Securing personal information — Australian Digital Health Agency

30 June 2020

Glossary

Term – Definition

Personal Information[1]

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

Sensitive Information[2]

  1. information or an opinion about an individual’s:
    1. racial or ethnic origin; or
    2. political opinions; or
    3. membership of a political association; or
    4. religious beliefs or affiliations; or
    5. philosophical beliefs; or
    6. membership of a professional or trade association; or
    7. membership of a trade union; or
    8. sexual preferences or practices; or
    9. criminal record;

    that is also Personal Information; or

  2. health information about an individual; or
  3. genetic information about an individual that is not otherwise health information; or
  4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  5. biometric templates.

Abbreviations

Abbreviation – Definition

ACS – Access Control System
ADHA – Australian Digital Health Agency
APP – Australian Privacy Principle
ASD – Australian Signals Directorate
BCP – Business Continuity Plan
CDPP – Commonwealth Data Protection Protocol
CERT – Computer Emergency Response Team
DHS – Department of Human Services
DVA – Department of Veterans’ Affairs
DVS – Document Verification Service
DRP – Disaster Recovery Plan
EHR – Electronic Health Record
HI – Healthcare Identifier
IRAP – InfoSec Registered Assessors Program
IMS – Incident Management System
ISM – Information Security Manual
ISMS – Information Security Management System
LACS – Logical Access Control System
MHR – My Health Record
NASH – National Authentication Service for Health
NEHTA – National E-Health Transition Authority
NIO – National Infrastructure Operator
NRS – National Repositories Service
NTT – Nippon Telegraph and Telephone
OAIC – Office of the Australian Information Commissioner
PACS – Physical Access Control System
PBS – Pharmaceutical Benefits Scheme
PSAC – Privacy and Security Advisory Committee
PCEHR – Personally Controlled Electronic Health Record (now MHR)
PHR – Personal Health Record
PI – Personal Information
PIA – Privacy Impact Assessment
PKI – Public Key Infrastructure
PRODA – Provider Digital Access
PSPF – Protective Security Policy Framework
RACGP – Royal Australian College of General Practitioners
SO – System Operator
SNOMED CT‑AU – Systematized Nomenclature of Medicine – Clinical Terms Australia
TRA – Threat & Risk Assessment

Part 1: Executive Summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC’s) privacy assessment of the My Health Record[3] (MHR) system, as operated by the Australian Digital Health Agency (ADHA, as the System Operator) and Accenture (as the contracted National Infrastructure Operator – NIO).

1.2 The purpose of this assessment was to establish whether the ADHA was taking reasonable steps to secure personal information in accordance with Australian Privacy Principle (APP) 11 and the relevant provisions in the My Health Records Act 2012 (Cth). More specifically, this assessment considered whether the ADHA had sufficiently documented its information handling policies, procedures, governance and training.

1.3 The OAIC engaged Lockstep Consulting, a privacy consulting firm, to undertake the privacy assessment jointly with OAIC staff, and to provide analysis of the information security arrangements deployed in the MHR system. The assessment was conducted in June 2018.

1.4 The scope of this assessment included a review of the information security arrangements deployed in the MHR system, in particular a review of the System Operator’s and NIO’s policies, procedures, governance and training applicable to the storage and security of personal information contained in the NRS, as well as the ADHA’s implementation of these policies and procedures.

1.5 The assessment did not include a physical review or testing of the technical capabilities of the ICT systems used by the System Operator or NIO, but considered past third-party reviews, which the assessors re-examined.

1.6 The assessment also considered the privacy and security measures put in place by the System Operator, following previous assessments and security reviews. The ADHA’s implementation of the policies and procedures and external reviews were assessed on the basis of staff interviews and review of documents.

1.7 The OAIC found that at the time of the assessment the ADHA had taken a number of reasonable steps to secure personal information in accordance with APP 11. However, the assessment also identified some issues relating to document quality, documentation processes, security organisation and management oversight. Establishing the state of security appeared harder than it should be, due to:

  • incomplete and inconsistent documentation
  • management complexities, such as multi-layered security and privacy committees, which seem to have delayed consideration and remediation of security review findings.

1.8 The assessment team considers that, going forward, mitigating privacy risks depends on improved visibility of security management, responsiveness to findings, and attention to detail.

1.9 The assessment team has made eight recommendations to address a number of medium level privacy risks and one high-level risk identified during the assessment. The recommendations, and ADHA’s responses, are outlined in Parts 4 and 5 respectively of this report.

Part 2: Description of the assessment

Background

2.1 This assessment is the third in a series of OAIC reviews of the MHR System Operator (SO). Previous OAIC assessments were conducted in 2014[4] and 2016[5] when the Department of Health was the System Operator for the Personally Controlled Electronic Health Record (PCEHR).

2.2 In addition to these assessments, an end-to-end security review was commissioned by the Department of Health in 2015 and completed in 2016.

2.3 A two-stage InfoSec Registered Assessors Program (IRAP) assessment commissioned by ADHA was also concluded in 2017.

2.4 The ADHA announced on 14 May 2018 that every Australian will be offered an MHR unless they choose not to have one during a three-month opt-out period, which initially ran from 16 July to 15 October 2018.[6] Subsequently, the Minister for Health extended the opt-out period, which concluded on 31 January 2019.[7] The commencement of the opt-out period for My Health Record was a significant factor in undertaking this assessment. Considering that the SO must be in a position, from both a security and a performance perspective, to manage a significant increase in the number of health records in the MHR system by the end of 2018, it was timely to conduct a privacy assessment to ensure the security of personal information held in the system.

Objective and scope

2.5 The objective of this assessment was to consider whether ADHA was taking reasonable steps to secure personal information collected and retained under the My Health Record (MHR) system in accordance with APP 11 and relevant provisions of the My Health Records Act 2012 (Cth). APP 11 requires an entity to take reasonable steps to:

  • protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure (APP 11.1)
  • destroy or de-identify personal information (APP 11.2).

2.6 As part of its ongoing oversight role, the OAIC also sought to re-examine the privacy and security measures put in place by the System Operator, following previous assessments conducted in 2014 and 2016, and the end-to-end system security review of 2015. These assessments focused on the storage and security of personal information held in the National Repositories Service (NRS). The NRS is the database system operated by NIO which holds the key data sets which make a My Health Record (see paragraph 3.2 below).

2.7 The scope of this assessment included a review of the information security arrangements deployed in the MHR system, in particular a review of System Operator and NIO’s policies, procedures, governance and training applicable to the storage and security of personal information contained in the NRS and the implementation of these policies and procedures (see Figure 1 below which depicts system components that are within the scope of this assessment). The ADHA’s implementation of the policies and procedures and external reviews were assessed on the basis of staff interviews and review of documents.

