This appeared a few days ago.
My Health Record imaging services security failed ADHA password standards
By Campbell Kwan | October 22, 2021 | Topic: Security
Physical and information security measures used to access the My Health Record system for pathology and diagnostic imaging services did not meet the ADHA's recommended standard for passwords, according to assessments made by the Office of the Australian Information Commissioner (OAIC).
"In relation to physical and information security measures, while most assessment targets reported good physical security measures, most did not meet the ADHA's recommended standard for passwords used to access the My Health Record system," the OAIC said.
Detailed in the OAIC's annual digital health report [PDF], the agency did note, however, that most of My Health Record's assessment targets reported having a procedure in place for identifying and responding to My Health Record-related security and privacy risks even though there were areas for improvement in relation to recording matters relevant to security breaches.
During the 2020-21 financial year, three data breach notifications were submitted to the OAIC in relation to My Health Record. Two of the three have been finalised.
More here:
Anyone know what having a breach notification “finalised” means?
Here is the press release from the OAIC.
OAIC publishes annual report on digital health
21 October 2021
The independent privacy regulator for the My Health Record system and Healthcare Identifiers Service has detailed its compliance and monitoring activity in its 2020–21 digital health annual report.
The Office of the Australian Information Commissioner (OAIC) regulates the privacy provisions contained in the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the annual report highlights the OAIC’s work to ensure privacy measures for Australia’s digital health systems are upheld.
“Over the past year my office has worked proactively to regulate the protection and security of the personal information at the core of both the My Health Record system and the Healthcare Identifiers Service,” Commissioner Falk said.
“We have used our investigative and assessment functions to make sure health service providers are aware of and uphold their obligations to protect the personal information of Australians.
“Digital innovation in the health sector has the power to improve health outcomes for Australians.
“Compliance with strict privacy controls is key to public trust and confidence in digital health services and realising this potential.”
During the reporting period, the OAIC provided detailed privacy advice to stakeholders such as the Australian Digital Health Agency and Department of Health, including a submission to the review of the My Health Records Act. It also developed and promoted guidance for providers and individuals, including new resources about the My Health Record emergency access function and guidance for healthcare providers on rule 42.
The OAIC completed three audits of regulated entities in the digital health sector, including assessments of pathology and diagnostic imaging services, and two mobile health applications. The regulator also commenced an assessment of 300 general practitioners’ compliance with the requirement in the My Health Records Act to have an access security policy.
In 2020–21, the OAIC received and finalised seven complaints in relation to the My Health Records system, and received and finalised one complaint relating to the Healthcare Identifier Service. The OAIC was notified of two data breaches involving the My Health Record system.
Key 2020–21 statistics
My Health Record
- Finalised one Commissioner-initiated investigation
- Completed 3 privacy assessments, commenced an additional privacy assessment
- Finalised 7 privacy complaints
- Finalised 2 data breach notifications
- Received 11 enquiries
- Received 7 complaints
- Received 3 data breach notifications
Healthcare Identifier Service
- Finalised one privacy complaint
- Received 2 enquiries
- Received one privacy complaint
Here is the link:
https://www.oaic.gov.au/updates/news-and-media/oaic-publishes-annual-report-on-digital-health
The Executive Summary of the report reads as follows:
Executive summary
This annual report sets out the Australian Information Commissioner’s (Information Commissioner) digital health compliance and enforcement activity during 2020–21, in accordance with s 106 of the My Health Records Act 2012 and s 30 of the Healthcare Identifiers Act 2010 (HI Act).
The report provides information about other digital health activities led by the Office of the Australian Information Commissioner (OAIC), including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice and liaison with key stakeholders.
More information about the Memorandum of Understanding (MOU) between the OAIC and the Australian Digital Health Agency (ADHA) is provided in Part 1 of this report.
This was the ninth year of operation of the My Health Record system and the 11th year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.
The management of personal information is at the core of both the My Health Record system and the HI Service (which this report collectively refers to as ‘digital health’). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those privacy provisions.
The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get and share their My Health Record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for everyone who had not opted out of the system.
In 2020–21, the OAIC received 7 privacy complaints relating to the My Health Record system with 3 remaining open at the end of the reporting period. We finalised 7 My Health Record system complaints, including 3 complaints from previous reporting periods.
We received one privacy complaint relating to the HI Service in 2020–21 which is ongoing. We finalised one HI Service complaint from the previous reporting period. No Commissioner-initiated investigations were opened during the reporting period. We closed one Commissioner-initiated investigation from the previous reporting period.
