Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Monday, December 14, 2020

Weekly Australian Health IT Links – 14 December, 2020.

Here are a few I have come across the last week or so. Note: Each link is followed by a title and a few paragraphs. For the full article click on the link above the title of the article. Note also that full access to some links may require site registration or subscription payment.

General Comment

-----

We seem to be moving into the ‘silly season’ so less news around but still the odd morsel. Do enjoy!

-----

https://www.miragenews.com/territory-labor-government-innovating-and-strengthening-nt-health-system/

December 7, 2020 12:40 pm AEDT

Territory Labor Government Innovating and Strengthening NT Health System

NT Government

Northern Territory Health, Aboriginal Medical Services Alliance NT (AMSANT) and Northern Territory Primary Health Network (NT PHN) have partnered to increase the use of digital health technologies.

Digital health enables better coordinated care and better informed treatment decisions.

The NT’s population has some of the most vulnerable people in Australia with high levels of social disadvantage and a high burden of chronic disease.

One of the most significant outcomes for day-to-day provision of health services to come out of the COVID-19 pandemic was the uptake of tele-health services in both urban and remote settings.

-----

https://ajp.com.au/news/over-91-of-consumers-had-at-least-one-discrepancy-in-their-medication-records/

‘Over 91% of consumers had at least one discrepancy in their medication records.’

Sheshtyn Paola 08/12/2020

A pharmacist researcher has warned about high prevalence of medication record discrepancies at a national conference, pointing to digital records as a solution

Medicine-related problems are common because using medicines is our most common healthcare treatment, Professor Amanda Wheeler told delegates at the National Medicines Symposium (NMS), hosted virtually by NPS MedicineWise on Monday.

Over one million Australians experienced an adverse medicine event in the last six months—and some groups are at higher risk, including those with long-term conditions, on multiple medications, older people and migrant populations.

Medicine discrepancies can cause particular problems, said Professor Wheeler, a pharmacist and mental health researcher with Griffith University in Queensland.

-----

https://www.itnews.com.au/news/digital-id-finally-comes-to-mygov-558791

Digital ID finally comes to myGov

By Justin Hendry on Dec 10, 2020 6:59AM

Forgetting your password just became a thing of the past.

Australia’s 15 million-odd myGov account holders can now ditch their password and log into the online services portal using the federal government’s myGovID digital identity offering.

In a major breakthrough for the long-running Govpass digital identity program, the Digital Transformation Agency this week quietly pressed go on the public release of the credential on myGov.

myGovID – a reusable digital identity credential for citizens that works like a digital equivalent of the 100 point ID check – joins myGov’s existing two factor authentication sign-in option.

The integration means users are now able to sign into myGov using either a one-time code in the myGovID app (as long as they have connected the two platforms) or continue using a password.

-----

https://www.afr.com/technology/healthmatch-raises-18m-as-patients-go-online-for-clinical-trials-20201202-p56k0n

HealthMatch raises $18m as patients go online for clinical trials

Natasha Gillezeau Reporter

Dec 8, 2020 – 12.00am

HealthMatch, an Australian start-up that has built a digital platform to connect patients with upcoming clinical trials, has raised $18 million in an investment round led by venture capital fund Square Peg.

It is the third external funding round for the company, with Square Peg following on from leading a $6 million round last year and Tempus Partners also returning for the third time, having led its first funding round in 2018.

The three year old company has experienced a rapid growth in its user numbers as more patients jumped online to hunt for the latest scientific research to treat their conditions. In June it had 8000 people using the platform, which has grown to 80,000 at the start of December.

HealthMatch founder and chief executive Manuri Gunawardena said she had not planned on raising more funds this year, but the rapid growth meant increased investment in staff and the platform was required, and new strategic investors would be beneficial. She is also planning some Asian expansion.

-----

https://www.itnews.com.au/news/govt-agencies-face-annual-cyber-security-audits-for-next-five-years-558870

Govt agencies face annual cyber security audits for next five years

By Justin Hendry on Dec 10, 2020 5:21PM

On the recommendation of a parliamentary committee.

A parliamentary committee has called for cyber security reviews to become a more permanent fixture on the national auditor’s annual work program after a string of subpar audit results.

The finding is contained in the accounts and audit committee report [pdf] into cyber resilience, which said existing accountability mechanisms under the protective security policy framework (PSPF) were “limited”.

The PSPF requires that agencies self-assess against 16 requirements – one of which is the Top Four and Essential Eight controls – each year using a ‘maturity model’ and report the results to the Attorney-General's Department (AGD).

The report, released on Wednesday, recommends that the Australian National Audit Office (ANAO) conduct an “annual limited assurance review” into the cyber resilience of Commonwealth entities.