2.8 This assessment was risk-based. It focused on identifying privacy risks to the effective and secure handling of personal information in the MHR system, as informed by APP 11 and relevant provisions of the MHR Act, by examining whether the ADHA had sufficiently documented policies, procedures and training in place.

2.9 DHS systems leveraged by (but not part of) the NRS were outside the scope of this assessment. These included the Access Management System, the Customer Relationship Management System, the Client Data Management System, the MyGov system, other DHS repositories, along with Department of Veterans’ Affairs (DVA) systems, which provide data to the MHR system as a trusted source.

Approach

2.10 The assessment was guided and informed by the OAIC’s Guide to securing personal information - ‘Reasonable steps’ to protect personal information. The Guide identifies operational aspects of relevance, including:

  • governance, culture and training
  • internal practices, procedures and systems
  • ICT and access security
  • third party providers
  • data breaches
  • destruction and de-identification
  • information security standards.

Privacy risks

2.11 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

2.12 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken (June 2018).

Assessment methodology

2.13 The assessment team, comprising staff from Lockstep Consulting and the OAIC, conducted a desk-top review of relevant security policy, design, operations documents and staff training materials.

2.14 Past security review reports were also examined to identify any risk control deficiencies relevant to this assessment and to ensure they had been remedied.

2.15 The assessment team also conducted in-depth interviews with key staff from the SO and NIO at ADHA’s Canberra office in June 2018.

2.16 The assessment did not include a physical review or testing of the technical capabilities of the ICT systems used by the SO or NIO but relied (in part) upon past third-party reviews, which the assessors re-examined.

2.17 The OAIC considered the findings and recommendations made by Lockstep Consulting in the process of writing this report.

Reporting

2.18 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Part 3: Introduction

Overview of My Health Record

3.1 The My Health Record system is the Australian government’s digital health record system and provides a My Health Record for each consumer.[8] My Health Record is an online summary of a consumer’s key health information including details of their medical conditions and treatments, medicine, allergies, tests and scans. This information can be viewed online from anywhere at any time. Healthcare providers (such as doctors, specialists and hospital staff) are able to view and add information to a My Health Record, subject to access controls set by the consumer.

3.2 Consumers’ health records are either uploaded into the NRS or fetched as needed from participating repositories (Registered Repository Operators). The NRS holds the key data sets which make up a My Health Record, including:

  • shared health summaries
  • event and discharge summaries
  • medical records (Medicare Benefits Schedule, Pharmaceutical Benefits Scheme)
  • clinical documents
  • specialist letters
  • consumer entered notes and health summaries
  • child development
  • organ donor status
  • prescription / medication information.

3.3 My Health Record was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.[9] The operational activities of the then PCEHR were managed by the Department of Health until the Australian Digital Health Agency (ADHA) became the My Health Record System Operator on 1 July 2016. The ADHA is a statutory authority reporting to State and Territory Health Ministers through the Council of Australian Governments (COAG) Health Council. It was established to improve health outcomes for Australians through the delivery of digital innovation, health systems and services.

3.4 The MHR system is regulated under the My Health Records Act 2012 (Cth), My Health Records Regulation 2012 (Cth), My Health Records Rule 2016 (Cth) and the My Health Records (Assisted Registration) Rule 2015 (Cth).

Participants in the MHR System

ADHA – the MHR System Operator

3.5 ADHA has a lead role in operating and developing Australia’s digital health foundations, the national infrastructure underpinning the delivery of digital health in Australia including:

  • the My Health Record (MHR) system
  • the Healthcare Identifiers (HI) Service[10]
  • the National Authentication Service for Health[11] (NASH)
  • Provider Digital Access[12] (PRODA)
  • Secure Messaging[13]
  • Supply Chain[14]
  • Clinical Terminology[15]
  • Clinical Document Specifications, such as discharge summaries and electronic referrals.

Other participants in the MHR system

3.6 In addition to ADHA as System Operator, a number of other participants assist in the operation of MHR, in particular:

  • Accenture Australia was contracted as the National Infrastructure Operator (NIO) of the system, responsible for providing and managing the system on behalf of the SO, including managing MHR’s security. The NIO has a subcontractor, Nippon Telegraph and Telephone (NTT), which provides data centre services for the system.
  • the Department of Human Services (DHS) assists with consumer and provider registration. It also provides access to Medicare and Department of Veterans’ Affairs (DVA) data, which can be included in consumers’ MHR records with their consent.

3.7 Healthcare providers participate in the MHR system as end-point users. Consumer healthcare information contained in provider records is uploaded into the NRS via clinical software or a national provider portal.

3.8 Individual health records are automatically created for consumers (unless they choose to opt out of the MHR system). Consumers can change their privacy and security settings to control which healthcare providers can access their health information. Consumers can also add their own information such as personal notes, review the information on their record, and set up notifications to monitor which healthcare provider has accessed their record.

Summary

3.9 Figure 1 below provides a high-level summary of the different participants in the MHR system and how they interact. It also depicts the system components that are within the scope of this assessment.

Figure 1 – Overview of the My Health Record system


Part 4: Findings

Governance, culture and training

Management, oversight and accountability

Observations

4.1 The requirements for the ADHA’s governance framework are set out in the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016 (Cth). The Agency Rule established the Board, Advisory Committees and the position of the CEO, and defined their roles and responsibilities.

4.2 Established in 2016-17, the 11-member ADHA Board is the accountable authority for the agency. It sets the agency’s strategic direction and is responsible for its operations. The Board is supported by independent advisory committees:

  • Clinical and Technical Advisory Committee
  • Jurisdictional Advisory Committee
  • Consumer Advisory Committee
  • Privacy and Security Advisory Committee (PSAC)
  • Digital Health Safety and Quality Governance Committee[16], and
  • Audit and Risk Committee (compulsory under the Public Governance, Performance and Accountability Act 2013 (Cth)).

4.3 As outlined in Division 5, Section 51 of the Agency Rule, the PSAC’s functions are to:

  • examine legal issues in relation to digital health systems, including copyright, data privacy issues, confidentiality issues, data security and legal liability
  • make recommendations to the Board about the long-term legal framework of digital health systems
  • monitor privacy and security issues in relation to digital health systems and provide advice to the Board on resolution of any problems arising from such issues
  • provide advice and recommendations to the Board in relation to standards (including compliance with standards) relating to privacy and security in relation to digital health systems
  • provide advice to the Board about privacy and security issues encountered by users of digital health systems.

4.4 The 2016 OAIC assessment recommended that ‘the role and operation of the PSWG [Privacy and Security Working Group, within the Department of Health as the then SO] is reviewed to ensure that it has an effective role as a focal point for strategic and significant privacy advice and solutions’. Assessors were advised that following the establishment of ADHA, the PSWG ceased to operate.

