This session happened last week.
----- Begin Transcript
Joint Committee of Public Accounts and Audit
19/05/2020
Cyber Resilience (Auditor-General's Reports Nos 1 and 13 (2019-20))
Present:
CLEVERLEY, Mr Simon, Acting Assistant Secretary, Digital Health Branch, Department of Health
HEHIR, Mr Grant, Auditor General, Australian National Audit Office
McCABE, Mr Daniel, First Assistant Secretary, Provider Benefits Integrity Division, Department of Health
McMAHON, Ms Bettina, Acting Chief Executive Officer, Australian Digital Health Agency
O'CONNOR, Mr Ronan, National Health Chief Information Officer, Australian Digital Health Agency
RAUTER, Ms Lisa, Group Executive Director, Performance Audit Services Group, Australian National Audit Office
Evidence was taken via teleconference—
Committee met at 10:03
CHAIR (Mrs Wicks): I declare open this public hearing via videoconference and teleconference of the Joint Committee of Public Accounts and Audit in reference to the inquiry into cyber-resilience. I thank all witnesses for being here today. Today's hearing is focused on Auditor-General's report No. 13 2019-20, Implementation of the My Health Record system, and Auditor-General's report No. 1 2019-20, Cyber resilience of government business enterprises and corporate commonwealth entities. Before we commence discussions, could I have a member present move that media present may cover today's proceedings on the condition that cameras neither film nor take photos of the private papers or laptops of committee members, secretariat and witnesses, and that the reporting of proceedings be fair and accurate.
Ms BELL: I move that.
CHAIR: Thank you. Those against? I declare that carried. These hearings are formal proceedings of the parliament. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of the parliament. The evidence given today will be recorded by Hansard and attracts parliamentary privilege. I note that the Auditor-General has tabled an opening statement. Before I throw to questions from members of the committee, do the Australian Digital Health Agency or Department of Health wish to make any opening comments?
Ms McMahon : No.
Mr McCabe : No.
CHAIR: I now invite questions from members on the committee.
Mr HILL: Firstly, your submission was a joint submission from the Digital Health Agency and the Department of Health. The submission talks of responding to the ANAO report and its recommendations, but there's no detail as to what is being done or when. It's kind of all process and 'trust us, we'll do it at some point'. The submission refers to an implementation plan, which I found on the internet, but it strangely seems to contain no time frame for implementing the recommendations. So my questions, therefore, are: firstly, why are there no time frames; and, secondly, can you tell the committee and the public when the end-to-end privacy assessment under the opt-out model will be completed, when the review of emergency access function and notifying the Information Commissioner of potential and actual contraventions will be completed, when the assurance framework for the third-party software connecting to the My Health Record system will be completed, when a compliance strategy to monitor compliance with the mandated legislated security requirements will be completed, and when the program evaluation plan will be completed to monitor activities across the coming years?
Ms McMahon : Thank you for your question. We link to the ANAO My Health Record Performance Audit Implementation Plan, which you referred to, in our response. If you refer to section 6 in that plan, you will see we provide a high-level indicative time frame. That includes approval of our plan by the accountable authority, our board, in February; that occurred. We undertook context and analysis that was planned for February and March; that has been completed as well. Engagement was due to be conducted from March to July 2020; we shifted that back slightly to take into account the availability of stakeholders, who we need to work with, in the health sector, and so that instead commenced in April. That's likely to run through to the end of July or August. We're currently negotiating time frames with stakeholders.
We're checking if those other dates in the indicative time frame are still achievable. There's an appendix to our implementation plan which goes into more detail on the time frames for each of the recommendations. I didn't manage to note each of your questions before. Would you like me to go into more detail on each of the recommendations and the time frame in the appendix to our plan?
Mr HILL: I'm happy for you to take them on notice. I was simply asking the question in relation to each of the recommendations that the Auditor-General made and that you committed to implement. I am particularly keen to know when you expect they will be completed. I understand that sometimes these things slip—that's the way of things—where there's good reason. I think it would help the committee assess your response if you could take those questions on notice and provide advice on when you think each of those things will be completed.
Secondly, in reading through the plan, some of the constraints, or rubbery time frames, seem to be about a lack of resources. You note that some of the activities were unfunded and outside the scope of the 2019 work program, and will depend on the resourcing. Are you saying that you got that resourcing in mid-February?
Ms McMahon : Your first question was around time frames and whether we can provide those time frames—
Mr HILL: Focused on when things will be completed; thank you.
Ms McMahon : Yes. In appendix A, there are indicative time frames around completion. The first completion date is around December 2020. The final completion date is October next year, which is within the two-year time frame that we've articulated we'll implement each of the recommendations. Sorry, I've forgotten your second question.
Mr HILL: It was about resourcing. There was some discussion about resourcing not being available.