We received 3 data breach notifications during the reporting period in relation to the My Health Record system and closed 2 notifications with one ongoing. We also carried out digital health-related work including:
- commencing one privacy assessment and closing 3 privacy assessments
- providing advice to stakeholders, including the ADHA and the Department of Health, on privacy-related matters relevant to the My Health Record system
- developing and promoting guidance materials, including new resources about the My Health Record emergency access function and guidance for healthcare providers on Rule 42
- making a submission to the Department of Health on the review of the My Health Records Act
- monitoring developments in digital health, the My Health Record system and the HI Service.
----- End Summary.
Here is the link:
Reading the main report there are a few points to be made:
1. The full report does not actually explain what the breaches are.
2. The discussion of pathology and radiology providers said physical security was up to scratch for most – but not all – of them, while most did not meet the ADHA’s recommended password standard.
3. We are still waiting for the report on GP practice security.
Assessment of general practice clinics – APPs 1.2 and 11 and Rule 42
In 2020–21, the OAIC commenced an assessment of 300 general practice (GP) clinics’ compliance with the requirements of Rule 42 of the My Health Records Rule, which requires entities to have an access security policy. The assessment is being conducted under APP 11.1, given that compliance with Rule 42 is a reasonable step that the OAIC would expect health service providers to take when securing the personal information they collect and hold. The OAIC anticipates finalising this assessment during 2021–22 and publishing a de-identified assessment report which provides sector analysis and aggregated findings.
4. There seems to be a ‘futures roadmap’ for the #myHR – but I have not seen it. Could anyone who has seen it send it along? There is also mention of the ADHA trying to loosen various controls. I wonder where this agenda comes from?
Here is the section of the Annual Report.
Review of My Health Records Act submission
The OAIC made a submission to the Department of Health on the review of the My Health Records Act. Led by Professor John McMillan AO, the review sought to ensure the legislation underpinning the My Health Record system is effective. The OAIC considered the review to be an important evaluative measure and an opportunity to ensure that the privacy and security of health information continues to be a central focus of the design and functionality of the My Health Record system. In our submission we:
- welcomed the development of a ‘futures roadmap’ or strategic plan for the My Health Record system as a way for stakeholders, including the OAIC, to understand how the system is intended to operate going forward
- noted that the ADHA is required by the Privacy (Australian Government Agencies – Governance) APP Code 2017 to undertake a privacy impact assessment for any high privacy risk projects
- observed that weakening the prohibited purposes provisions (employers and insurers) could impact the privacy of healthcare recipients and public confidence in the system, leading to possible reduced participation
- welcomed further consideration of the issues related to the existing framework for the handling of the health information of minors
- found that the existing provisions that establish the emergency access function appropriately balance privacy and clinical needs.
The OAIC recommended that:
- consideration be given to legislative amendments which would ensure the application of the Information Commissioner’s role in assessing, investigating and enforcing the My Health Records Act fully extends to all participants in the system
- a mechanism for external oversight of healthcare provider registration be established
- the permitted disclosure regime be expanded to allow disclosures of certain risks identified through the OAIC’s regulation of the My Health Record system to the ADHA
- the My Health Record Rule deals with the status of a person’s My Health Record upon death and that the necessity and proportionality of the requirement to retain records 30 years after death (or for 130 years if the date of death is not known) be reconsidered
- the existing My Health Record data breaches scheme, which captures a broader range of data breaches compared to the Notifiable Data Breaches scheme under the Privacy Act, be retained
- s 44 and s 51(3) of the My Health Records Act be amended to introduce positive obligations on the ADHA in relation to the registration of healthcare providers.
The bottom line is this report probably conceals more than it explains and reveals, and leaves us wondering whether the findings of the ANAO security audit have actually been fixed. I must suspect not.
David.
2 comments:
Another ball dropped by the usual suspect. Every day we uncover more steaming piles she left behind. A real indicator of why digital health is in such a shambles in Australia. Seems the less you achieve the more the cloud rewards you.
For those who read the weekend papers did you see the MyHR advert?
It contains this sentence:
"You can get your COVID-19 digital certificate from different sources, including My Health Record which also has your full immunisation history and any pathology results that have been uploaded."
This bit is interesting "which also has your full immunisation history"
How would they know what immunisations I have had in the past, in another country? I don't know what I had half a century ago, so how would they?
They don't know, so why do they claim they have my "full immunisation history"?
Do you suppose they know they are deceiving the public? Or is it just plain old incompetence?
Who is responsible and accountable for this blatant lie?
Or are they in the same category as politicians who seem to be able to get away with gross incompetence and spin?