-----

https://medicalrepublic.com.au/questions-over-mandatory-vax-reporting/38341

10 December 2020

No fees for mandatory vax reporting

COVID-19 Government Vaccination

Posted by Bianca Nogrady

Vaccine providers may soon have to report all government-funded immunisations – including against COVID-19 – to the Australian Immunisation Register or face penalties, but the government has no plans to reimburse providers for their efforts.

The federal government has introduced a bill for an amendment to the Australian Immunisation Register Act which would enforce mandatory reporting of COVID-19 vaccinations from 1 March 2021, and all other vaccinations funded under the National Immunisation Program from 1 July 2021.

Speaking on the bill in parliament, Health Minister Greg Hunt said while reporting of vaccinations to the Australian Immunisation Register was currently voluntary and data for childhood immunisations was high, the reporting for adolescent and adult vaccines was far less complete.

Associate director of the National Centre for Immunisation Research and Surveillance Dr Frank Beard said the COVID-19 pandemic and potential cost of COVID-19 vaccination were the main drivers for the government’s shift in policy.

-----

https://www.hinz.org.nz/news/540481/HiNZ-announces-Fellowship-Programme.htm

HiNZ announces Fellowship Programme

Monday, 23 November 2020  

eHealthNews.nz editor Rebecca McBeth

Health Informatics New Zealand announced a new Fellowship Programme at a networking event in Auckland on November 19.

The Fellow of HiNZ Programme recognises Digital Health leaders who demonstrate significant digital and data achievement and contributions, leadership and service for the health and disability sector of New Zealand/Aotearoa.

A group of Founding Fellows will be appointed by the HiNZ Board and announced in early 2021. The Founding Fellows all have a recognised legacy of service and leadership in digital health.

Next year, an annual application process will begin for Fellows, with the first round of applications assessed and appointed by the Founding Fellows and the HiNZ Board.

-----

https://www.afr.com/technology/telehealth-start-up-coviu-banks-6m-after-record-growth-20201204-p56kls

Telehealth start-up Coviu banks $6m after record growth

Yolanda Redrup Reporter

Updated Dec 7, 2020 – 12.50pm, first published at 12.29pm

Telehealth start-up Coviu's growth has been accelerated by up to four years on the back of the COVID-19 pandemic, allowing it to raise $6 million to support its continued expansion.

The business, which was spun out of the CSIRO in 2018, grew from having 400 video visits a day on its platform to 25,000 at the height of the crisis.

Chief executive and co-founder Silvia Pfeiffer said the pandemic had put a rocket under the business.

“We were on a growth path before and were continuing to grow on a steady, nice incline ... but it was slow,” she said.

"[Without the pandemic] we would have done it, but it would have been harder work and we’d have stuck with it."

-----

https://www.itnews.com.au/news/govts-public-sector-data-sharing-bill-enters-parliament-558770

Govt's public sector data sharing bill enters parliament

By Justin Hendry on Dec 9, 2020 12:51PM

After two years of consultation.

The federal government has introduced long-anticipated data sharing laws to parliament in a bid to make it easier for the public sector to share data within government and the private sector.

The Data Availability and Transparency Bill 2020 was introduced by Government Services Minister Stuart Robert on the second last sitting day of 2020.

It follows more than two years of consultation by the Department of Prime Minister and Cabinet, including 76 public roundtables, following a 2018 Productivity Commission report.

An exposure draft was released in mid-September, introducing a requirement for agencies to seek consent before releasing personal information unless unreasonable or impractical.

The government had previously said that consent should only be encouraged, as a consent-based model for data sharing “could create biases in data”.

-----

https://www.itnews.com.au/news/govt-introduces-cyber-incident-response-takeover-bill-to-parliament-558831

Govt introduces cyber incident response takeover bill to parliament

By Justin Hendry on Dec 10, 2020 12:21PM

Ahead of July 2021 start date.

Legislation that will give Australia’s cyber spooks the power to defend networks and systems of critical infrastructure against cyber attacks - much to the alarm of global tech companies - has been introduced to parliament.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced by Home Affairs Minister Peter Dutton on Thursday, just a month after the release of the exposure draft.

The bill will give effect to an “enhanced regulatory framework” for critical infrastructure and systems of national significance, building on the Security of Critical Infrastructure Act (SOCI) passed back in 2018.

It will apply to not only the electricity, gas, water and port entities currently regulated under the SOCI Act, but communication, “data storage and processing” and financial services and markets.

-----

https://www.ausdoc.com.au/practice/app-review-matchfit-addressing-mental-health-little-help-sports-stars

App review: matchFit - addressing mental health with a little help from sports stars

The app features video presentations from past and present soccer players

8th December 2020

By Antony Scholefield

matchFit is a UK-developed mental health app themed around soccer — or football as it’s known there. 