Ms McMahon : The reason we said it would depend on resourcing is that the Australian Digital Health Agency receives funding in 12-month increments at the moment. At the time we developed the implementation plan, we didn't have the funding concerned for the next financial year. We do now have funding, which was provided through the supply bills in March, through to the end of January. So we do have sufficient funding to implement these recommendations.
Mr HILL: That's great. Thank you.
CHAIR: I've got some questions that follow on from the deputy chair's. My first question is to both the Department of Health and the Digital Health Agency. The implementation plan came from the recommendations in the Auditor-General's report. Has the ANAO seen it?
Ms McMahon : We did consult with the ANAO when we developed the plan in December. They also sit on our audit and risk committee, which is an advisory committee to our board, as an observer. The audit and risk committee plays an oversight role to provide assurance that we're implementing the plan. Through their membership as an observer on our audit and risk committee, they see regular updates on our progress against the plan and they see the plan itself.
CHAIR: Does anyone from the ANAO have any comments on how a detailed implementation plan is of assistance to entities in addressing recommendations?
Mr Hehir : The work that we've done looking at the implementation of recommendations, whether they be from the ANAO or parliamentary committees, indicates that the best chance of successfully implementing recommendations is to have a plan and for it to be monitored, usually through the audit and risk committee. That will put some accountability in terms of who's going to do things and by when. We think setting up those types of frameworks is the best practice way of driving implementation. We've seen the implementation plan and observed it through the committee. We haven't really done any detailed work on it; we've just observed that the agency is going through the process of setting up the plan and reporting back on it to the committee.
CHAIR: To either the Department of Health or the Australian Digital Health Agency—this question is a little bit detailed; I'm happy for you to take this on notice—at paragraph 4.1, you indicate:
Co-design activities are scheduled to run from February 2020—July 2020. This activity is unfunded and outside the scope of the 2019/20 work program.
Have the co-design activities commenced? If not, when? I appreciate some of these questions may overlap with the deputy chair's.
Can I go to my other question. The execution of the solutions is scheduled for August 2020. Is that still the case or is there a revised time line?
Ms McMahon : At the time of writing, the amount hadn't been identified in the current, new budget. We have since done that. The activities both in this financial year and the next financial year to implement the recommendations are funded. On your question about any slips in the time frame: yes, we are foreseeing a slip in some of that co-production due to the availability of stakeholders. The co-production for the privacy risk assessment commenced in April and is about to commence for the other recommendations. We're currently negotiating with stakeholders as to when they'll be able to assist us. We're forecasting around August at the moment for the completion of the privacy risk assessment and we'll finalise our time frames on the other recommendations shortly, based on stakeholder feedback.
CHAIR: Has there been any impact in regard to time lines, resources or engagement of stakeholders due to COVID-19?
Ms McMahon : Yes, absolutely. That is the reason why stakeholders are less available. Resourcing is not an issue for the agency but we're cognisant of the capacities, particularly around emergency access—there are people working in hospitals and running health services who we need to consult with—and other stakeholders are very busy filling electronic prescriptions, for example, for telehealth. Those are the impacts on stakeholders. We want to work around their availability rather than forging ahead.
CHAIR: Thank you.
Mr HILL: I'll just finish off my other questions. Thanks for appendix 1; it was blank in the documents you sent us, but, you're right, we can find it on the website. That clarifies some of the questions I had.
On uptake, the Auditor-General talks about 90 per cent coverage of the population under My Health Record. But it's been put to me by practitioners that very few providers actually upload anything and that too many clinicians are not using the system. It's been described as clunky and hard to use, and people just avoid it. If we're looking at 90 per cent coverage of the population, we could expect 90 per cent of the data from medical appointments, tests and so on to be uploaded. In your view, are 90 per cent of the outcomes of consultations and tests being uploaded to the system? How do you know? How do you measure or assess uptake?
Ms McMahon : In terms of uptake, I can provide you with some of our latest figures. We've seen a significant increase in the use of My Health Record by both consumers and healthcare providers, particularly over the last three months. In relation to general practitioners, the month of March has seen the highest amount of viewing of documents yet, as well as uploads to track use. We saw about a threefold increase in viewing of documents by general practitioners. Around 20,000 documents are viewed each month. That's a threefold increase since the same period last year.
We've also got 95 per cent of the public pathology labs—not private but public—uploading into the My Health Record, which is a threefold increase, again, over the last year of tests being uploaded. We're seeing a significant viewing, particularly in general practices, of the medicines viewed. We're seeing GPs look at current medicines and also a large increase in looking at pathology reports, discharge summaries and the Medicare overview.
In public hospitals, we're seeing, again, medicines largely viewed along with the Medicare overview and prescription and dispense records of medicines in community pharmacies. We've also seen a significant increase in consumers themselves actually looking at the My Health Record. The most popular documents over the last month have actually been pathology test results that consumers are looking at.
