This appeared a few days ago.
Australian cyber policymakers to face Audit Office probe
The Attorney-General's Department, Australian Signals Directorate, and Department of Home Affairs are three of nine entities under the microscope this time.
The Australian National Audit Office (ANAO) has a handful of non-corporate Commonwealth entities in its sights for the next round of cybersecurity probes, with the three entities responsible for cyber policy within the government to face examination.
The Attorney-General's Department (AGD); Australian Signals Directorate (ASD); Australian Trade and Investment Commission; Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; Department of Home Affairs (DHA); IP Australia; and Department of the Prime Minister and Cabinet will all be under the microscope.
The objective of the audit, ANAO said, will be to assess the effectiveness of cybersecurity risk mitigation strategies implemented by the selected entities, to see if they meet mandatory requirements under the Protective Security Policy Framework (PSPF), and if the support provided by the responsible cyber policy entities are sufficient.
The ANAO proposes to examine whether the selected entities have fully implemented the Top Four cybersecurity risk mitigation strategies, or have otherwise adopted strategies and actions to progress towards full implementation.
…..
Specifically, the committee will examine two Auditor-General's reports: Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities and Implementation of the My Health Record System.
…..
Meanwhile, in probing the contentious My Health Record, ANAO pointed out a number of security issues concerning its implementation, widely giving the system administrator -- the Australian Digital Health Agency -- the tick as "largely effective".
"The ability to design and maintain secure cyber networks is essential in modern governance. As such, it is a priority of the committee to ensure that government entities have the appropriate systems in place to protect information security." committee chair Lucy Wicks said.
Submissions close 19 March 2020.
Here is the link:
The key issue that would appear to be followed up is contained in this paragraph from the Auditor General – most especially the part in bold..
8. Risk management for the My Health Record expansion program was partially appropriate. Risks relating to privacy and the IT system core infrastructure were largely well managed, and were informed by several privacy risk assessments and the implementation of key cyber security measures. Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third party software vendors and healthcare provider organisations.
Further on there is more concern with both privacy and security:
“16. The ADHA has not yet undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model. The last privacy specific risk assessment was completed in 2017 and although ADHA funded the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019, none were completed in that period.
17. ADHA did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy. It should therefore review its approach and procedures for notifying the Information Commissioner of potential contraventions.
18. ADHA had largely appropriate systems to manage cyber security risks to the core infrastructure of the My Health Record system, except its management of shared cyber security risks and its oversight processes should be improved. ADHA managed risks to the core infrastructure through: establishing a Digital Health Cyber Security Centre; undertaking a series of dedicated cyber security assessments; and implementing the ‘Essential Eight’ cyber security mitigation strategies and decreasing the number of Information Security Manual (ISM) cyber security controls not implemented. ADHA’s approach to managing shared cyber security risks was not appropriate. This should be improved by:
- developing an assurance framework for third party software connecting to the My Health Record system in accordance with the ISM; and
- developing a strategy to monitor compliance with legislated security requirements by registered healthcare provider organisations.
19. Cyber security risk oversight by the AHDA Board and its Privacy and Security Advisory Committee could also be strengthened. The ADHA Board received dedicated cyber security briefings on only four occasions between July 2016 and February 2019, and has not considered the updated 2019–2023 cyber security strategic plan (which was finalised by the ADHA executive on 14 November 2018). The role of the Privacy and Security Advisory Committee in cyber security was not clear.”
Here is the link to the blog and report from November, 2019.
I take all this to mean that all those apps and PCs (operated by GPs etc.) were not seen by the ANAO as being properly secured and that they were needing work.
The ANAO also wanted some review and reworked frameworks as to how all this was managed.
Has anyone heard what work has been done to address the issues raised? I have not seen any announcements of change, improved security etc.
David.
5 comments:
David do not expect anything to come of these “audit”. They are standard undertakings. A few PMO officers might get excited but that is about it. They are standard OGC gateway reviews. It is these same box ticking standard approaches that enable bad ideas to get funding.
I have to agree somewhat with February 23, 2020 5:59 PM. As it has been highlighted before, the MyHR is more a political tool than a clinical tool. It is not clear what currency or political mileage the system has. The DoH through ADHA appear to have run out of cohorts to bribe and there seems little incentive for those large peak bodies and colleges to carry a banner.
Despite my patient safety concerns about the myHR I thought that the access security was acceptable as it could only be accessed via myGOV. This ensured that 2FA was in place and all was good.
Maybe I was wrong.
By the end of this month, it will be mandatory for businesses to use myGOVID for authentication when dealing electronically with the ATO. AUSkey is being retired and myGOV authentication will not be used - presumably it is inadequate.
If myGOV security is not good enough for the ATO then why is it good enough for myHR?
Access via MyGov is the public portal.
There are two other access mechanisms - the provider portal and via conformant clinical systems, neither of which (AFAIK) require 2FA at the individual level.
One of the ANAO criticisms of the ADHA was that there had not been a review of full end to end security, i.e. that includes the endpoints - GP computers, hospital computers etc. This is not a technical issue it's a data access issue. myhr data that ends up in other systems is out of sight of the myhr system and the myhr legislation.
That's correct Bernard. I was referring only to public access but I did not make this clear. Sorry about that.
Your points about the other access methods are valid. An analysis of end-to-end security including hospital and GP computers would certainly be desirable. However, I can't see this happening.
Post a Comment