The app has the common tools of CBT exercises and a mood tracker but couched in the language of sport, with video presentations by current and former soccer players.

It was developed at the University of Birmingham in conjunction with the Street Soccer Foundation, a charity run by ex-player Keith Mabbutt.

Admittedly, a cricket-themed mental health app would be more useful in Australia even though the app does feature content from English ex-cricketer Jeremy Snape.

But for young people interested in soccer, it may stand a better chance of securing their engagement than typical mental health interventions.

-----

https://www.theaustralian.com.au/business/technology/neuronode-technology-creator-control-bionics-to-list-on-asx/news-story/847d90f83dad31b4f1c63b364081a734

NeuroNode technology creator Control Bionics to list on ASX

Chris Griffith

A cutting-edge Australian-US tech firm in the disabilities sector will list on the ASX on Monday.

Creating a communications sensor for people unable to speak or barely move, such as sufferers of motor neurone disease, cerebral palsy and strokes, and accident victims, has been the passion of Queenslander Peter Ford.

The former Seven Network journalist, newsreader, and later NBC and CNN anchor, and NASA correspondent enjoyed a distinguished Australian-US media career that included covering Operations Desert Shield and Desert Storm in the Persian Gulf, and, after 9/11, reporting from Pakistan and Afghanistan.

Ford had another passion, technology — learning computer programming in the early 1980s, and in the early 2000s he turned his mind to technology for the disability sector and gained a contract with the US Veterans Administration in 2007.

-----

https://www.csiro.au/en/News/News-releases/2020/New-implants-to-help-detect-and-prevent-brain-seizures

07 Dec 2020

New implants to help detect and prevent brain seizures

Researchers from Australia’s national science agency, CSIRO, have developed new implantable devices equipped with machine learning to help prevent seizures and monitor patients after brain surgery.

The researchers will now use a $1 million Australian Government grant awarded to Australian company Anatomics to develop a ‘smart helmet’ to monitor brain swelling in stroke and traumatic brain injury patients.

Researcher at CSIRO’s data and digital specialist arm, Data61, Dr Umut Guvenc said traumatic brain injuries affect over 69 million people worldwide, including 700,000 Australians, with one in three likely to develop chronic epilepsy due to the high frequency of seizures.

“Monitoring brain activity post-surgery is especially critical to a patient’s recovery as seizures can regularly occur, often leading to patients developing epilepsy,” Dr Guvenc said.

-----

https://www.itwire.com/health/researchers-develop-device-to-help-prevent-seizures-in-patients.html

Tuesday, 08 December 2020 10:19

Researchers develop device to help prevent seizures in patients

By Sam Varghese

Researchers from Australia's national science agency, the CSIRO, say they have developed new implantable devices with machine learning that can help to prevent seizures and monitor patients after brain surgery.

A statement from the agency said the scientists involved would use a $1 million Australian Government grant given to the firm Anatomics to develop what they called "a smart helmet to monitor brain swelling in stroke and traumatic brain injury patients".

Dr Umut Guvenc, a researcher at CSIRO's digital arm Data 61, pointed out that traumatic brain injuries affected more than 69 million people globally, including 700,000 Australians.

One in three of those affected was likely to develop chronic epilepsy due to the high number of seizures.

-----

https://marketplace.service.gov.au/2/digital-marketplace/opportunities/10124

Whole Agency Electronic Documents Record Management System

Opportunity ID 10124

Deadline for asking questions Wednesday 13 January 2021 at 6pm (in Canberra)

Application closing date Friday 15 January 2021 at 6pm (in Canberra)

Published Tuesday 8 December 2020

Panel category Change and Transformation

Overview

Deliver an Electronic Documents Record Management system solution for the Australian Digital Health Agency to comply with the National Archives Act 1983. Ensuring compliance against all relevant ISO standards and legislative requirements are met for a compliant EDRMS in the context of a Federal Government Agency.

Estimated start date

1 March 2021

Location of work

New South Wales
Offsite

Working arrangements

On site at least 1 day a week for the period of the engagement or as required by the project team (subject to Covid-19 restrictions).

Length of contract

12 months

-----

https://itwire.com/mobility/more-australians-going-to-mobile-only-for-making-calls-at-home,-says-acma.html

Friday, 11 December 2020 12:30

More Australians going to mobile-only for making calls at home, says ACMA

By Peter Dinham

A trend in people shifting from fixed to mobile communications is continuing, according to the telecommunications industry regulator, the Australian Communications and Media Authority (ACMA).

The ACMA has just released its interactive report - Mobile-only Australia: living without a fixed line at home - looking at the take-up of mobile devices by Australian adults over the last six years.