4.5 In relation to executive management, the ADHA CEO was supported by an executive leadership team comprising five Executive General Managers (Division heads) and a Chief Medical Adviser. The team meets weekly with the CEO and is involved in the implementation of the governance framework through strategic and financial planning, consideration of ongoing and emerging risks, review of controls, and monitoring the delivery of performance outcomes. It is the primary forum for operational decision making in the agency. When the assessment was undertaken (June 2018), the executive structure was as follows[17]

4.6 A range of internal committees also support ADHA leadership and its ability to deliver on strategic priorities. The assessment team observed that there is no dedicated internal privacy or security committee. Assessors were advised that internal operational arrangements between the risk, security and privacy teams, in addition to reporting mechanisms to PSAC and Board, aim to ensure that security and privacy are effectively managed. The internal committees are outlined below:

Internal committee[18] – Purpose

Portfolio Management Committee – Oversees the planning and delivery of the agency’s annual work program
Clinical Programs Management Committee – Manages operational aspects of the agency’s Clinical Programs: Medicines Safety, Pathology and Diagnostic Imaging programs, and any new programs identified by the agency’s Board
Digital Health Safety and Quality Management Committee – Establishes a forum where clinical governance mechanisms are in place and effective across the agency
Workplace Health and Safety Steering Committee – Brings together staff and management to develop and review health and safety policies and procedures across the agency

4.7 The assessment team observed that ADHA has an experienced and active Chief Information Security Officer who operates as such for MHR.

4.8 Nevertheless, assessors noted through the desk-top review that recommendations for a Privacy Impact Assessment (PIA) of the Incident Management System (IMS) had passed with little or no action across several external audits. PIAs, as part of risk management arrangements more generally, are separately discussed from paragraph 4.21.

4.9 The assessment team was provided with a copy of the SO’s recently released ‘Guide to Undertaking a Privacy Impact Assessment’ (PIA Guide). Assessors observed that while it provides useful guidance as to if, when and how a PIA should be undertaken, it provides little information on how the outcomes of any PIA would be addressed by ADHA.

4.10 In this regard the assessment team also considered the introduction of the Australian Government Agencies Privacy Code on 1 July 2018, which at the time of fieldwork had not yet commenced. The Code impacts on how the ADHA manages its obligations under the Privacy Act, in particular the requirement to appoint a senior official as a Privacy Champion. While the SO’s PIA Guide refers to the new Code, assessors observed that its focus is on the role of the Privacy team and it makes no reference to a Privacy Champion. Privacy management and governance requirements under APP 1.2, and specifically the Code, may be considered in a future OAIC assessment.

4.11 The assessment team understands the NIO’s security management to include:

  • Production Operations team, which is onshore and responsible for the production environment
  • Offshore team, requiring no access to production data, and responsible for development and testing against non-production environments (with fabricated data)
  • Security Operations team, responsible for handling security and privacy incidents, as well as patch and vulnerability management, security monitoring, and threat & risk assessments
  • Service Management team, the central liaison point for the NIO, which provides regular reports to the SO and other MHR stakeholders on incidents and system performance, and is responsible for day-to-day production issues, incident management and internal incidents, as well as errors and failures
  • Change Management team, which controls the implementation of changes to the system and is responsible for testing vendor software.

Analysis

4.12 ‘Reasonable steps’ under APP 11 include establishing clear procedures for oversight, accountability and lines of authority for decisions regarding personal information security. This could involve having a body or designated individual(s) who is aware of what, where and how personal information is held, and is responsible for ensuring that it is held securely. This role could include defining information security measures and implementing, maintaining and evaluating those measures. The role should be overseen by, and accountable to, senior management.

4.13 The governance arrangements established by the SO, while still maturing, appear adequate. However, assessors note that consideration of certain security and privacy matters raised by external reviews has been delayed. There is a medium risk that delays can negatively impact the proper handling of sensitive personal information, in particular where timely management attention is expected in response to identified and emerging issues. In the assessors’ view, operational matters are dealt with most quickly and effectively by a day-to-day manager in a dedicated role with direct exposure to the operational environment.

4.14 Given that the SO is a relatively new agency, the OAIC would expect that its governance arrangements for privacy and information security are reviewed regularly so that they remain relevant and responsive to emerging issues.

Recommendation 1

The System Operator should:

  • review its privacy and security governance arrangements and internal privacy management processes to improve the timeliness of responses to external reviews, including considering whether operational information security and privacy matters are better handled by a day-to-day manager.
  • as it continues to mature, regularly review its governance arrangements around privacy and information security to ensure their continued relevance and effectiveness.

Risk management

Observations

4.15 MHR risk management practices were acknowledged by the SO as being relatively immature, considering the young age of the agency. The ADHA was benchmarked in 2017 as part of the Comcover Risk Management Benchmarking Survey and rated as ‘Developed’[19]. While a relatively low rating, the agency is establishing more robust risk management policies and practices and is expected to rate more highly in subsequent benchmarking exercises. Following this assessment, the OAIC was advised that the ADHA was benchmarked again in 2018 and 2019 as part of the same methodology, and was rated as ‘Advanced’.

4.16 The SO maintains an overarching risk framework. It has established an integrated risk register and conducts security risk management exercises in relation to each new release. The risk register is reviewed with each new release to ensure that relevant (and new) risks are adequately captured and addressed. The SO is aware of the need to more tightly manage the risk register and develop improved traceability between strategic, system and operational risks. Close collaboration is required with the NIO in this regard.

4.17 Furthermore, in the context of findings and recommendations regarding security documentation (discussed below from paragraph 4.43), it will be important for the SO to ensure traceability of decision making processes in response to external assessment (such as IRAP assessments, Threat & Risk Assessments (TRAs) and OAIC assessments).

4.18 In the assessors’ view there remains some work to be done to enhance the relationship between the Audit and Risk Committee and the Privacy and Security Advisory Committee, in terms of responsibilities and transparency of activities. Assessors were advised that a risk toolkit to enhance and streamline the agency’s risk management practices will be implemented in the near future.

Analysis

4.19 Noting the relative immaturity of the SO’s risk management practices, the assessment team considers that it is to be expected that planned improvements will enhance the agency’s risk posture.

4.20 With the exception of PIAs (discussed below), the assessment team did not identify any serious privacy risks in relation to the SO’s overall risk management and therefore makes no recommendations.

Privacy impact assessments

Observations

4.21 The System Operator has conducted several PIAs on the MHR system since 2015:

  • May 2015 – PIA analysed flows of personal information and potential privacy risks and impacts of an opt-out model
  • March 2016 – PIA assessed the design of the participation trials
  • October 2016 – PIA assessed proposals for third party mobile applications to access the My Health Record system
  • December 2016 – PIA assessed the proposed bulk transfer of records to the contracted National Infrastructure Operator for record creation as part of the opt-out process
  • July 2017 – PIA further examined privacy risks and impacts of the proposed implementation of the opt-out process

4.22 ADHA has developed its own PIA guide in line with the new Australian Government Agencies Privacy Code which commenced on 1 July 2018.