Mr HILL: You can provide some more information. That all sounds very interesting, and it's nice that more people are using the system. That sounds positive, in a sense. But the thing I'm trying to understand is how you measure the total uptake. What are your assessments of what percentage of GPs are actually using the system of specialists? You mentioned a figure of 95 per cent of public pathology tests, but I'm trying to understand that, whilst the trajectories are positive, it could be from five per cent to 10 per cent, which is not a great story, or it could be from 70 to 80 per cent, which is a lot better. How do you measure it in terms of the total number of consultations and interactions that are being had? I suppose that's trying to get to the question: what evidence is there that it's achieving the high coverage really necessary to achieve the overall benefits?
Ms McMahon : Your question goes to uptake of different parts of the health sector. Over recent years, the agency has focused on the public and private hospital system, community pharmacies and general practices, in particular. Those were our focus areas initially. That's why we've seen quite high levels of use in those sectors and we were focused on whether it's professional training and CPD points or other sorts of support and uptake from their software vendors upgrading their system. We're currently working on the specialist sector, so we have much lower levels of use of specialists than we do of general practitioners, for example. I'm happy to provide statistics for you on notice to show different collection levels.
Mr HILL: That would be great. I think that would be of interest to try and understand the trajectory but also how you're going in terms of the total population. I'll just finish my questions; there's just one more brief area. On privacy, the report notes that no end-to-end privacy assessment under the opt-out model was ever undertaken, that none of the four scheduled privacy reviews by the Information Commissioner—who, I think, if I read the report right, was actually given money to do them—were ever undertaken between 2017 and 2019, and that the Digital Health Agency didn't have sufficient assurance arrangements of emergency access arrangements to not constitute an interference with privacy. Why not?
Ms McMahon : I think there are three parts to your question. One relates to the privacy, risk and impact assessment. If I can refer you to appendix 2 of the ANAO audit report, that lists 11 privacy risks and the impact assessments which were carried out on the system since 2011. There are an additional three that were carried out on the healthcare identity side of the service, which is a related system. The privacy settings have been developed and baked into the design of this system. The recommendation from the Auditor-General is that since we have completed the opt-out process we should also consider healthcare providers—whether they be general practitioners, hospital operators or others—as to the risk, holistically, of how that works after opt-out. It's not that we haven't undertaken a risk assessment; it's more that we've been recommended to broaden our scope. That's what we're doing at the moment in relation to the risk assessment.
The second is in relation to the OAIC. Correct—in the appropriation provided to the Australian Digital Health Agency, there is some funding that is earmarked for the OAIC to undertake basically its regulatory function. The mechanism we used for that is a services agreement to pass through that funding, and we've provided that. But it doesn't really operate in a true services contract way, because they have independence as a regulator. So any question—
Mr HILL: So what happened to the money?
Ms McMahon : We provided it to the OAIC to undertake that and other regulatory work.
Mr HILL: Right. But that function wasn't undertaken. They did something else, did they?
Ms McMahon : No, they aren't with the audits. My understanding is they just haven't published them yet.
Mr HILL: Auditor-General, would you want to comment on that bit?
Ms McMahon : I'm sorry, there was a third question.
Mr HILL: There was a third bit, sorry, about the assurance arrangements on emergency access.
Ms McMahon : In terms of the assurance arrangements, I think they're put out in section 3.42 of the Auditor-General's report. It notes that, in the sample of the period that they looked at, there were 205 instances where basically the privacy settings were overridden in the case of an emergency. The Auditor noted that, in every instance we requested from that healthcare provider, overwhelmingly this happens in emergency departments of state and territory health systems. To confirm that it was an emergency situation, almost all of those providers got back to us. There was one provider who, rather than going back on every single instance, provided assurance over the process that they followed and their assurance of that. So the Auditor-General has said that we should do more to then look at how that assurance was provided. We've agreed with that, and we're working with the states and territories on what a reasonable level of assurance that we can provide is without compromising safe care in an emergency environment.
Mr HILL: I have two final questions then. How many notices or reports have there been to the Information Commissioner regarding concerns or breaches? How many investigations have there been or are underway for fraudulent access?
Ms McMahon : I'll hand to Mr O'Connor to answer that question.
Mr O'Connor : In relation to the data breach notifications for 2019-20, we have notified of two potential data breach notifications within this current year.
Mr HILL: What do they relate to? What were the circumstances—without, obviously, breaching any individual patient privacy?
Mr O'Connor : The first notification was reported to the OAIC, and that was related to a potential compromise to an external information technology infrastructure supporting the wider My Health Record system.
Mr HILL: Can you put that in plain English? What does that mean?
Mr O'Connor : In effect, it meant that our security monitoring tools identified a potential vulnerability within the system. As a consequence of that, we notified the OAIC. The OAIC have reviewed what we shared with them, and we also worked with the Australian Cyber Security Centre. On that basis, they were happy with the outcome and there were no further investigations, so the matter was closed.
Mr HILL: Does that mean that someone tried to hack your system, there is a vulnerability or someone tried to get into a doctor's surgery? I just don't understand what it means.
