Publication date: 4 September 2020

Part 1: Introduction

1.1 The Office of the Australian Information Commissioner (OAIC) has a range of functions and powers directed towards protecting the privacy of individuals in the handling of personal information in the My Health Record (MHR) system. In addition to the power and functions conferred by the Privacy Act 1988, the OAIC provides independent privacy oversight of the MHR system under the My Health Records Act 2012.

Background

1.2 The MHR system is the Australian government’s digital health record system. A MHR is an online summary of a consumer’s key health information including details of their medical conditions, medicines and allergies.[1] As end-users of the system, pharmacies and diagnostic imaging services are able to view and add information to a MHR when they need to, subject to access controls set by the consumer.

1.3 Healthcare providers that handle personal information in the MHR system are bound by obligations in the Australian Privacy Principles (APPs) and those set out in Rule 42 of the My Health Records Rule 2016 (My Health Records Rule).

1.4 In practice, this means that healthcare providers participating in the MHR system have concurrent obligations to:

  • fulfil the privacy and access security requirements outlined in Rule 42 in relation to end-user access security
  • take reasonable steps to protect personal information and implement practices, procedures and systems to ensure compliance with the APPs.

Objective and scope of the assessment

1.5 This assessment was conducted in April 2019. The objective of the assessment was to examine how staff at pharmacies and diagnostic imaging services access the MHR system, and whether pharmacies and diagnostic imaging services have appropriate governance arrangements to manage security risks in accordance with Rule 42 of the My Health Records Rule.

1.6 Rule 42 requires that all healthcare provider organisations have, communicate and enforce an access security policy for accessing the MHR system. The policy must address a number of prescribed requirements, including:

  • how staff are authorised to access the MHR system
  • staff training in relation to using the MHR system accurately and responsibly, and the legal obligations involved
  • the process for identifying a person who requests access to a consumer’s MHR
  • physical and information security measures, including user account management (linked to Rule 44[2])
  • strategies to identify, mitigate and report MHR system risks.

1.7 The assessment also considered how pharmacies and diagnostic imaging services met the following obligations under the Privacy Act:

  • APP 1.2, which requires an entity to take reasonable steps to implement practices, procedures and systems to ensure that it complies with the APPs
  • APP 11, which requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Methodology

1.8 At the time the assessment was conducted, pharmacies and diagnostic imaging services were emerging participants in the MHR system. Fourteen pharmacies and eight diagnostic imaging service providers were selected to participate in the assessment based on MHR system data provided by the ADHA, which indicated that these healthcare providers were accessing consumers’ MHRs.

1.9 The assessment involved the following:

  • a desktop review of the pharmacies’ and diagnostic imaging services’ MHR access security policies and any other relevant policy and procedure documents provided to the OAIC
  • review of the results of a self-administered questionnaire
  • analysis of each response against the requirements of Rule 42, and APPs 1.2 and 11.

1.10 The OAIC did not undertake on-site inspections of the pharmacies’ or diagnostic imaging services’ privacy practices. The OAIC provided individualised feedback to the pharmacies and diagnostic imaging services on their questionnaire responses and MHR access security policies, and also made recommendations to address any identified privacy risks where applicable.

Reading this report

1.11 The OAIC has summarised the key findings from the assessment and outlined areas of good privacy practices as well as areas for improvement. The findings are presented under five main headings.

1.12 From this point forward we will refer to the pharmacies and diagnostic imaging services collectively as the ‘assessment targets’, aside from instances where the assessments made differing findings between the two cohorts.

Part 2: Summary of findings

My Health Record access security policy

Areas of good privacy practice

2.1 The OAIC found that 17 of the 22 assessment targets had implemented an MHR access security policy at the time of the assessment.

2.2 Of the assessment targets that did not have an MHR access security policy in place, the OAIC observed that most had other procedures in place to address the requirements of Rule 42. There were differences in the comprehensiveness of these procedures and the extent that these were in writing and communicated to staff.

2.3 The majority of assessment targets communicated their MHR access security policy to staff as part of induction and MHR training. Most pharmacies made their policies available to staff in hard copy whereas most diagnostic imaging services made their policies available via their intranet.

2.4 Nearly all assessment targets who had an MHR access security policy reviewed it annually, or when any material new or changed risks are identified.

Areas for improvement

2.5 Five out of 22 assessment targets did not have a written MHR access security policy at the time of the assessment. Further, of the assessment targets that did have a written policy, some of the assessment targets had not implemented the policy until after staff were given access to the MHR system.

2.6 These results indicated that five assessment targets did not comply with the minimum requirements of Rule 42 of the My Health Records Rule (implementing an access security policy), which was also not consistent with the reasonable steps to secure personal information required under APP 11.

Rule 41 and 42(1) require healthcare providers to have a written access security policy to be eligible to be registered, or remain registered, under the MHR system. The policy underpins the security governance for end-users of the MHR system, and is therefore critical for pharmacies to ensure protection of sensitive information. It also helps build staff awareness of obligations under MHR legislation.

2.7 Having regard to the circumstances, the Privacy Commissioner exercised her discretion to take further regulatory action by opening Commissioner initiated investigations under section 40 of the Privacy Act.

2.8 The purpose of the investigations was to inquire about the circumstances in which these assessment targets were accessing the MHR system without an access security policy. In particular, the OAIC sought assurance that, despite the absence of an access security policy, there had been no instances of unauthorised access to the MHR system.