4.23 The 2016 OAIC assessment recommended[20] that a PIA should be undertaken on the SO’s Incident Management System (IMS). The assessment team was advised that all information is stored in an encrypted form in the IMS. A review of the information in the IMS is underway in advance of the intended implementation of a new cloud-based, fit for purpose IMS system to address security concerns. The cloud provider is accredited by ASD to the PROTECTED security classification. It was not clear to assessors if the review and new IMS will be informed by a PIA.

4.24 Assessors note that the recommendations raised in the 2016 OAIC assessment report related to the Department of Health as the then SO and that, while the recommendations have been addressed in the establishment of the ADHA as the new SO and in its current work to develop the MHR system, no further action is intended in response to those recommendations.

Analysis

4.25 PIAs are the cornerstone of privacy management and should be part of the overall risk management and planning processes of organisations. PIAs help organisations assess security risks to personal information by identifying the privacy impacts of changes that may have privacy implications. These changes may include a changing regulatory environment such as new legislation, the implementation of new or amended systems or databases, or changes to how information is stored. PIAs make recommendations for managing, minimising or eliminating those privacy impacts.

4.26 PIAs help to identify and mitigate against emerging privacy risks. Without recent PIAs, the concerns raised in the 2016 OAIC assessment as to whether reasonable steps have been taken to protect personal information held on the IMS remain. In this context, it is reasonable to seek assurances from the SO that previously identified and emerging privacy and security concerns are being addressed.

4.27 The OAIC notes that under the Australian Government Agencies Privacy Code, from 1 July 2018 it is mandatory for agencies to undertake PIAs for all high privacy risk projects. While acknowledging that this assessment took place prior to the Code’s commencement, for the purposes of this report it is worth noting that the SO will be subject to a mandatory requirement in relation to PIAs.

4.28 In addition to the new, mandatory requirement to conduct PIAs, the assessment team considers that, in the context of upcoming development of a new IMS, it is reasonable under APP 11 to conduct an independent PIA to systematically assess the new IMS.

4.29 PIAs assist in demonstrating good personal information handling practices and engender public trust and confidence.

Recommendation 2

The System Operator must undertake PIAs in line with the new Australian Government Agencies Privacy Code. PIAs ensure that high risk projects are compliant with privacy laws and reflect community values around privacy and the handling of personal information. By demonstrating to stakeholders that a project has been designed with privacy in mind, PIAs can assist the SO to substantiate claims that privacy and security risks in the MHR system are being addressed.

Recommendation 3

The System Operator should undertake an independent PIA, conducted by a reputable external consultant, if it is not already part of the planned review of information contained in the IMS and the design and development of the new IMS system. This would assist in ensuring that all reasonable steps are taken to protect personal information.

Training

Observations

4.30 The assessment team reviewed three MHR staff training packages:

  • security awareness training for new joiners
  • working with sensitive data
  • security awareness training.

4.31 Assessors found a number of references in the NIO’s training materials that were inconsistent with Australian privacy legislation. For example, a foreign definition of Personal Information is used (i.e. ‘Personally Identifiable Information’) and the NIO’s use of the term ‘Sensitive Information’ is at odds with the Privacy Act. Further, the term ‘Technically Sensitive Information’ is introduced and covers such data as IP addresses.

4.32 Assessors note that use of non-standard definitions was a finding of the 2014 OAIC assessment. It is not clear why definitional errors have persisted.

4.33 The issue of data classification and handling processes was also raised. The NIO advised that, notwithstanding general issues with staff correctly identifying data and applying appropriate Australian government data classifications, all information that is contained in the MHR production database is regarded as ‘sensitive’ (in keeping with Australian legislation) and treated accordingly. Staff are also trained accordingly.

4.34 Security training for new NIO staff (including contractors) focuses on:

  • improving security awareness
  • providing background information about MHR
  • security expectations for MHR
  • staff responsibilities for security of MHR
  • tools/measures available to fulfil them
  • consequences of breaches or compromises.

4.35 NIO security training is heavily focused on operational security considerations, including:

  • use of Accenture issued equipment only
  • security at the client’s premises
  • access to MHR assets and documents
  • physical security including Clean Room access controls
  • data protection and information classification / protective markings
  • use of Accenture offshore based systems
  • social media.

4.36 The NIO also provides six-monthly refresher training on security and privacy for all employees who work in the clean room[21] with access to production data. Training for other staff is less frequent.

4.37 The SO conducts annual training for all staff. As the agency grows, these training programs are being run on a monthly basis. The SO also runs training tailored to specific areas of the agency on an as-needs basis in relation to data breach notification. It has also developed a privacy e-learning module for staff to use (accessible via the intranet). Security training presentations focus on issues such as:

  • password security and ISM standards for complexity
  • email security (phishing, etc.)
  • malicious macros
  • surfing the web and social media
  • remote access
  • information classification
  • physical security (clean desk, passes, etc.)
  • personnel security (vetting)
  • incident reporting.

Analysis

4.38 The assessment team considers that the training arrangements established by the SO and NIO are adequate, except for the issue that erroneous privacy definitions have persisted for some years in security documents[22].

4.39 The use of foreign terms and definitions can negatively affect staff awareness of their obligations under Australian privacy legislation. For example, there is a medium risk that:

  • training new staff to use inappropriate foreign terms is likely to confuse and hinder their compliance with the Privacy Act
  • when implementing critical de-identification procedures, using foreign definitions can lead to inadequate de-identification of patient information that would be treated as ‘Personal Information’ in Australia
  • MHR designers and operators can misjudge privacy risks, especially as they put into effect de-identification and data sanitisation.

4.40 Moreover, the concept of ‘Technically Sensitive Information’ is not necessary given the Australian legislated concepts of Personal Information and Sensitive Information, and because it is novel, may be an unnecessary distraction.

4.41 The fact that incorrect definitions have persisted in NIO documentation raises the possibility that Accenture, as ADHA’s client, is not scrutinising training materials as closely as it should with regards to legal compliance. A more rigorous review process would guard against other similar types of governance errors appearing in future.

4.42 ‘Reasonable steps’ under APP 11 include ensuring that all staff (including new starters, contractors and temporary staff) are aware of their privacy and security obligations. As staff awareness is commensurate with quality of training, it is reasonable to expect that training materials should accurately reflect Australian legislation. This ensures that staff are trained appropriately to handle personal information in accordance with the Privacy Act.

4.43 The SO should improve the ongoing quality of training materials in respect of definitions and data classifications, particularly in light of intended changes to the classification system in the Protective Security Policy Framework.