Mr O'Connor : That meant somebody tried to hack our system—the external perimeter of our system. I want to assure the committee that there was no access into the My Health Record in any way whatsoever. No health information or personal sensitive information was accessed.
Mr HILL: Is there any conclusion or evidence as to who tried to hack it? Was it a teenage kid sitting at home? Was it a state sponsored actor?
Mr O'Connor : We don't have that level of information. We worked very closely with the Australian Cyber Security Centre, and on that basis we don't know the actor in this instance.
Mr HILL: Right. So, if we were curious about that, we'd need to ask them.
Mr O'Connor : Even then, we weren't able to identify the actor in this instance.
Mr HILL: And what was the second potential breach?
Mr O'Connor : The second potential breach related to a state healthcare facility. They became aware that their system had potentially been accessed without the healthcare recipient's authority. After investigations that were undertaken it was confirmed that the individual whose record was accessed was indeed receiving health care at that facility at the time of access, so there was no—
Mr HILL: Good. Okay.
CHAIR: I might flag that I also have a number of questions in relation to this topic. I'm mindful of the time, so I'd just like to flag that I will put them all on notice and advise the secretariat of that and thank witnesses present in advance for their willingness to respond to those.
Ms McMahon : Perhaps I could just correct my earlier evidence. I said that the arrangement with the OAIC was a services contract. I can confirm that it was actually a memorandum of understanding.
CHAIR: Thank you. Mr Watts?
Mr WATTS: I just want to ask a few questions about the context for both this report and the implementation plan, particularly around the shared risks that are noted in the report. The joint submission to this inquiry notes that the ANAO noted that 'Several state and territory auditors-general have reported on health sector vulnerability to cyberattacks' and that private health providers reported a high proportion of data breaches under the Privacy Act Notifiable Data Breaches scheme, with almost half relating to cybersecurity incidents. It concluded that not all healthcare provider organisations achieve minimum cybersecurity levels. Do you agree with that assessment?
Ms McMahon : We acknowledge that there is variability in the security standards that apply across the health sector in Australia. Some systems have very high standards, and then some less so. I will note, on the Notifiable Data Breaches scheme, that healthcare organisations don't have the exemption that applies to the rest of Australian business with a turnover of $3 million. So, you do actually get higher volumes with notifiable data breaches due to that. But, that aside, those reports have shown that there are risks to the health system from cyberattack, as there are in the rest of the economy, and those need to be managed through improved security over time, which is what we're working with the sector on at the moment.
Mr WATTS: So how do you assess the overall cyberattack threat level of Australian healthcare providers? What's the current level of malicious cyberactivity targeting healthcare providers? What's the potential damage that we could expect from these attacks?
Mr McCabe : We watch quite closely the broader health sector and impacts with cybersecurity, and it's an area we constantly look at with our service delivery partners—both the Digital Health Agency and our colleagues at Services Australia—to look at how we can strengthen those parts of the health sector that government participates in. I think when we look more broadly across the private landscape we also have to acknowledge that there are challenges that we've got to continue to work through with peak organisations around how they continue to lift their cybermaturity, and that comes through increased education, working with them on incentives where it's appropriate for updating their systems and updating their IT equipment and the like.
We're also conscious, though—and it is part of the work we continually do—of the need to work with states and territories. They are obviously key participants in the health system, and they have a lot of challenges in the cyberrealm as well. Really from where we sit we are looking at how we strengthen all the Commonwealth infrastructure to make sure that our infrastructure is protected while acknowledging that they also need to make investments in their infrastructure to protect security as well. So, it's a complex and quite distributed landscape that we need to manage, and we are always quite conscious of the challenges and risks around cyber.
Mr WATTS: Yes, I'll get to those shared risks and how that's managed briefly. But I just want to put to you that, say, Emsisoft, a security firm, identified 764 ransomware attacks affecting US healthcare providers in 2019 alone. These attacks included impacts on organisations that resulted in emergency patients having to be redirected to other hospitals, medical records being inaccessible and in some cases permanently lost, surgical procedures being cancelled, tests being postponed and admissions being halted. These ransomware attacks are generally targeted at specific providers. Do you agree that Australian healthcare providers are at risk of being targeted by cybercrime groups in much the same way as US healthcare providers have been to a very significant degree in recent times?
Mr McCabe : The Australian Cyber Security Centre's probably better positioned to answer that, but I think those risks are equally prevalent in our jurisdiction and also prevalent in other sectors of the economy. But really the Australian Cyber Security Centre's probably better positioned to comment on that than we are.
Mr WATTS: I am intrigued that you can't do threat modelling in this sector. How do you do standards improvement throughout the sector if you can't model the threat? To that point, the implementation plan that you've developed in response to the ANAO recommendations recognises:
… risks to the System arising from less mature data management standards and practices that exist in healthcare settings when compared to the standards and practices adopted by the core infrastructure.