The ACMA said on Friday that data for the 12 months to June 2020 shows 60% of Australians are mobile-only for voice calls at home (with a mobile phone but no landline), and this has doubled from 29% in 2015.

“However, we are less likely to rely solely on a mobile service for our home internet connection, with only 16% of Australians accessing the internet at home via a mobile network,” the report says.

-----

https://itwire.com/telecoms-and-nbn/improved-access-to-key-online-services-during-covid,-says-accc.html

Thursday, 10 December 2020 11:55

Improved access to key online services during COVID, says ACCC

By Peter Dinham

Increased broadband speeds have improved performances of popular streaming services such as Netflix and YouTube during mid-September and October when compared to a pre-COVID baseline of February 2020, according to the ACCC.

The Australian Competition and Consumer Commission’s second Critical Services Report - released on Thursday, reveals that in the first two weeks of October, Netflix’s daily download speed improved to be between 6% to 7% higher than its February 2020 baseline. Over the same period, YouTube’s daily download speed was between 1% to 4% higher than its February 2020 baseline.

Results also show that streaming services, Netflix and YouTube had typically faster download speeds than in the first Critical Services Report, which showed performance during May 2020.

The Critical Services Report tracks the performance of the NBN fixed-line broadband connections that support streaming and video conferencing services.

-----

https://www.itnews.com.au/news/huawei-australia-still-waiting-for-formal-nbn-5g-ban-notifications-558789

Huawei Australia still waiting for 'formal' NBN, 5G ban notifications

By Ry Crozier on Dec 9, 2020 5:12PM

Says it is 'well placed' to critique 2018 telco security law.

Huawei Australia says it is still awaiting “formal notification” of its bans from the NBN and 5G networks, reiterating long-standing calls for its equipment to be “independently tested” and its cyber security processes reviewed.

Security fears saw Huawei banned from bidding for NBN work back in 2012 and then from participating in 5G networks in mid-2018.

The 5G ban in part leant on the Telecommunications Sector Security Reforms or TSSR, which addressed the threat posed by suppliers of equipment and managed services located in foreign countries.

With a statutory review of the TSSR now underway, Huawei Australia said in a submission [pdf] to that process that it is “well placed to provide first-hand experience of the implementation and impact of the legislation … as one of a handful of corporations to be negatively targeted”.

-----

https://www.itnews.com.au/news/nbn-co-to-undertake-200m-it-transformation-558790

NBN Co to undertake $200m IT transformation

By Ry Crozier on Dec 9, 2020 5:20PM

Largest such project in its history.

NBN Co is set to embark on a $200 million project to simplify and modernise its IT architecture, touted as the “largest IT transformation” it has ever undertaken.

The project, which was first reported by CommsDay, is codenamed the ‘systems digital roadmap’, with works divided among three pillars.

Chief information officer Debbie Taylor said in a statement to iTnews that the program is about “digitising NBN Co”.

Taylor said it would help the company to “drive new pathways for how we work as an industry, building new capabilities quicker and more cost effectively across the telco industry, with the aim of delivering better services for customers.”

-----

https://www.itwire.com/telecoms-and-nbn/nbn-co-starts-rollout-of-disaster-satellite-service.html

Wednesday, 09 December 2020 11:55

NBN Co starts rollout of Disaster Satellite Service

By Peter Dinham

National broadband network operator NBN Co has unveiled the first NBN Disaster Satellite Service in Namadgi ACT, designed to boost the support offered to communities and emergency services personnel during and in the aftermath of emergency events, such as bushfires and floods.

It is the first service to be rolled out through funding provided by the Australian Government’s Strengthening Telecommunications Against Natural Disasters (STAND) package to increase the number of temporary emergency network services.

The services provide additional support for disaster-affected communities where terrestrial communications networks are temporarily impacted due to power loss or damage to communications infrastructure.

NBN Co has been awarded a grant of $7 million to install nbn Disaster Satellite Service units at designated emergency management sites and evacuation centres across the country.

-----

https://www.theaustralian.com.au/business/technology/nbn-co-kicks-off-transformation/news-story/0b193026f2b027ab91eaaa36bc0cca96

NBN Co kicks off transformation

David Swan

NBN Co has kicked off a three-year $200m digital transformation program, greatly simplifying its tech stack in a bid to better resolve customer issues and hold onto tech talent, as the company moves on from the “build” phase of its project.

Customers across the country will have their network experience and services enhanced by the tech overhaul, according to NBN Co chief information officer Debbie Taylor, who told The Australian that NBN was also aiming to use the transformation program to retain its top-end talent.

The NBN has moved from an intensive network infrastructure build operation to an upgrade and maintenance agenda, and the company building it wants to ensure it remains attractive for engineers.