Recommendation 4

The System Operator should:

  • review the scrutiny given to internal training materials to guard against the use of non-standard language (such as ‘Technically Sensitive Information’), and inappropriate foreign definitions (such as ‘Personally Identifiable Information’)
  • ensure security documentation and data handling processes align with current Australian government data classifications.

Recommendation 5

The National Infrastructure Operator should review training materials to ensure they use Australian terminology for privacy, security and data classification.

Internal practices, procedures and systems

Security documentation

Observations

4.44 Documents provided for assessment by the System Operator (SO) and National Infrastructure Operator (NIO) covered a range of security and privacy management policies and procedures, including[23]:

  • system security plans
  • risk management frameworks
  • key management plans
  • data breach policies
  • threat & risk assessments
  • business continuity plans.

4.45 It was the assessment team’s expectation that the SO and NIO would maintain and provide a complete and up-to-date suite of security documentation. In the assessors’ view, the desk-top review process was complicated by the following:

  • the documents were provided to the assessment team in three tranches
  • many documents were outdated (some dating back to 2015), and some were in draft form
  • there were some inconsistencies within and between documents provided (e.g. between the Commonwealth Data Protection Protocol and the System Security Plan relating to back-ups of the Incident Management System), indicating possible lack of coordination across MHR system participants.

4.46 The assessment team therefore observed that the documents did not stand alone to present a cohesive view of the SO’s approach to managing the security of the MHR system. However, this concern was mitigated as a result of fieldwork interviews conducted with SO and NIO staff. These interviews provided a more complete explanation of the SO’s security policies and procedures, as well as the opportunity to review more up-to-date documentation.

4.47 It was evident from the interviews that security risks identified in the available documentation had either been or were in the process of being addressed. Particular examples include the SO’s response to findings and recommendations from the most recent independent TRA exercises, and its response to the recommendations contained in the 2017 IRAP report. While security considerations mean specific issues cannot be recorded in this unclassified report, assessors were advised that controls were being introduced to address each of the findings.

4.48 The assessment team also notes that, in general, the 2017 IRAP assessment was reassuring, indicating a strong security management position.

4.49 Based on the nature of the documents and subsequent interview discussions, the assessment team considers that the state of the security documentation has likely resulted from several factors:

  • the relative immaturity of the SO as a new agency (it was evident that it is still bedding down its policies and procedures)
  • the high percentage of contractors in the agency (over 50%) who, in the assessors’ experience, are not generally engaged as document writers
  • the relatively new governance arrangements that have been implemented and which are still being matured
  • the pressure to deliver a secure and robust system solution within very short timeframes including what may be described as a fast-track program of new product releases.

4.50 The assessment team found that the SO has placed a greater importance on product delivery, and that documentation has been viewed largely as a compliance-related activity. A similar inference was drawn by the IRAP assessor in 2017.

Analysis

4.51 Deficiencies in documented security and privacy management policies and procedures have the potential to affect privacy and security practices if left unaddressed.

4.52 Documentation is the main way that the state of a project is communicated to external stakeholders, assessors, new hires, contractors and so on.

4.53 ‘Reasonable steps’ under APP 11 involve documenting the internal practices, procedures and systems used to protect personal information. Documentation should be regularly reviewed and updated to ensure it reflects current practices. Clear documentation is important as a design tool, for communicating to designers the details of requirements, and recording development decisions. Documentation guides designers as they work over typically long periods of time on complex systems.

4.54 Without clear, consistent and up-to-date documentation, there is a medium risk that complex system security requirements could be poorly communicated to internal staff and external stakeholders. In the assessors’ view, good documentation is key, and a reasonable step under APP 11, to ensuring system security over time.

4.55 These documentation issues were raised with and acknowledged by SO and NIO officials over the course of the fieldwork interviews.

Recommendation 6

The System Operator and National Infrastructure Operator should:

  • update security documentation to ensure that all documents are current, complete, and provide a coherent picture of the security and risk management policies and practices as they relate to the MHR system
  • conduct internal document reviews to improve consistency within and between security documents, and to better support external governance reviews
  • strengthen privacy culture within their respective organisations by re-prioritising security documentation as a more active and important design activity rather than a lower priority compliance activity.

Documentation of decision making

Observations

4.56 During the course of fieldwork interviews, the assessment team observed relatively poor documentation of internal decision making. The SO was unable to provide documentary evidence of the processes involved where the SO/NIO analysed the findings, determined the most appropriate response and obtained management agreement to implement the required measures. While such steps are probably taken in practice, it was not evident to the assessors that they were being followed systematically.

Analysis

4.57 ‘Reasonable steps’ under APP 11 involve documenting the security decisions made to protect personal information, such as why certain measures have or have not been adopted.[24]

4.58 The apparent lack of documentation of decisions by the SO means that documentation will always lag behind systems development. This creates gaps in relation to the management of privacy and security risks.

4.59 Given the operational scale of the MHR system and relative complexity of decisions about security and privacy controls, it is reasonable to ensure that decisions are traceable and transparent. Without appropriate documentation procedures in place, there is a medium risk that decisions about privacy and information security are made without proper scrutiny and decision rationales remain undocumented.

4.60 The SO should document decision making processes to ensure transparency and accountability.

Recommendation 7

The System Operator should improve documentation of decisions to better demonstrate to governance bodies and relevant third parties the rationale for decisions taken to implement required security and privacy controls.

ICT and access security

Observations

4.61 Information was sought about external security assessments and the ADHA’s implementation of the recommendations relevant to the scope of this assessment.

4.62 The assessment team was advised that the Australian Signals Directorate’s Essential 8[25] ISM controls (including the mandatory Top 4) have been implemented and that a successful two-stage IRAP assessment was completed in 2017 with 97% compliance.

4.63 The 2017 IRAP report identified some concerns with respect to the SO’s ability to protect against Advanced Persistent Threats.[26] Assessors were advised that end-point protection[27] is a major consideration and that a range of security measures have been introduced in response to the IRAP report and other external reviews, including:

  • intrusion detection/prevention
  • data encryption both at rest and in transit (using ASD approved cryptographic algorithms)
  • whitelisting across the front end and back end systems[28]
  • improved vulnerability management.

4.64 The SO and NIO also employ a variety of security measures, including data encryption (at rest and in transit), personnel vetting, and physical access controls to the data centre, clean room and production data. Analytics are being increasingly used to analyse data logs to enhance system security.

4.65 The Department of Health’s end-to-end security review of 2015 also highlighted end-point security as a key risk to the MHR system. The assessment team was advised that this review was tabled with the Privacy and Security Advisory Committee at its first meeting and that the recommendations contained in that report have been considered as part of further system development.