So we're getting to the broader terrain here. Are Australia's GP practices aware of and prepared for this risk?
Mr McCabe : There are probably two comments there. I'll get the agency to comment on standards, but yes, I think in terms of the wider health sector, including GPs, their professional organisations do a lot of work to explain the risks and the mitigations that GPs need to have in place to safely manage the privacy and integrity of their patient data. The royal college of GPs and even pharmacy peak bodies have continuing professional development for their members to really explain their obligations and what they need to do around information security. So this is, going to your point, a shared risk that we have to work not only as government but also with the sector on to continue to lift the security posture of all of the systems and the data that are held in these systems.
Ms McMahon : I can add to that. We take advice from the Australian Cyber Security Centre on that risk. I don't want you to form a view that we're not aware of that. We take their advice on it, and we have our own cybersecurity team, who works closely with them. Then in terms of communicating what some of those drivers of risk are, I'll hand over to Mr O'Connor, who can reassure you of the communication that we have with the sector and the security standards community, including getting advice from our privacy and security advisory committee, which is advisory to our board and has experts on security on it.
Mr O'Connor : In addition to what my colleagues have said, yes, the agency's absolutely aware that there is a broad range of actors that are targeting the health sector in Australia and for that reason we absolutely work very closely with the Australian Cyber Security Centre, as Bettina mentioned. In recent weeks, threat actors have been conducting a range of COVID-19-themed social engineering attacks, which have impacted all sectors, including the health sector. On that basis, we work with the Australian Cyber Security Centre to issue alerts into the health sector. Some of the other work that we do in this regard links to other outreach initiatives whereby we work very closely with healthcare providers in relation to those alerts to assist them with improved security awareness and maturity.
We also have a range of cybersecurity guidance materials that we update on a regular basis. They were designed to encourage improved information security practices across the health sector and into GP practices. We work very closely with the peak organisations, including the Royal Australian College of General Practitioners, in this regard. And all our security guidance materials are published on our digital health and the website.
In addition to that, we have a range of presentations and workshops that we work with the industry on. Only recently, in relation to the social distancing, we have moved those seminars to virtual arrangements. In addition to that, we're just about to launch, next month, a digital health security awareness e-learning course, and provider organisations can access that course as well. There are a range of other activities that the agency undertakes. In relation to governance, we have a privacy and security advisory committee whereby we seek advice. There are a range of privacy and security experts who sit on that committee, and they advise the agency board on going forward. So those are a number of initiatives that we do to try and reach out into the community and improve the level of awareness and education.
CHAIR: I have a question on that, very quickly. In your view, then, is there a greater requirement—an ongoing increase to the requirement—for better education and awareness for GP practices, allied health practices and other healthcare providers on the risks of cyberthreats and the importance of cyber-resilience?
Mr O'Connor : The comment I would make here is that this is a continuing, ongoing improvement process. The landscape changes on a minute-by-minute, daily basis. On that basis, this is just ongoing in relation to the support that we provide to those organisations.
CHAIR: I have some questions to the ANAO, but I'm conscious that to some degree I'm interrupting Mr Watts, so I'll throw to Mr Watts and just flag that I've got some questions in relation to this.
Mr WATTS: I might just sneak a couple of questions in, and then I'm happy to hand over. Just on that, I fully appreciate that this is a moving landscape, but what benchmarking are you doing about existing practices amongst healthcare providers here? There are measurable things that we can track over time. For example, what proportion of GP practices have written contingency plans for ransomware attacks—contingency plans not just around data protection but about continuity of service and things like that?
Mr Cleverley : In the context of the My Health Record system, all registered participants—being GPs, pharmacists and the like—require a written security policy that outlines a whole range of different matters, including user account management requirements, training requirements, physical information security measures and mitigation strategies. There are written policies available on the My Health Record website to help guide general practices and pharmacists about how they adopt and implement these sorts of policies.
Mr McCabe : These policies are subject to audit or review by the Office of the Australian Information Commissioner as well. In terms of oversight, there is a role for the Information Commissioner to make sure, if they have a concern, that the relevant healthcare participant actually has these policies in place.
Mr WATTS: I just want to push beyond the core services here, though. Your submission notes, recognising what the ANAO had found:
It concluded that not all healthcare provider organisations achieve minimum cybersecurity levels and that this presented a broader shared cyber security risk that the Agency had a role in managing—beyond hardening the perimeter of the system.
I'm just trying to get to who is driving improving these baseline cybersecurity practices in GP clinics. Are you tracking progress on that? Are you measuring targets? How can we assess whether you're succeeding at this?
Mr McCabe : In the way that we're looking at this, there are a couple of factors. One is that obviously we've still got work ahead of us in terms of more detailed consultation with the peak organisations about lifting the security posture of all of those participants that interact with the Commonwealth government, and specifically with My Health Record. So that is a detailed design piece of work that we need to do with them about what is their current level of conformance and then how we might continue to attest that and its improvement.