“This is really about attracting and retaining the best people,” Ms Taylor said. “The war on talent is not anything that’s new, but what is new is that we have moved through the last 10 months or so of a global pandemic, which has meant that a lot of companies have been reconsidering their digital capabilities and demand for these skills and resources is significantly higher than when we started this plan. We’re competing against many more companies for the same skills.

-----

https://itwire.com/telecoms-and-nbn/lack-of-a-national-plan-for-5g-could-threaten-global-competitiveness-of-australian-farmers,-miners,-report-warns.html

Tuesday, 08 December 2020 15:14

Lack of a national plan for 5G could threaten global competitiveness of Australian farmers, miners, report warns

By Peter Dinham

Australian farmers and miners could become less competitive than their global rivals unless a national plan is developed to expedite 5G coverage to rural and regional Australia, according to a new report jointly commissioned by Huawei Australia and the Telecommunications Association TelSoc.

The Connecting Rural and Regional Australia report from UK-based telecoms research company OMDIA says that 5G technology is already being used by farmers and miners in Europe, North America and Asia to operate their businesses more efficiently.

But according to the report, by contrast 5G coverage in Australia remains “primarily focused on urban areas with no clear time-table in place to deliver 5G coverage to regional and rural Australia where our farmers and miners generate much of the country’s wealth”.

“The highly competitive international agriculture market demands continued improvements in productivity, as does the appetite of the growing global population,” the report says.

-----

https://www.computerworld.com/article/3600116/australian-broadband-has-gotten-faster-during-the-pandemic.html

Australian broadband has gotten faster during the pandemic

ACCC’s latest broadband report shows that providers achieved up to 98.5% of maximum plan speed on the NBN.

By Samira Sarraf

Senior Writer, Computerworld | 7 December 2020 6:00 AEDT

The latest ‘Measuring Broadband Australia’ quarterly report from the Australian Competition and Consumer Commission (ACCC) has found that delivered broadband speeds have gotten faster. That follows efforts by the Australian government and the broadband providers early in the COVID-19 pandemic to boost internet performance to support increased home usage by workers and students caused by the lockdowns.

In October 2020, retail services providers (RSPs) achieved between 84.8% and 98.5% of maximum plan speed on the National Broadband Network (NBN) during the busy hours of 7 p.m. to 11 p.m. Users on NBN experienced an average download performance of 95.7% of plan speeds, down to 94.9% during the busy hours. The report for September showed a lower average download performance of 88.5%, down to 87.6% during the busy hours.

Delivered broadband speeds have been increasing since the start of the COVID-19 pandemic. This increase in the average download speed is largely due to the NBN provisioning more connectivity virtual circuit (CVC) capacity for RSPs and to overprovisioning the download component of some speed tiers by about 10% to 15%. “This change is clearly evident in our results. Across October, 53.9% of NBN services we monitored had an average download speed higher than the plan speed,” the report said. The average upload performance ranged between 83.0% and 90.2% during all hours across RSPs.

-----

https://www.theaustralian.com.au/nation/great-balls-of-fire-space-capsule-back-safely/news-story/78de81f526f387b905b7fe632be921ef

Great balls of fire: space capsule back safely

Victoria Laurie

A manmade fireball that fell to Earth in the South Australian desert was seen and heard by more than 80 instruments that were placed across 600km of outback country around Woomera.

The Hayabusa2 capsule briefly turned into a fireball as it re-entered the atmosphere 120km above Earth in the early hours of Sunday, creating a blaze of light visible over the state’s north.

The slender, suitcase-sized capsule landed safely with its precious cargo of asteroid dust after a remarkable space journey. The capsule has travelled 5.2 billion kilometres over the past six years, and took two samples last year from the 4.5 billion-year-old asteroid Ryugu.

The capsule was released by its orbiting “mother” spaceship, Hayabusa2, in a precise operation in which it landed safely on the ground at the end of a parachute in the Woomera Prohibited Zone at 4am on Sunday.

-----

Enjoy!

David.

Sunday, December 13, 2020

Do Not Imagine That Remote Access To The #myHealthRecord Is In Any Way Properly Secured Or Private!

Here is the report of a review of a few of the thousands of places where access to the #myHR is available. Report dated 4 September 2020 but published later.

---- Begin report

Summary of the OAIC’s assessment of 14 pharmacies and eight diagnostic imaging services access security governance for the My Health Record system

Part 1: Introduction

1.1 The Office of the Australian Information Commissioner (OAIC) has a range of functions and powers directed towards protecting the privacy of individuals in the handling of personal information in the My Health Record (MHR) system. In addition to the power and functions conferred by the Privacy Act 1988 (Privacy Act), the OAIC provides independent privacy oversight of the MHR system under the My Health Records Act 2012 (My Health Records Act).

