans supporting the strategy on 1 August 2018. Progress reporting against these KPI has not been provided back to PSAC. The ADHA updated the Cyber Security Centre Strategic Plan for 2019–2023 on 14 November 2018. The meeting minutes to April 2019 do not show that the updated Strategy was considered by the PSAC or the ADHA Board.
4.18 The benefits plan estimated the potential health sector economic benefits from implementing My Health Record as an opt-out model. Estimates were derived from academic studies rather than being extrapolated from actual My Health Record usage, due to a lack of sufficient historical data. Estimates were reviewed by a clinical reference group and clinicians from ADHA and Health. The plan stated that ‘estimates were calculated conservatively’.
4.19 Potential health sector economic benefits were estimated from 2007 to 202776, totalling $14.59 billion. The benefit categories identified were:
- ‘Improved health outcomes: if clinicians have greater access to medication information, it will result in avoided hospital admissions and saved lives’ — requiring evidence of reduced hospital admissions, lengths of stay, emergency presentations, and general practice visits;
- ‘A much more efficient health system’ — requiring evidence of reduced healthcare provider time gathering information and communicating with other providers;
- ‘Avoided duplication of diagnostic tests’ — requiring evidence of reduced expenditure on duplicate tests due to better access to pathology and diagnostic imaging information;
- ‘Putting the person at the centre of their healthcare’ — requiring evidence of improved patient self-management through increased use of care plans, mobile apps and advance care plans linked to My Health Record; and
- ‘Enabling innovation and developments in healthcare’ — requiring evidence of system improvements arising from secondary use of data and innovation in care delivery.
4.22 The plan is being revised for the business case to government for future funding.
4.28 Given that the projected benefits realisation period for My Health Record is ten years, the ADHA should develop a forward looking evaluation plan to guide the sequencing, timing and scope of activities across the coming years. This would provide a clear line of sight as to what actions will be taken and when to collect and assess relevant information. Without a plan, there is a risk that there will not be enough evidence to evaluate the longer-term effectiveness of My Health Record.
Finally. with respect to the scope of the Audit the following is stated:
“The audit did not examine the decisions to create the My Health Record system or adopt the opt-out model, or consider the framework for secondary use of My Health Record data.”
So, no consideration as it if it was a good idea or if opt-out was a good idea.
This audit identified a number of serious technical issues and was prevented at looking at the value and utility of the system. It also provided little evidence of benefit.
Pity as it means the real questions around the #myHR remain unanswered!
David.
This statement on www.myhealthrecord.gov.au
ReplyDeletehttps://www.myhealthrecord.gov.au/news-and-media/media-releases/australian-national-audit-office-findings-implementation-my-health
"The Australian Digital Health Agency (Agency) welcomes the findings in the report and agrees with all recommendations made by the Australian National Audit Office (ANAO)."
and ADHA's media release
https://www.digitalhealth.gov.au/news-and-events/news/media-release-the-australian-national-audit-office-findings-on-the-implementation-of-my-health-record-welcomed
All as weak as very weak dishwater
As you say "Pity as it means the real questions around the #myHR remain unanswered!"
ReplyDeleteMmmmm ----- unanswered to you and your readers maybe, BUT NOT unanswered to the bureaucrats and the politicians.
Just to reinforce the statement that ANAO only asked - did you do what you said you'd do?
ReplyDeleteThe ADHA said they would provide education/training for health service providers. The ANAO asked - did you? The ADHA said yes - tick in the box.
Did the ANAO think to ask - do you intend providing any education and/or training for the people at whom this thing is aimed and who have a major interest in its proper use?
No.
And the ADHA didn't and hasn't provided any education or training for any non-health service providers.
What does this suggest? The ADHA isn't really interested in the healthcare of Australian, just acquiring health data without alerting people to their responsibilities and how to manage their data and associated risks.
You can add this to the failure to produce board papers, safety reviews, statistics and benefits:
ReplyDelete1.17 On 15 August 2018, the Senate referred the My Health Record system to the Senate Community Affairs References Committee. The committee tabled its inquiry report on 18 October 2018.16 The report made 14 recommendations. By October 2019, a government response had not been tabled.
This is quite gaming for a standard gate 0 review. Anyone engaging with this system should be very careful. Privacy and Security have been the cornerstones of ADHA ”trust us” rhetoric. The ADHA has let the health system down. One can only wonder what hides in the halls of secrecy at ADHA.
ReplyDeleteNovember 25, 2019 11:15 PM. Seems many agree with you. This is very alarming. Failed massively on privacy and security. Just why did the privacy team walk out of ADHA? Why is our military cybersecurity so weak? What has been ignored regarding clinical safety?
ReplyDeleteThere is undoubtedly evidence of poor technical engineering practices?
The moral of the ANAO story is keep your distance from the ADHA.
ReplyDeleteHow do they define "largely effective"? It sounds like a subjective measure with no obvious level to meet.
ReplyDeletePage 7 missing "fragments" as a quantifier of it being incomplete.
"Background
1. My Health Record is an online electronic summary of a person’s health information."
should be
"My Health Record is an online electronic summary of fragments regarding a person's health information."
The original phrase sounds too definitive. While the intention and purpose is for every record to have a definitive summary the real system has no guarantee of all records having a summary and no guarantee a summary is actually complete & correct. Only 24% of healthcare provider organisations using the system after 7 years seems a bit slow for $2.13B spent.
Page 49 etc of "4. Monitoring and evaluation"
No benchmark or baseline measures of quality. Some quality areas have been identified, monitored, proactive education and some post processing (how long after each mistake?).
Page 53 highlights that "ADHA developed a benefits realisation plan in 2017" ... "Estimates were derived from academic studies rather than being extrapolated from actual My Health Record usage, due to a lack of sufficient historical data."
The Intermediate data collected I would describe is basic at best and not really useful.
Their plan does include further studies and analysis for measuring benefits from real usage but after 7 years they want another 2+ years, we're still waiting!
If the aim was to create a system of records and run it according to the legislation then that's what we got.
It was sold to the taxpayer as a system to improve clinical outcomes, improve efficiencies and reduce costs but the ANAO could not evaluate these.
As per usual the ADHA et. al. highlight what was "largely effective" but gloss over the shortcomings.