Wednesday, December 16, 2020

Funny How Long It Has Taken For These Appalling #myHealthRecord Security And Privacy Reports To Come To Light.

These reports were apparently published in early September, 2020 but Google Alerts only found them yesterday! Not sure therefore that the dates are very credible, but whatever!

I want to provide 2 Exec Summaries and people can read the full reports at their leisure, following up on the report published on Sunday.

First we have:

Access security governance for the My Health Record system - St Vincent’s Private Hospital Toowoomba

Part 1: Executive Summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner (OAIC) on a privacy assessment of St Vincent’s Private Hospital Toowoomba’s (SVPHT) access security governance for the My Health Record (MHR) system conducted in May 2019.

1.2 All healthcare providers who are registered participants of the MHR system are required to have, communicate and enforce an access security policy under Rule 42 of the My Health Records Rule 2016 (My Health Records Rule). Rule 42 prescribes a number of requirements that must be addressed in the policy, to ensure that staff and contractors’ access to the MHR system is secure.

1.3 The objective of this assessment was to examine how staff and contractors at SVPHT access the MHR system, and whether the hospital has appropriate governance arrangements to manage access security risks in accordance with Rule 42. This involved looking at how staff and contractors are granted access to the MHR system, how that access is controlled and monitored, and how system risks are identified and managed.

1.4 This assessment also considered the reasonable steps taken by SVPHT to protect personal information and implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), pursuant to APPs 1.2 and 11.

1.5 This assessment found that SVPHT has taken some steps to address and implement the requirements of Rule 42, including implementing an MHR access security policy.

1.6 The assessment identified some high and medium level privacy risks. The OAIC has made nine recommendations to address these risks. The recommendations, and SVPHT’s responses, are outlined in Parts 3 and 4 of this report. The OAIC has also made nine suggestions which, if implemented, will assist SVPHT to further reduce privacy risks.

Here is the link to the full report:

https://www.oaic.gov.au/privacy/privacy-assessments/access-security-governance-for-the-my-health-record-system-st-vincents-private-hospital-toowoomba/

Basically the report had a range of recommendations to get the hospital up to scratch and to address both the security and privacy issues raised. Read details on the OAIC site.

Second we have:

Access security governance for the My Health Record system - Midland Private Hospital

Part 1: Executive Summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner (OAIC) on a privacy assessment of St John of God Midland Private Hospital’s (Midland Private Hospital) access security governance for the My Health Record (MHR) system conducted in April 2019.

1.2 All healthcare providers who are registered participants of the MHR system are required to have, communicate and enforce an access security policy under Rule 42 of the My Health Records Rule 2016. Rule 42 prescribes a number of requirements that must be addressed in the policy, to ensure that staff and contractors’ access to the MHR system is secure.

1.3 The objective of this assessment was to examine how staff and contractors at Midland Private Hospital access the MHR system, and whether the hospital has appropriate governance arrangements to manage access security risks in accordance with Rule 42. This involved looking at how staff and contractors are granted access to the MHR system, how that access is controlled and monitored, and how system risks are identified and managed.

1.4 This assessment also considered the reasonable steps taken by Midland Private Hospital to protect personal information and implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), pursuant to APPs 1.2 and 11.

1.5 This assessment found that Midland Private Hospital has taken a number of steps to address and implement the requirements of Rule 42 but was yet to implement a finalised MHR access security policy.

1.6 The assessment identified a number of high and medium level privacy risks and has made 13 recommendations to address these risks. The recommendations, and Midland Private Hospital’s responses, are outlined in Parts 3 and 4 of this report. The OAIC has also made eight suggestions which, if implemented, may assist Midland Private Hospital to further reduce privacy risks.

Here is the link:

https://www.oaic.gov.au/privacy/privacy-assessments/access-security-governance-for-the-my-health-record-system-midland-private-hospital/

Basically we see a similar outcome, with the Hospital on a journey to address its security and privacy issues. Both have a good number of issues and we must conclude that, since these sites were recommended by the ADHA for assessment, there are a good number of other institutions that are not in great shape in these respects.

Again it is not clear if the issues are fixed. It is amazing just how relaxed the OAIC seems to be with all these issues. Just wait until there is a major issue blow-up somewhere. I can see the claims of “we warned you” – without providing any proof the issues are properly resolved, both generally and in these specific cases.

What do you think?

David.


1 comment:

  1. Not surprising. Mad rush to get anything and anyone connected and sending whatever to the govhr. Cyber security live in a bubble unable to create a safe secure and seamless ecosystem to facilitate clinical care needs. A government agency drained of leadership.

    Like you point out - these were selected by ADHA. Hate to see examples elsewhere.