4.66 ADHA established the Digital Health Cyber Security Centre[29] to strengthen the security of the digital health system overall and promote increased security awareness and maturity across the digital health sector. The SO has produced a range of educational material to assist healthcare providers to meet their security obligations. It also audits provider systems to ensure security standards are met and providers comply with security requirements under MHR legislation, specifically MHR Rule 42, which requires an access control policy for MHR participants/healthcare providers. The SO also maintains close relationships with peak industry bodies such as the RACGP to help providers maintain these security and privacy standards.

4.67 End-point security remains a high risk for the system and is being actively addressed by the SO and NIO on a number of fronts. In addition to producing educational material and carrying out audits, several TRAs were conducted with respect to key endpoints to the system including call centres, mobile gateway, and administration and provider portals. Continued monitoring and appropriate governance around the identification and mitigation of privacy risks (see Recommendation 1) will assist the SO to manage the challenge of a system with a significant number of end-points. For example, while approval processes are in place to sign up provider organisations to the MHR system, they represent a vulnerability that will need to be monitored.

4.68 Further potential threats exist in relation to registration and authentication of both consumers and healthcare providers. While acknowledged by the SO, which advised that they are being actively managed, these threats were not explored in detail as they are the operational responsibility of DHS.

Analysis

4.69 The decentralised nature of end-point users presents unique challenges for a central system operator who is several steps removed from directly managing end-point security vulnerabilities. This is an ongoing risk for the MHR system. If end-point security is not managed effectively by healthcare providers and other agencies responsible for user registration and authentication, there is a high risk that the integrity of the MHR system can be compromised.

4.70 The SO must take ‘reasonable steps’ under APP 11 to address the risks and mitigation strategies identified by external security assessments, including providing assistance to healthcare providers, by:

  • continuing to proactively engage with end-point users through educational and audit initiatives
  • staying up to date with the real state of end-point security at healthcare practices
  • providing timely and effective guidance to health practitioners, as and when tangible security issues are identified.

Recommendation 8

The System Operator must continue to proactively engage with end-point users by:

  • staying up to date with the real state of end-point security at healthcare practices
  • providing timely and effective guidance to health practitioners, as and when security issues are identified
  • continuing audits of healthcare provider security to provide assurance that end-point security vulnerabilities are being effectively managed by providers, and therefore help protect the integrity of the MHR. The findings of these audits can inform continuous improvement of security advice developed and provided by the Cyber Security Centre.

Third party providers

Observations

4.71 Two principal third party providers support the operation of the NRS:

  • Accenture as the National Infrastructure Operator (NIO)
  • Nippon Telegraph and Telephone (NTT) as the data centre provider.

4.72 Both Accenture and NTT have strong contractual commitments in relation to managing the security of the MHR system. NTT’s data centres have been subject to IRAP assessments and are rated to PROTECTED. The assessment team was advised that physical and logical access controls at NTT and the NIO ensure that only authorised personnel have access to the MHR system.

Analysis

4.73 The assessment team did not identify any serious privacy risks in relation to third party providers and therefore makes no recommendations.

Data breaches

Observations

4.74 Under the MHR Act it is mandatory for the SO to notify the OAIC of data breaches relating to unauthorised collection, use or disclosure of health information, or relating to issues that affect the security or integrity of the system. Between 2016 and 2018 the agency notified 11 data breaches to the OAIC.[30]

4.75 The SO maintains a Data Breach Response Plan that outlines staff roles and responsibilities in managing actual and suspected data-related incidents. Complementing this plan are comprehensive incident management plans and procedures (for both privacy and security incidents), as well as incident identification and prioritisation procedures. The Incident Management System is discussed in detail under Privacy Impact Assessments from paragraph 4.21.

4.76 The SO has and continues to implement measures to protect the MHR system from data breaches, including:

  • sourcing new health-sector specific threat intelligence to assist the agency in early identification of threats
  • improving information sharing nationally and internationally with health sector CERTs
  • improving vulnerability management techniques and active penetration testing at each new release.

Analysis

4.77 The assessment team did not identify any privacy risks in relation to the SO’s management of data breaches and therefore makes no recommendations.

Destruction and de-identification

Observations

4.78 At the time of the assessment the SO was obliged under the MHR Act to maintain individual health records for 30 years after the verified death of an individual (or 130 years in the event that a person’s death cannot be verified).[31] At the time of the assessment, if an individual chose to cancel their MHR record, the data contained in that record was neither de-identified nor destroyed; rather, the record was marked as inactive and stored in encrypted form by the system, inaccessible to either the individual or any healthcare practitioner.

4.79 Based on the SO’s obligations under the MHR Act at the time of the assessment, the assessment team considers that the requirements of APP 11.2 (relating to data de-identification and destruction) do not apply while a person’s health information is retained within MHR.

Analysis

4.80 In future, it will be necessary for the SO to develop and document a destruction procedure for MHR records to be deleted post-mortem. At the time of this assessment, there was no urgency for this, given that the earliest destruction was still 24 years away.[32] As time goes by and the MHR system evolves (together with the legislative and e-health landscape), the data destruction procedure can be reviewed.

4.81 Following this assessment, on 26 November 2018, the Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Bill 2018 which introduced a number of changes to the MHR system. Under these changes, a person can permanently delete their MHR at any time in their life, with no archived copy or back up kept. Any destruction procedures developed in response to these changes could also be applied to MHR records that will be deleted post-mortem.

4.82 The assessment team did not identify any privacy risks in relation to destruction and de-identification of personal information and therefore makes no recommendations.

Information security standards

Observations

4.83 As a government agency the SO must meet the security requirements set out in the Protective Security Policy Framework and Information Security Manual. These policies reference accepted international standards for risk management (ISO 31000) and information security (ISO 27000).

4.84 The assessors’ desk-top document review confirmed these policies and standards are implemented across the SO, NIO and NTT.

Analysis

4.85 The assessment team did not identify any privacy risks in relation to information security standards and therefore makes no recommendations.

Part 5: Recommendations and responses

OAIC recommendation 1

The System Operator should:

  • review its privacy and security governance arrangements and internal privacy management processes to improve the timeliness of responses to external reviews, including considering whether operational information security and privacy matters are better handled by a day-to-day manager
  • as it continues to mature, regularly review its governance arrangements around privacy and information security to ensure their continued relevance and effectiveness.

ADHA response

Agreed and fully implemented. Since the fieldwork was conducted in July 2018, the Agency has reviewed and updated its privacy governance arrangements. This has included the implementation of a Privacy Management Plan, with regular scheduled updates provided through to PSAC. Operational privacy matters are raised through the Executive Leadership Team meetings, which also include regular updates on Agency privacy.

The Agency has been regularly meeting with the OAIC to discuss any privacy matters to note between the two organisations.

In relation to security, the Agency also has a working group called Cyber Security Assurance and Design Authority that meets monthly and draws participants from security, the National Infrastructure Operator and compliance. The group considers security operational matters including responses to external reviews as relevant.