The other point I want to make is that, from a Commonwealth perspective, we also look at this from another dimension. We also work very closely with our colleagues in Services Australia, who provide the Medicare and PBS services. In that regard, there are, I guess, a number of requirements that the same groups in the health sector have in terms of connectivity of systems into Medicare and the PBS. So part of the work that we're trying to do collectively at the Commonwealth level is to have a look at how we continue to lift the minimum level of conformance with security requirements for all participants that connect to Commonwealth infrastructure.
So really our focus is on what we can do at the Commonwealth level. As I mentioned before, there are many participants in the health sector. There are also state and territory governments, so I guess we have to be cognisant that we need to work with them on their requirements and what they're doing to lift their cybersecurity posture as well.
Mr O'Connor : In addition to the comments that Mr McCabe has made, I note that in relation to the national infrastructure and the My Health Record, which the agency has responsibility for, we have quite a comprehensive program of system and security monitoring whereby we have specialist security real-time monitoring tools configured and tuned to automatically detect any anomalies or unusual behaviour in the system itself. This monitoring of activity includes system-to-system activity in relation to endpoints. All traffic to and from the My Health Record system is monitored and, if there is any unusual behaviour or activity, we have the opportunity to notify that organisation. In instances where we have particular concern, we can suspend access from that organisation to the My Health Record system. So, as I say, the amount of work that we do is quite comprehensive. We have set up a dedicated and staffed cybersecurity centre here within the agency, and there is a particular team that's solely responsible for monitoring the system and any activity and behaviour.
Mrs WICKS: I have a quick question following on from that. Are these requirements that you're referring to formalised? Is this part of a structured framework? Is this something that all healthcare reporters are required to do in a consistent manner? If not, do you have any plans, or are there any proposals, to do something like that? Things like cyber-resilience and cybersecurity are not something that you learn in the same way you learn the basics of English, maths and some of these other things, and it's not necessarily a specialty of individual healthcare providers. So my question is: what can the Australian Digital Health Agency and the Department of Health contribute to ensure that we are cyber-resilient, broadly speaking, across the health industry?
Ms McMahon : In terms of having a base level of requirements, which I think is what you're asking about, first of all the My Health Records Act itself has some provisions in there. My colleague Mr Cleverley has outlined the plans and training that are required for healthcare providers. Section 61 of the act specifically talks about user account management and protection mechanisms required for robust security and privacy and preventing unauthorised access. We also have conformance requirements. Before software is able to connect to the My Health Record system and the Healthcare Identifiers Service as a connected system, there are standards in that conformance scheme that those software packages must meet. Then there are the other professional standards around record keeping, which Mr McCabe mentioned earlier. So there are a number of measures in place. However, we do recognise that we want to continually improve those, and that's the work that we've embarked on in terms of identifying those standards and aligning them to other standards in place for the MBS and PBS software, which makes sense to us at a Commonwealth level and also minimises impact. For the software vendors, there'll be a consistent set of standards across all of their connections. That's the work that we're doing at the moment.
Mr McCabe : I will just add to Ms McMahon's comments. One of the things that we're very conscious of is that the health profession—not unlike the rest of society, including private organisations—is still bound by the Privacy Act or specific privacy provisions in the My Health Records Act. That is a foundation for the work that we need to do around security. Part of the work that we do and will continue to do with our health stakeholders is really to look at security as a control for privacy risk. Doctors have obligations under their indemnity insurance, under the Privacy Act and under state and territory legislation to maintain privacy. But security is a key control for privacy, so part of the work we continue to do with them is to look at how we can strengthen security controls at a Commonwealth level and what we can require them to conform to and, obviously, to assist them with meeting their broader privacy requirements as well.
Mr WATTS: I've only got two or three more questions, but I want to start by asking any of the ANAO people on the call—maybe Mr Hehir—if you have a perspective on this discussion, particularly in the context of shared risks around healthcare providers.
Mr Hehir : Most of the discussions have been about the complexity of the sector and how you get change in the sector to meet the requirements. Our report points out what those statutory requirements are with respect to the parties, particularly around the requirements for them to be compliant with cybersecurity standards on registration and then ongoing. The issues we raised were largely around how effective the process was in ensuring that compliance. Part of the response to our report from the agencies and what you've heard today was the balance between meeting statutory requirements and ensuring broad uptake of a system. I think, at the end of the day, parliament has put through some legislation saying that certain things have to happen before someone can be registered as a provider, and that's sort of where we landed with respect to the recommendations.
Mr WATTS: Back to the department: maybe this is something you need to take on notice, but I didn't get the impression listening to your answer that there are existing benchmarks of cybersecurity practice within healthcare providers. I'm thinking particularly about GPs, although you completely correctly identified pharmacies and other smaller providers. I'm just thinking that there has been benchmarking done in other sectors. The current government undertook an ASX 100 cyberhealth check report to try and assess practices and governance across ASX 100 companies with the intent of creating a benchmark to improve performance throughout the ASX. I suppose my question to you—and I'm happy for you to take it on notice—is: what is the best benchmarking the government has done on this practice, and how can we measure improvement on this over time as a committee?