Background

1.2 The MHR system is the Australian government’s digital health record system. A MHR is an online summary of a consumer’s key health information including details of their medical conditions, medicines and allergies.[1] As end-users of the system, pharmacies and diagnostic imaging services are able to view and add information to a MHR when they need to, subject to access controls set by the consumer.

1.3 Healthcare providers that handle personal information in the MHR system are bound by obligations in the Australian Privacy Principles (APPs) and those set out in Rule 42 of the My Health Records Rule 2016 (My Health Records Rule).

1.4 In practice, this means that healthcare providers participating in the MHR system have concurrent obligations to:

  • fulfil the privacy and access security requirements outlined in Rule 42 in relation to end-user access security
  • take reasonable steps to protect personal information and implement practices, procedures and systems to ensure compliance with the APPs.

Objective and scope of the assessment

1.5 This assessment was conducted in April 2019. The objective of the assessment was to examine how staff at pharmacies and diagnostic imaging services access the MHR system, and whether pharmacies and diagnostic imaging services have appropriate governance arrangements to manage security risks in accordance with Rule 42 of the My Health Records Rule.

1.6 Rule 42 requires that all healthcare provider organisations have, communicate and enforce an access security policy for accessing the MHR system. The policy must address a number of prescribed requirements, including:

  • how staff are authorised to access the MHR system
  • staff training in relation to using the MHR system accurately and responsibly, and the legal obligations involved
  • the process for identifying a person who requests access to a consumer’s MHR
  • physical and information security measures, including user account management (linked to Rule 44[2])
  • strategies to identify, mitigate and report MHR system risks.

1.7 The assessment also considered how pharmacies and diagnostic imaging services met the following obligations under the Privacy Act:

  • APP 1.2, which requires an entity to take reasonable steps to implement practices, procedures and systems to ensure that it complies with the APPs
  • APP 11, which requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Methodology

1.8 At the time the assessment was conducted, pharmacies and diagnostic imaging services were emerging participants in the MHR system. Fourteen pharmacies and eight diagnostic imaging service providers were selected to participate in the assessment based on MHR system data provided by the ADHA, which indicated that these healthcare providers were accessing consumers’ MHRs.

1.9 The assessment involved the following:

  • a desktop review of the pharmacies and diagnostic imaging services’ MHR access security policies and any other relevant policy and procedure documents provided to the OAIC
  • review of the results of a self-administered questionnaire
  • analysis of each response against the requirements of Rule 42, and APPs 1.2 and 11.

1.10 The OAIC did not undertake on-site inspections of the pharmacies or diagnostic imaging services’ privacy practices. The OAIC provided individualised feedback to the pharmacies and diagnostic imaging services on their questionnaire responses and MHR access security policies, and also made recommendations to address any identified privacy risks where applicable.

Reading this report

1.11 The OAIC has summarised the key findings from the assessment and outlined areas of good privacy practices as well as areas for improvement. The findings are presented under five main headings.

1.12            From this point forward we will refer to the pharmacies and diagnostic imaging services collectively as the ‘assessment targets’, aside from instances where the assessments made differing findings between the two cohorts.

Part 2: Summary of findings

My Health Record access security policy

Areas of good privacy practice

2.1          The OAIC found that 17 of the 22 assessment targets had implemented an MHR access security policy at the time of the assessment. 

2.2          Of the assessment targets that did not have an MHR access security policy in place, the OAIC observed that most had other procedures in place to address the requirements of Rule 42. There were differences in the comprehensiveness of these procedures and the extent that these were in writing and communicated to staff.

2.3          The majority of assessment targets communicated their MHR access security policy to staff as part of induction and MHR training. Most pharmacies made their policies available to staff in hard copy whereas most diagnostic imaging services made their policies available via their intranet.

2.4          Nearly all assessment targets who had an MHR access security policy reviewed it annually, or when any material new or changed risks are identified.

Areas for improvement

2.5          Five out of 22 assessment targets did not have a written MHR access security policy at the time of the assessment. Further, of the assessment targets that did have a written policy, some of the assessment targets had not implemented the policy until after staff were given access to the MHR system.

2.6          These results indicated that five assessment targets did not comply with the minimum requirements of Rule 42 of the My Health Records Rule (implementing an access security policy), which was also not consistent with the reasonable steps to secure personal information required under APP 11.     

Rule 41 and 42(1) require healthcare providers to have a written access security policy to be eligible to be registered, or remain registered, under the MHR system. The policy underpins the security governance for end-users of the MHR system, and is therefore critical for pharmacies to ensure protection of sensitive information. It also helps build staff awareness of obligations under MHR legislation.

2.7          Having regard to the circumstances, the Privacy Commissioner exercised her discretion to take further regulatory action by opening Commissioner initiated investigations under section 40 of the Privacy Act.