OAIC recommendation 2

The System Operator must undertake PIAs in line with the new Australian Government Agencies Privacy Code. PIAs ensure that high risk projects are compliant with privacy laws and reflect community values around privacy and the handling of personal information. By demonstrating to stakeholders that a project has been designed with privacy in mind, PIAs can assist the SO to substantiate claims that privacy and security risks in the MHR system are being addressed.

ADHA response

Agreed and fully implemented. At the time this assessment was undertaken the Agency was operating in line with its own internal guidelines, and as noted above routinely undertook PIAs as appropriate. The Agency developed its own PIA guide in line with the new Australian Government Agencies Privacy Code, and has implemented practices to support this guide.

OAIC recommendation 3

The System Operator should undertake an independent PIA, conducted by a reputable external consultant, if it is not already part of the planned review of information contained in the IMS and the design and development of the new IMS system. This would assist in ensuring that all reasonable steps are taken to protect personal information.

ADHA response

Not agreed. The Agency recognises the importance of undertaking privacy and security assurance activities, noting that one function of a PIA is to identify if further security assurance is needed. The Agency has guidelines to determine the most appropriate privacy and security assurance activities for projects it undertakes, particularly in identifying steps to protect personal information.

The Agency conducted such assurance activities in 2018 when it moved the IMS function to an existing Microsoft cloud-based product already used by the Agency. In addition to internal privacy and security assurance the product had undergone an IRAP assessment, which included independent review against the Australian Government Information Security Manual.

The above OAIC recommendation was that a PIA would assist in ensuring all reasonable steps are taken to protect personal information. The Agency agrees with the intent of this recommendation, but it is the view of the Agency that this outcome was achieved through the assurance activities taken. The Agency is undertaking ongoing assurance activities, including having conducted a further security audit of the IMS through an external provider.

OAIC recommendation 4

The System Operator should:

  • review the scrutiny given to internal training materials to guard against the use of non-standard language (such as ‘Technically Sensitive Information’), and inappropriate foreign definitions (such as ‘Personally Identifiable Information’)
  • ensure security documentation and data handling processes align with current Australian government data classifications.

ADHA response

Agreed and fully implemented. The Agency accepts this finding and has undertaken a review of internal training materials, security documentation and data handling processes for alignment with standard language and Australian government data classifications.

OAIC recommendation 5

The National Infrastructure Operator should review training materials to ensure they use Australian terminology for privacy, security and data classification.

ADHA response

Agreed and fully implemented. The Agency accepts this finding and worked with the National Infrastructure Operator to update the training materials to align with Australian terminology for privacy, security and data classification.

OAIC recommendation 6

The System Operator and National Infrastructure Operator should:

  • update security documentation to ensure that all documents are current, complete, and provide a coherent picture of the security and risk management policies and practices as they relate to the MHR system
  • conduct internal document reviews to improve consistency within and between security documents, and to better support external governance reviews
  • strengthen privacy culture within their respective organisations by re-prioritising security documentation as a more active and important design activity rather than a lower priority compliance activity.

ADHA response

Agreed and fully implemented. Within four weeks of the fieldwork of this assessment the Agency undertook a review of security and risk management policies and procedures.

Ongoing review will be undertaken of security and risk management policies and procedures as they relate to the My Health Record system.

OAIC recommendation 7

The System Operator should improve documentation of decisions to better demonstrate to governance bodies and relevant third parties the rationale for decisions taken to implement required security and privacy controls.

ADHA response

Agreed and fully implemented. The Agency, as part of updating its PIA processes, has created a central register of PIA recommendations across all relevant projects so that it can monitor how these are implemented. Operational privacy matters brought up through the Executive Leadership Team meetings, and meetings between the Agency and the OAIC, are similarly logged and monitored.

The Agency has also implemented an enhanced Governance Framework since 2018 which includes a Service Management and Operations Committee responsible for considering matters including implementation of security controls. Matters brought to this Committee are considered first by the Technical Design and Delivery Authority which is responsible for considering proposals and ensuring the rationale for pending decisions is documented. The decisions of the Service Management and Operations Committee are documented in minutes for transparency and accountability.

OAIC recommendation 8

The System Operator must continue to proactively engage with end-point users by:

  • staying up-to-date with the real state of end-point security at healthcare practices
  • providing timely and effective guidance to health practitioners, as and when security issues are identified
  • continuing audits of healthcare provider security to provide assurance that end-point security vulnerabilities are being effectively managed by providers, and therefore help protect the integrity of the MHR. The findings of these audits can inform continuous improvement of security advice developed and provided by the Cyber Security Centre.

ADHA response

Agreed and fully implemented. The Agency accepts this finding and notes the engagement initiatives already in place to address this recommendation:

  • regular security monitoring in relation to healthcare provider interactions with the My Health Record System, to identify any security issues;
  • prompt engagement with impacted healthcare practices to offer guidance and technical support as applicable;
  • regular quality assurance checks of selected healthcare provider My Health Record policies to ensure providers are aware of their security obligations under the My Health Record legislation;
  • development and distribution of educational materials in print and electronic format, on good security practice, security behaviours and security threat prevention; and
  • ongoing delivery of security awareness roadshows in all capital centres and regional Australia offering education and engagement on security issues.

The Agency is continuing to consider how it can provide further leadership across the health sector to improve practices, to meet increasing community expectations on privacy and the security of personal information.

Responding to recommendations of the Australian National Audit Office Report: Implementation of My Health Record (November 2019), the Agency has agreed to undertake co-design across a range of activities across the health sector, to improve end point security and privacy practices and mature management of shared risks.

Appendix A: Privacy risk guidance

Columns: Privacy risk rating; Entity action required; Likely outcome if risk is not addressed

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation.

Likely outcome if risk is not addressed: Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies).

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation.

Likely outcome if risk is not addressed: Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow-up assessment activities
  • Possible ministerial involvement or censure (for agencies).

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation.

Likely outcome if risk is not addressed: Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met.

Footnotes

[1] Privacy Act 1988 (Cth)

[2] Privacy Act 1988 (Cth)

[3] My Health Record is an online summary of a consumer’s key health information including details of their medical conditions and treatments, medicine, allergies, tests and scans. This information can be viewed securely online from anywhere at any time. Healthcare providers (such as doctors, specialists and hospital staff) are able to view and add information to a My Health Record when they need to, subject to access controls set by the consumer.

[4] See OAIC Assessment Report: National Repositories Service — eHealth record System Operator: Audit report

[5] See OAIC Assessment Report: National Repositories Service: Implementation of recommendations – My Health Record System Operator

[6] See https://www.myhealthrecord.gov.au/news-and-media/media-releases/my-health-record-opt-out-date-announced

[7] See https://www.myhealthrecord.gov.au/news-and-media/my-health-record-stories/opt-out-period-extended-january-2019

[8] In this report, ‘consumers’ is used to describe individuals as recipients of healthcare. This is consistent with terminology in the My Health Records Act 2012 (Cth). Between 16 July 2018 and 31 January 2019, Australians had the opportunity to decide whether they wanted a My Health Record and to opt out if they did not want one. Records have now been created for eligible Australians who did not opt out.