Mr McCabe : I guess there is no holistic end-to-end benchmarking that we have done in this space. Rather, we look at this with our colleagues at the Digital Health Agency or with our colleagues at Services Australia on a program-by-program basis, so it's not something we've done end to end. I guess as we engage more deeply with key stakeholders in this space there will be opportunities for us to contemplate how we might be able to expand the overall posture for all of the participants. But that's probably still ahead of us.
Mr WATTS: Just to confirm, none of the healthcare provider peak groups are members of the Joint Cyber Security Centres, are they?
Mr McCabe : Not that I'm aware of.
Mr WATTS: We've established that there has been a tidal wave of cyberattacks targeting US healthcare providers in recent times. The threat environment is pretty acute here. We've seen some incidents in Australia, but we can expect that the risk of this could grow significantly if threat actors turn their attention our way. In this context, the implementation plan that you've sent to us states:
Our target state by November 2021 is to see measurable improvements in security standards in priority parts of the health system, and a roadmap for improving standards and practices across the rest of the sector.
Given the volume of cyberattacks being experienced by healthcare providers around the world and the imminent threat that these groups could turn their attention to Australia, why are you only aiming to achieve measurable improvements two years after the release of this ANAO report?
Ms McMahon : Just to confirm, that comment in our implementation plan was in relation more to the time frame of two years from the tabling of the report. We are constantly working with the sector both to issue alerts on current threats as they emerge, particularly the ones that you referred to at the moment, and to equip the sector, so this work is ongoing. Our comment in the implementation plan is more specifically around the recommendations of this report and the consistency of meeting those standards across the sector.
CHAIR: By leave of the committee and if it is okay with our witnesses, I would like to potentially extend this hearing by up to another 15 minutes. With no objection, I'll take that as read. Thank you all very much.
I'd like to go to three parts, and I'll just flag that I'll ask a couple of questions and may put a couple of additional questions on notice as a result of some of the information that's come out of today's hearing. Firstly, I'd like to turn to the Protective Security Policy Framework, which I'll refer to as the PSPF. A question to the Australian Digital Health Agency: in terms of your use of the PSPF and the information security manual, I understand that it's mandatory for you to apply the Top Four strategies from the PSPF. My question is: how do you assess your compliance with those strategies?
Mr O'Connor : The first thing to say is that we're fully compliant with not just the Top Four but the Essential Eight with regard to what you're referring to. We continually assess ourselves against that. Since the agency has responsibility for the My Health Record and the wider structure associated with that, we had, essentially, a compliance mark in 2017. That was renewed again in 2019. We're due to have another assessment in June 2020.
CHAIR: Is this largely a self-assessment in terms of compliance? How does it actually work? Could you explain what the process is? Is it more of a self-assessment, or is there an expert group within your organisation?
Mr O'Connor : It's actually done by an independent. It's an ongoing accreditation. Security assessments are undertaken. It's called an IRAP assessment, which is in line with the Australian government's Information Security Registered Assessors Program—so it's IRAP. It facilitates accreditation of the system.
CHAIR: A question to the ANAO in relation to compliance with cybersecurity controls: in reference to this audit report, how would the agencies audited in this report—for the benefit of the Hansard record I'll make it very clear that I'm referring to Auditor-General's report No. 13 of 2019-20—sit against any other corporate Commonwealth entities that you have audited?
Mr Hehir : With this particular audit we didn't do the same type of cyberassessment that we do in our cyberaudits. In this case what we looked at was the codes that the agency had in place for its assessment. Effectively, it was more of a positive assurance. We looked at the external reviews that they had done and their internal processes, and we reported that, effectively, they had provided assurance that they met the mandatory four and the top eight. We didn't do an independent assessment of those things in that audit like we do in the cyberaudits, so it's hard to do a comparison from that point of view with respect to other agencies.
We've reported in other audit reports that sometimes we've found that IRAPs haven't always provided an accurate indicator of cyber-resilience. In a number of audits we've said that. That said, they are a key part of the framework, so it's an important part of what agencies undertaking them do.
CHAIR: Your report indicates in paragraph 3.71 that there were assessments of shared cybersecurity risks but also makes reference to potential consequences to vendors, healthcare providers and healthcare recipients. I'm just wondering if you'd like to elaborate further on that. To assist: what I'm actually asking is where the burden is for the management of cyber-resilience in a program like this.
Ms Rauter : As we've discussed before, the burden is actually on ADHA. Under chapter 11 of the PSPF, the burden or responsibility for those full cybersecurity controls is on ADHA. They need to give themselves assurance that the entities that are accessing the My Health Record system, which are the third-party software vendors and the healthcare providers, have a sufficient level of security control in place that they would accept that risk into their own cybersecurity system. This is where our recommendation in the report comes from in terms of having some kind of accreditation system to give themselves assurance that those appropriate levels of cybersecurity controls are in place.
