Sunday, June 27, 2021

I Am Not Sure The ADHA Is Being Upfront And Honest With #myHealthRecord Security Situation Risks.

The following appeared a few days ago:

Digital Health Agency says My Health Record risk mitigation work on-track

Addressing concerns raised by an audit that had asked the agency to create a risk management plan as well as remind users of My Health Record of how the emergency access function should be used.

By Asha Barbaschow | June 21, 2021 -- 05:53 GMT (15:53 AEST) | Topic: Security

The system administrator of Australia's oft-criticised My Health Record has agreed to a number of recommendations made by the Joint Committee of Public Accounts and Audit as part of its probe into the security resilience of the online medical file.

The committee in 2019 scrutinised a report from the Australian National Audit Office (ANAO) which pointed out a number of security issues concerning the Australian Digital Health Agency's (ADHA) My Health Record implementation that otherwise widely gave ADHA the tick as "largely effective".

In a response [PDF] to the committee, ADHA provided an update to its ANAO My Health Record Performance Audit Implementation Plan, which was developed in February 2020.

One of the recommendations made by ANAO was that ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls. It also recommended for the agency to incorporate the results of this assessment into the risk management framework for the My Health Record system.

The agency said it would work with public and private sector healthcare providers, professional associations, consumer groups, and medical indemnity insurers on an "overarching privacy risk assessment", and incorporate results into the risk management plan for My Health Record.

With a privacy risk assessment completed in September, and initial risk register updates flagged as done as of February, the ADHA has given itself until November to complete the risk management work.

Another recommendation was that the ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function within the online medical file.

After delivering a compliance framework and an emergency access compliance plan in February, the ADHA said it will continue to monitor emergency access and engage with system participants to "promote a sound understanding of the legislative provision and relevant reporting arrangements, so that unauthorised use is recognised and reported to the Information Commissioner, as required".

It also flagged November as completion date for this work.

ADHA was also asked by ANAO to develop an assurance framework for third party software connecting to the My Health Record system, including clinical software and mobile applications, in accordance with the federal government's Information Security Manual.

"An assurance framework exists for systems (including clinical software and mobile applications) connecting to the Healthcare Identifiers Service and the My Health Record system, including processes to confirm conformance," ADHA said in response to the recommendation.

More here:

https://www.zdnet.com/article/digital-health-agency-says-my-health-record-risk-mitigation-work-on-track/#ftag=RSSbaffb68

What strikes me about this is the totally relaxed way the security holes in the access mechanisms are being addressed. The Audit itself was conducted in 2019 and the ADHA are no planning to have the various remediations partially finalized by late 2021. One would have expected a little more urgency!

Of note also is that in the response linked above it seems most of the work in keeping things secure is being shifted back to the myHR stakeholders

Here is the latter part of the advice!

Changes to be undertaken by My Health Record stakeholders

In addition to the ongoing activities outlined above, there are a number of activities that My Health Record stakeholders will need to undertake, including:

• Working with the Agency on an ongoing basis to ensure shared privacy risks are identified and appropriately managed.

• Distributing guidance materials and other resources related to shared privacy risks and legislative requirements to healthcare providers, as appropriate.

• Healthcare Provider Organisations to ensure appropriate use of Emergency Access within their healthcare facilities, as outlined in section 64 of the My Health Records Act 2012 and adherence to notification provisions outlined under section 75 of the Act.

• System Participants to implement and maintain a policy addressing security and access requirements outlined in Parts 4 & 5 of the My Health Records Rule 2016; and provide a copy of the relevant policy, where requested by the System Operator.

• Software developers to undertake a conformance process for the new Security Requirements for Connecting Systems, when requested by the System Operator.

The full 4 page file can be downloaded from here:

https://www.aph.gov.au/DocumentStore.ashx?id=0f0311d5-492e-4e86-a142-e8b941e3c127

The document title is as follows:

 Executive Minute on Joint Committee of Public Accounts and Audit Report 485: Cyber Resilience

Inquiry into Auditor-General Reports 1 and 13 (2019-20)

10 June 2021 v1.0

OFFICIAL

Overall I really do not feel the ADHA has a solution to protecting the #myHR System from access by bad actors and is doing its best to shift any blame for issues to the legitimate users. I find it hard to discern just what real progress has been made with these vulnerabilities in the 2 years since the ANAO recognized them. It is hard to read all this any other way I believe.

 I am not at all sure it is reasonable to suggest that everything is under control!

David.

 

2 comments:

  1. Bernard Robertson-DunnJune 27, 2021 3:19 PM

    Has anyone seen this?
    1) Privacy risk assessment report – completed September 2020

    Does it identify that the biggest single risk to privacy and security are the endpoints because they are totally out of the control of the ADHA/DoH?

    Especially when any legislative protection to myhr data stops if and when data passes out of myhr, or came from elsewhere?

    The ADHA document seems to have been very carefully worded so as not to embarrass ADHA or let people know what really happens to their data.

    ReplyDelete
  2. Takes a collective understanding to mitigate those weaknesses. Not sure ADHA has the depth or breadth of knowledge. ADHA tends to (or at least use to) wonder about hoping things would fade away. They have lost a lot of cyber experience and leadership so not holding my breath.

    ReplyDelete