2.8          The purpose of the investigations was to inquire about the circumstances in which these assessment targets were accessing the MHR system without an access security policy. In particular, the OAIC sought assurance that, despite the absence of an access security policy, there had been no instances of unauthorised access to the MHR system.  

2.9          The investigations were finalised on the basis that:

  • two assessment targets implemented an access security policy that met the requirements of Rule 42 of the My Health Records Rule
  • two assessment targets elected to deregister from the MHR system
  • further information and submissions were provided, including that there had been no instances of unauthorised access to the MHR system.

Access to the My Health Record system

Areas of good privacy practice

2.10       All assessment targets with an MHR access security policy outlined the process for authorising staff access in the policy. All pharmacies and five out of six diagnostic imaging services with an MHR access security policy limited access to those staff who require access as part of their duties.

2.11       Most assessment targets (16 out of 17) with an MHR access security policy stipulated a process for identifying individual access to the MHR system. Almost all assessment targets reported assigning internal identification numbers to staff via their respective clinical software systems.

2.12       While 13 out of 14 pharmacies reported that they record this internal identification number each time a staff member accesses the MHR system, only four out of eight diagnostic imaging services reported doing so.

Areas for improvement

2.13       All assessment targets with an MHR access security policy outlined the process for deactivating user accounts, including the requirement to deactivate user accounts whose security has been compromised.

2.14       The majority of pharmacies’ MHR access security policies did not address every circumstance that requires deactivation as prescribed by the My Health Records Rule. Under Rules 42(4)(a), 44(d) and 44(e), healthcare providers must have a process for suspending or deactivating the user accounts of staff:

  • who leave the organisation
  • whose security has been compromised
  • whose duties no longer require them to access the MHR system.

2.15       All diagnostic imaging services that had an MHR access security policy addressed these circumstances.

2.16       The majority of assessment targets reported that they do not immediately suspend or deactivate user accounts after becoming aware that the user account has been compromised, as required under Rule 44(e), however most assessment targets did so within 24 hours.

Rule 44(e) requires healthcare providers to employ reasonable user account management practices including suspending a user account that enables access to the MHR system as soon as practicable after becoming aware that the account or its password or access mechanism has been compromised. These steps will assist healthcare providers to reduce the risk of unauthorised access to the MHR system.

Training

Areas of good privacy practice

2.17       Most assessment targets (15 out of 17) with an MHR access security policy address the training to be provided to staff who access the MHR system in their respective policies. Further, 15 out of 22 of the assessment targets provide training to their staff before they are given access to the MHR system.

2.18       Most assessment targets (16 out of 22) had provided MHR training within the 12 months prior to the assessment.

2.19       Of the assessment targets that provided MHR training to their staff, the majority deliver the training either in person or via an online learning course. All assessment targets that engage short-term staff and contractors provide training to those who access the MHR system as part of their role.

Areas for improvement

2.20       Three assessment targets reported that their staff do not receive any MHR-related training. Three assessment targets advised that their staff were provided access to the MHR system without having first received training. Implementing MHR-specific training is one of the minimum requirements for accessing the MHR system under Rule 42 of the My Health Records Rule. Healthcare providers must be able to train staff before their organisation connects to the MHR system.

2.21       Several assessment targets (12 out of 22) do not offer MHR refresher training to staff. 

Training helps ensure staff are aware of their MHR and privacy obligations and handle personal information in a consumer’s MHR accordingly. This can reduce the likelihood of a breach of MHR privacy and access security obligations. Healthcare providers should provide regular and ongoing training to staff annually, in addition to ad hoc training when there are changes to legislation or MHR system functionalities.

2.22       The training offered by the majority of assessment targets does not cover the legal obligations on the organisation and their staff accessing MHRs, and the consequences of breaching those obligations, as part of their training.

2.23       Only 13 out of 22 assessment targets maintain a register of staff who have attended training.

Physical and information security measures

Areas of good privacy practice

2.24       Most assessment targets reported good physical security measures such as:

  • requiring staff to login to devices using a username and password, or similar approach
  • locking staff out of accounts after a specified number of failed logins
  • positioning monitors so they cannot easily be read by unauthorised persons
  • maintaining an up-to-date register of staff who are authorised to access the MHR system
  • automatically locking devices if left inactive or unattended.

Areas for improvement

2.25       Two of the assessment targets did not require staff to use a password when accessing MHRs.

2.26       Most assessment targets had a required minimum length of less than 10 characters for passwords, and some had no requirement to use a combination of letters, numbers and symbols.

Rule 44(c) requires healthcare providers to employ reasonable user account management practices including having password and/or other access mechanisms that are sufficiently secure and robust given the security and privacy risks associated with unauthorised access to the My Health Record system. The OAIC recommends for healthcare providers to apply the ADHA’s recommended standard of 13 or more characters (using a combination of letters, numbers and symbols) to all passwords used to access the My Health Record system. This will ensure that passwords used to access the MHR system are sufficiently complex and secure to comply with Rule 44(c).