In paragraph 3.71, which you referred to, there are in place the National Infrastructure Operator and Services Australia as well as numerous other organisations, but the ADHA have focused quite strongly on their core infrastructure. But we think there should be more assurance frameworks in place for the access outside of that core infrastructure that connects into that core infrastructure. Does that answer your question?
CHAIR: Thank you very much. I'm hearing a lot about very commendable efforts to make sure that there is awareness education and strong compliance in terms of individual entity risk assessments et cetera. My question is whether there is an overarching role or a greater role—what role the policy owner would have. Or does it come down to the individual entity and their risk assessment?
Ms Rauter : There is a greater role for ADHA, particularly in terms of the monitoring work and the compliance that they do out in health provider land. We found that there was some compliance checking happening in terms of whether those health suppliers had a security plan in place, but there could have been much more robust checking in terms of the number of health providers that they did those compliance checks on and also what they looked at. What we reported in the audit was that they looked at whether the health providers had a security plan in place but they didn't look at their other controls that are required under the My Health Record legislation in terms of organisational policies for user authorisation, whether they had appropriate training in place for those using the system, whether they had appropriate arrangements in place to identify the recipient of the information, whether they had good physical security for their IT systems—regularly changing user passwords and things like that—whether they had appropriate data backup systems and so on. So we think that, from the ADHA's point of view, there could be more thorough checking of those controls that are required under the legislation for them to be a regular user of the system.
CHAIR: Paragraph 3.84 notes:
The ADHA Board noted dedicated cyber security briefings on four occasions between July 2016 and February 2019.
I've got that right? That's four over the course of not quite three years. Is four sufficient?
Ms Rauter : What we've implied in 3.84 is that we would have expected at least progress on those reviews to have been reported back to the board. Given that it's a high risk in their own risk register, the board would have had more regular reporting than that.
CHAIR: Thank you. A further question to a representative of the ANAO: with regard to the appropriateness of risk management, could you expand on why risks are increased in this program because they're shared risks between the number of entities and individuals? I think we've already touched on this, but do you have any further comment on that?
Mr Hehir : Shared risks bring additional risks, I suppose, and the increase is because there needs to be coordination between various agencies to manage the risk. That is what it comes down to. The more third parties and other players have to do with ensuring that you can mitigate a risk, the more complex it is to deal with it. So it's simply the number of players involved and getting accountability in the right spot for where mitigation can best occur.
CHAIR: Okay. I have a number of other questions, but I realise that, if I start asking them, we'll probably go significantly over time. I indicate that I will place the remainder of my questions on notice and ask if there are any final comments or questions from members of this committee.
Mr HILL: With regard to the Auditor-General, the discussion much earlier in the hearing and the questions that I put regarding the privacy assessments and so on, I just wanted to give you the opportunity to make any further comments on those aspects.
Mr Hehir : No, I don't think I have any other comments.
Mr HILL: I had half got back to you, but then we kind of moved on. That's fine. Thank you.
CHAIR: I would like to thank all witnesses present today, via teleconference or videoconference or in person. If you've been asked to provide additional information or responses to questions taken on notice, could you please forward them to the secretariat by Tuesday 2 June 2020. Further questions will be sent through to you in writing through the secretariat. Thank you very much for your attendance.
Mr O'Connor : Chair, I just want to make a correction to something that I said earlier in relation to the certification process for Essential Eight and the IRAP. I got the dates slightly mixed up. We received compliance in 2017, as I mentioned; the next compliance date was 2018, not 2019; and we are due for renewal again in 2021. I just wanted to correct that for Hansard. Apologies.
CHAIR: Thank you. We are now moving to new witnesses, but ANAO representatives will remain on the line.
----- End Transcript.
Here is the link:
I think it would be fair to say that Ms McMahon managed to block and tackle all the questions just as nicely as her predecessor. To me it is clear the ADHA is moving very slowly on fixing its security and has no real idea of how it can solve the security of the endpoint access issue. They just have to watch closely.
This paragraph is interesting:
“Ms McMahon : In terms of uptake, I can provide you with some of our latest figures. We've seen a significant increase in the use of My Health Record by both consumers and healthcare providers, particularly over the last three months. In relation to general practitioners, the month of March has seen the highest amount of viewing of documents yet, as well as uploads to track use. We saw about a threefold increase in viewing of documents by general practitioners. Around 20,000 documents are viewed each month. That's a threefold increase since the same period last year.”
Noting that there are 36,000 active GPs in Australia, that means that each GP is viewing a #myHealthRecord about once every 2 months. Hardly what I would call active use!
Here is the source of the GP number information.
Basically, the system is an unused pile of aging documents that is costing us all heaps!
David.