Wednesday, December 28, 2022

The ADHA Seems To Be Astonishingly Relaxed Regarding Fixing myHR Security!

This release appeared last week:

20 Dec 2022 3:40 pm AEDT

Increased cyber security requirements for systems connecting to My Health Record

Australian Digital Health Agency

The Australian Digital Health Agency (the Agency) is strengthening My Health Record protections through a new mandatory conformance profile for clinical information systems (including those used in GP clinics, pharmacies and allied health services) connected to the My Health Record system.

The security requirements profile will be effective from April 2023 following a 3-month period where industry is invited to provide feedback on the profile. Software vendors with clinical software products will be supported to implement changes in their products in a phased approach, to balance the need to strengthen security for all systems connected to My Health Record with the capability of software vendors to make necessary adjustments in a timely manner. The conformance profile was co-developed with stakeholders including regulators, software vendors and security experts.

The Agency is supporting industry with their preparation by providing visibility of the conformance profile in advance of the official implementation period. Questions and comments on the new conformance profile and the proposed phased implementation schedule from across the software industry can be sent to the Agency until April 2023.

The new security requirements profile contains an evidence-based list of security requirements that harden clinical information systems from cyber security attacks, uplift information security and provide better protection for consumer information. Each vendor with software products connected to My Health Record will be required to submit an extensive file of evidence to demonstrate conformance to each requirement, as well as participate in an observation session conducted by the Agency specialist team.

Australian Digital Health Agency Acting Chief Digital Officer, Dr. Holger Kaufmann said, “Protecting sensitive information is essential in the provision of healthcare services and is a fundamental capability that is required to enable connected healthcare systems and safe, seamless, secure, and confidential information sharing across all healthcare providers.”

“The Agency has and will continue to work with clinical information system vendors to provide support and guidance to further secure and protect their software for the benefit of patient privacy, national infrastructure, and their own businesses” he said.

The new requirements align to the best-practice standards recommended by the Australian Cyber Security Centre (ACSC), detailed in the ACSC’s Strategies to Mitigate Cyber Security Incidents, known as the Essential Eight, that help protect systems against a range of online and cyber security threats.

Here is a link to the release:

https://www.miragenews.com/increased-cyber-security-requirements-for-919580/

There is more information here:

ADHA drafts new security standards for My Health Record interconnection


Software vendors have up to 24 months to make changes.

Systems that interconnect with the government’s My Health Record will need to meet elevated security standards that align with the Essential Eight over the next two years.

The Australian Digital Health Agency (ADHA) said in a statement late Tuesday that it would introduce a new - mandatory - security requirements “conformance profile” for clinical software vendors.

“All clinical information systems that use one or more My Health Record B2B web services will need to conform to the new security profile,” the agency said in accompanying release notes.

"The agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care.

"To address this risk, a set of security requirements for systems connecting to the My Health Record system have been identified, comprising controls related to application development and web development, with controls aligned to the Australian Cyber Security Centre’s (ACSC) Essential Eight maturity model.

"These controls are selected as the areas of the ACSC Information Security Manual (ISM) that are most relevant to the development of software for healthcare organisations."

The conformance profile is currently in draft, pending industry feedback. Full details are behind a login, accessible to industry participants only.

Although it becomes “effective from April 2023”, implementation will be phased across five tranches and two years, with most clinical software vendors having 18-to-24 months to complete the necessary rework and upgrades on their end.

Tranche one vendors - those making systems used in acute care, which covers hospitals, emergency and the like - have six-to-12 months to make changes.

“Software vendors with clinical software products will be supported to implement changes in their products in a phased approach, to balance the need to strengthen security for all systems connected to My Health Record with the capability of software vendors to make necessary adjustments in a timely manner,” ADHA said.

“The new security requirements profile contains an evidence-based list of security requirements that harden clinical information systems from cyber security attacks, uplift information security and provide better protection for consumer information. 

“Each vendor with software products connected to My Health Record will be required to submit an extensive file of evidence to demonstrate conformance to each requirement, as well as participate in an observation session conducted by the [ADHA] specialist team.”

More here:

https://www.itnews.com.au/news/adha-drafts-new-security-standards-for-my-health-record-interconnection-589327

These 2 paragraphs give the game away:

“Although it becomes “effective from April 2023”, implementation will be phased across five tranches and two years, with most clinical software vendors having 18-to-24 months to complete the necessary rework and upgrades on their end.

Tranche one vendors - those making systems used in acute care, which covers hospitals, emergency and the like - have six-to-12 months to make changes.”

It seems we can all have our Christmas break, come back in February and start work…

Seems a little too relaxed to me, given the data that is at stake….

What do you think?

David.


7 comments:

  1. What happened to the end-to-end privacy/security review ANAO asked them to do and they agreed to do about two years ago?

    Relaxed to the point of stupor.

  2. “Each vendor with software products connected to My Health Record will be required to submit an extensive file of evidence to demonstrate conformance to each requirement, as well as participate in an observation session conducted by the [ADHA] specialist team.”

    Another prune driven statement from the complacent agency. I foresee two years of relaxing of requirements.

  3. It's not a technology issue, it's a matter of user access monitoring and control. Requirements of the original system never implemented. My Health Record is rotten to the core, no matter what ADHA may pretend.

  4. I am a bit puzzled with the use of the essential eight. E8 is not about a single vendor application and even then a vendor cannot be held accountable if a customer does not perform the eight basic maintenance activities to maintain an up to date computing environment.

    If this is to demonstrate the vendor infrastructure and software development platforms meet basic requirements then surely that is a must have for inclusion into the MSIA??

  5. This might be a simple case of “it’s them not us” from the ADHA. The commonwealth collective cannot meet its own mandated obligations. Few departments meet E8 and I do not believe (even self-reporting) that any are above maturity level 2 and definitely not across the board.

    Two years is a good timeframe, the ministers will be distracted with elections and even changing portfolios. Rinse and repeat.

  6. What will ADHA do if a connected system providing lots of data does not meet these requirements?

  7. ADHA subscribes to the hypocrite oath - I will assume, Sarah your question is a rhetorical one.

    Wishing you a happy new year David - thanks for all your efforts