[9] In November 2013, the Australian Government commissioned a review of the Personally Controlled eHealth Record (PCEHR) to assess the status of its implementation and to work with health professionals and industry to prioritise further implementation. The Review was released in May 2014. Subsequently, the 2015-16 Federal Budget announcement My Health Record - A New Direction for Electronic Health Records in Australia provided funding to strengthen eHealth governance arrangements consistent with the Review. This included transitioning relevant activities and resources from the National E-Health Transition Authority (NEHTA) to the new ADHA and transferring the operation of My Health Record from the Department of Health to ADHA.

[10] The Healthcare Identifiers Service provides nationally unique identification numbers for patients, healthcare providers and healthcare provider locations, for indexing health records and transactions.

[11] The National Authentication Service for Health is a national PKI system for issuing digital certificates to healthcare providers, to help secure e-health transactions.

[12] Provider Digital Access is a digital and portable online authentication system used to securely access government online services through a two-step verification process.

[13] For more information, see https://digitalhealth.gov.au/get-started-with-digital-health/what-is-digital-health/secure-messaging

[14] For more information, see https://digitalhealth.gov.au/get-started-with-digital-health/what-is-digital-health/supply-chain

[15] For more information, see https://digitalhealth.gov.au/get-started-with-digital-health/what-is-digital-health/clinical-terminology

[16] DHSQGC was established in March 2017 by the ADHA Board under Part 6, Division 1, Subdivision B, Section 43 of the Agency Rule. DHSQGC was decommissioned by the Board in April 2019.

[17] See https://www.digitalhealth.gov.au/about-the-agency/publications/reports/annual-report/part-1-introduction-and-overview/the-agency-at-a-glance

[18] See https://www.digitalhealth.gov.au/about-the-agency/publications/reports/annual-report/part-3-management-and-accountability/corporate-governance

[19] Comcover Risk Management Benchmarking Survey 2017 (Australian Digital Health Agency Executive Report).

[20] See recommendation 2 of the assessment report: ‘[I]t is recommended that the System Operator undertake a PIA (and, if necessary, a TRA) into the use of the IMS with particular reference to its adequacy in the My Health Record system incident management context and the effectiveness of its access controls. A PIA may not be necessary if the System Operator is satisfied that the end to end security review and the external security review of the IMS adequately set out the privacy impacts from using the IMS to share incident information’. The OAIC understands that the end to end review did not consider the use of the IMS.

[21] The clean room is a controlled environment that has been specifically built at the NIO’s offices for accessing the system’s production environment (including the databases which make up the NRS) and managing the daily operation of the MHR system. Only security cleared staff have access to the clean room.

[22] See 2014 OAIC Assessment Report: National Repositories Service — eHealth record System Operator: Audit report at paragraphs 4.10-4.21.

[23] For security reasons document titles are not recorded in this assessment report. Similarly, detailed discussion of security threats and risks and associated control mechanisms are excluded from the report.

[24] Refer to the ‘Internal practices, procedures and systems’ section of the Guide to securing personal information.

[25] The Essential Eight are the eight mitigation strategies that the ASD recommends as a baseline to help organisations prevent and limit the impact of cyber security incidents. For more information, see https://asd.gov.au/publications/protect/essential-eight-explained.htm

[26] Advanced Persistent Threats are sophisticated, customised and targeted cyber-attacks that employ a range of attack vectors, often over long periods of time, and are often (but not always) attributed to state-based actors.

[27] The MHR system has multiple entry points through which a range of external providers, developers, healthcare providers, consumers and others are able to access the system. Each of these entry points forms part of the system’s attack surface and is a potential point of compromise for the MHR system and the data it holds.

[28] For example, access to the administration portal is allowlisted (whitelisted) to DHS only, and it is intended that call centres will also be allowlisted.

[29] More information is available at https://www.digitalhealth.gov.au/about-the-agency/digital-health-cyber-security-centre/about

[30] ADHA Document: ‘Breaches of the My Health Record System 2016-2018’.

[31] Following this assessment, on 26 November 2018, the Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Bill 2018, which introduced a number of changes to the MHR system. Following these changes, a person can permanently delete their My Health Record at any time in their life. No archived copy or backup is kept, and deleted information cannot be recovered.

[32] The earliest time at which an MHR record would need to be destroyed is set by the oldest record in the system, which is approximately six years old now. If the individual concerned dies in 2018, the 30-year retention period will expire in 24 years.

Long text descriptions

Figure 1: Overview of the My Health Record system

Figure 1 describes the following MHR participants and MHR system components within the scope of the assessment:

  • The System Operator-ADHA. Within the System Operator-ADHA are the following MHR participants and components:
    • Digital Health Cyber Security Centre
    • ADHA Privacy Team
    • National Infrastructure Operator (Accenture)
    • Data centre (NTT)
    • National Repository Service, which holds the MHR. Each MHR may contain the following information:
      • Shared health summaries
      • Event and discharge summaries
      • Medical records (MBS, PBS)
      • Clinical documents
      • Specialist letters
      • Consumer-entered notes and health summaries
      • Child development
      • Organ donor status
      • Pathology reports

Within the System Operator-ADHA, but outside the scope of the assessment, is customer management/call centre.

The Incident Management System is a system component outside the System Operator-ADHA but within the scope of the assessment; it interacts with both the System Operator and the Registered Repository Operators (RROs).

Figure 1 also describes the following participants and system components which interact with the System Operator-ADHA and healthcare providers and are outside the scope of the assessment:

  • Registered Repository Operators (RROs), these are:
    • Services Australia (formerly DHS) which is responsible for the following MHR system components:
      • Healthcare Identifiers
      • NASH
      • PRODA
      • MyGov
      • Medicare Database
    • eRx Script Exchange
  • Clinical software or national provider portal (operated by ADHA)
  • Healthcare providers and provider records which can include the following:
    • GPs
    • Hospitals
    • Pathology labs and diagnostic imaging services
    • Allied health
    • Pharmacists
    • Aged care

Executive structure

  • Tim Kelsey: Chief Executive Officer
    • Rachel de Sain: Executive General Manager, Innovation and Development
    • Meredith Makeham: Chief Medical Adviser
    • Bettina McMahon: Executive General Manager, Government and Industry Collaboration and Adoption
    • Ronan O’Connor: Executive General Manager, Core Services Operations
    • Terence Seymour: Executive General Manager, Organisational Capability and Change Management
    • Monica Trujillo: Executive General Manager, Clinical and Consumer Engagement and Clinical Governance