2.27       Seven assessment targets required staff to change passwords either annually or bi-annually. Where this was the case, the OAIC recommended passwords to be changed every 90 days in order to reduce the risk of unauthorised access to the MHR system.

Risk management and risk mitigation strategies

Areas of good privacy practice

2.28       Most assessment targets (17 out of 22) reported having a procedure in place for identifying and responding to MHR-related security and privacy risks.

2.29       Most assessment targets (16 out of 22) kept an incident log of suspected or actual MHR system breaches that records the date and time of breach, the user account involved and the patient whose information was involved in the breach.

Areas for improvement

2.30       Whilst most assessment targets maintained an incident log of suspected or actual MHR system breaches, the level of information recorded varied amongst targets. The majority of assessment targets (18 out of 22) did not record the following matters relevant to managing a security breach under APP 11:

  • how the incident occurred
  • how the incident was contained and rectified.

2.31       The assessment also identified that monitoring user access to the MHR system through audit logging was a recurring area for improvement with only nine out of 22 assessment targets reporting using audit logs to monitor staff access to the MHR system.

2.32       Of the pharmacies that did not use audit logs, the majority of pharmacies undertook no other form of monitoring staff access to the MHR system.

Under Rule 42(4)(e), healthcare providers must have mitigation strategies to ensure MHR system-related security risks can be promptly identified, acted upon and reported to management. Audit logs are an important tool that can be used to monitor staff access to the MHR system. Maintaining a chronological record of system activities is key to detecting unauthorised access to the MHR system.  Audit logs should record the user identity, date and time of access, whose MHR was accessed and the type of information that was accessed.

----- End Extract

Here is the link:

https://www.oaic.gov.au/privacy/privacy-assessments/summary-of-the-oaics-assessment-of-14-pharmacies-and-eight-diagnostic-imaging-services-access-security-governance-for-the-my-health-record-system/

The report – which is just a summary – shows the on-the-ground security of pharmacies and DI service providers is basically a joke. No audits, minimal training, no user de-activation, no passwords on access or infrequent password changes, and so the list goes on!

And this was found without site-visits!

Those responsible for this should hang their heads in shame! Also note that the Audit Office and this blog and its readers have warned of these issues for ages! What a fiasco! 

I wonder how many of the issues found have been addressed across the thousands of sites provided this access? I am sure the answer is "no one knows"!

David.

 

A Golden Age Of Health IT Is Coming According To One Expert.

This appeared a few days ago.

Wachter believes world will enter ‘a golden era’ of health IT

A US ‘digital doctor’ has said he believes the world is about to enter ‘a golden era’ of health IT which will lead to better care for patients.

Hanna Crouch – 9 December, 2020

Speaking at the openEHR 2020 digital event on November 24, Robert Wachter, a professor and chair of the department of medicine at the University of California in San Francisco, gave his view on ‘healthcare’s digital revolution’.

Wachter is a known figure in NHS IT after he led a 2016 review into how the health service can harness the power of technology in order to improve care.

The author gave a keynote which included looking at what lies ahead in terms of healthcare IT.

“I think we are going to enter a golden era where healthcare is going to be better, safer and less expensive and more satisfying, ultimately for not only patients, but clinicians as well,” Wachter said.

“But that is utterly dependent on getting a whole lot of things right that we have not got right so far, including moving effectively into an era where we take advantage of the EHR but we are no longer dependent on them and we enter a post-EHR era.”

Another part of Wachter’s keynote was “several easy predictions and a hard one”. The easy predictions included the notion that “health IT will, ultimately, transform health and healthcare” but the hardest to predict is when.

“I have no idea when, not next year, but maybe five years, maybe ten years – but probably not longer than that,” Wachter added.

More here:

https://www.digitalhealth.net/2020/12/wachter-believes-world-will-enter-a-golden-era-of-health-it/

Do you agree?

David.

AusHealthIT Poll Number 557 – Results – 13th December, 2020.

Here are the results of the poll.

Do You Believe Use Of The Australian Immunisation Register To Record COVID19 Shots Should Be Compulsory And Associated With Heavy Fines For Failure To Record Doses?

Yes 44% (32)

No 49% (36)

I Have No Idea 7% (5)

Total votes: 73

A split vote, with compulsion not favoured by a small margin. May have been a slightly confusing question.

Any insights on the poll welcome as a comment, as usual.

A pretty low number of votes.  

It must also have been a very hard question, with 5/73 readers not sure how to respond.

Again, many, many thanks to all those who voted!  

David.