2.9 The investigations were finalised on the basis that:

  • two assessment targets implemented an access security policy that met the requirements of Rule 42 of the My Health Records Rule
  • two assessment targets elected to deregister from the MHR system
  • further information and submissions were provided, including that there had been no instances of unauthorised access to the MHR system.

Access to the My Health Record system

Areas of good privacy practice

2.10 All assessment targets with an MHR access security policy outlined the process for authorising staff access in the policy. All pharmacies and five out of six diagnostic imaging services with an MHR access security policy limited access to those staff who require access as part of their duties.

2.11 Most assessment targets (16 out of 17) with an MHR access security policy stipulated a process for identifying individual access to the MHR system. Almost all assessment targets reported assigning internal identification numbers to staff via their respective clinical software systems.

2.12 While 13 out of 14 pharmacies reported that they record this internal identification number each time a staff member accesses the MHR system, only four out of eight diagnostic imaging services reported doing so.

Areas for improvement

2.13 All assessment targets with an MHR access security policy outlined the process for deactivating user accounts, including the requirement to deactivate user accounts whose security has been compromised.

2.14 The majority of pharmacies’ MHR access security policies did not address every circumstance that requires deactivation as prescribed by the My Health Records Rule. Under Rules 42(4)(a), 44(d) and 44(e), healthcare providers must have a process for suspending or deactivating the user accounts of staff:

  • who leave the organisation
  • whose security has been compromised
  • whose duties no longer require them to access the MHR system.

2.15 All diagnostic imaging services that had an MHR access security policy addressed these circumstances.

2.16 The majority of assessment targets reported that they do not immediately suspend or deactivate user accounts after becoming aware that the user account has been compromised, as required under Rule 44(e); however, most assessment targets did so within 24 hours.

Rule 44(e) requires healthcare providers to employ reasonable user account management practices including suspending a user account that enables access to the MHR system as soon as practicable after becoming aware that the account or its password or access mechanism has been compromised. These steps will assist healthcare providers to reduce the risk of unauthorised access to the MHR system.

Training

Areas of good privacy practice

2.17 Most assessment targets (15 out of 17) with an MHR access security policy addressed, in their respective policies, the training to be provided to staff who access the MHR system. Further, 15 out of 22 of the assessment targets provide training to their staff before they are given access to the MHR system.

2.18 Most assessment targets (16 out of 22) had provided MHR training within the 12 months prior to the assessment.

2.19 Of the assessment targets that provided MHR training to their staff, the majority deliver the training either in person or via an online learning course. All assessment targets that engage short-term staff and contractors provide training to those who access the MHR system as part of their role.

Areas for improvement

2.20 Three assessment targets reported that their staff do not receive any MHR-related training. Three assessment targets advised that their staff were provided access to the MHR system without having first received training. Implementing MHR-specific training is one of the minimum requirements for accessing the MHR system under Rule 42 of the My Health Records Rule. Healthcare providers must be able to train staff before their organisation connects to the MHR system.

2.21 Several assessment targets (12 out of 22) do not offer MHR refresher training to staff.

Training helps ensure staff are aware of their MHR and privacy obligations and handle personal information in a consumer’s MHR accordingly. This can reduce the likelihood of a breach of MHR privacy and access security obligations. Healthcare providers should provide regular and ongoing training to staff annually, in addition to ad hoc training when there are changes to legislation or MHR system functionalities.

2.22 The training offered by the majority of assessment targets does not cover the legal obligations on the organisation and its staff when accessing MHRs, or the consequences of breaching those obligations.

2.23 Only 13 out of 22 assessment targets maintain a register of staff who have attended training.

Physical and information security measures

Areas of good privacy practice

2.24 Most assessment targets reported good physical security measures such as:

  • requiring staff to log in to devices using a username and password, or a similar approach
  • locking staff out of accounts after a specified number of failed logins
  • positioning monitors so they cannot easily be read by unauthorised persons
  • maintaining an up-to-date register of staff who are authorised to access the MHR system
  • automatically locking devices if left inactive or unattended.

Areas for improvement

2.25 Two of the assessment targets did not require staff to use a password when accessing MHRs.

2.26 Most assessment targets had a required minimum length of less than 10 characters for passwords, and some had no requirement to use a combination of letters, numbers and symbols.

Rule 44(c) requires healthcare providers to employ reasonable user account management practices, including having password and/or other access mechanisms that are sufficiently secure and robust given the security and privacy risks associated with unauthorised access to the My Health Record system. The OAIC recommends that healthcare providers apply the ADHA’s recommended standard of 13 or more characters (using a combination of letters, numbers and symbols) to all passwords used to access the My Health Record system. This will ensure that passwords used to access the MHR system are sufficiently complex and secure to comply with Rule 44(c).

2.27 Seven assessment targets required staff to change passwords either annually or bi-annually. Where this was the case, the OAIC recommended that passwords be changed every 90 days in order to reduce the risk of unauthorised access to the MHR system.

Risk management and risk mitigation strategies

Areas of good privacy practice

2.28 Most assessment targets (17 out of 22) reported having a procedure in place for identifying and responding to MHR-related security and privacy risks.

2.29 Most assessment targets (16 out of 22) kept an incident log of suspected or actual MHR system breaches that records the date and time of breach, the user account involved and the patient whose information was involved in the breach.

Areas for improvement

2.30 Whilst most assessment targets maintained an incident log of suspected or actual MHR system breaches, the level of information recorded varied amongst targets. The majority of assessment targets (18 out of 22) did not record the following matters relevant to managing a security breach under APP 11:

  • how the incident occurred
  • how the incident was contained and rectified.

2.31 The assessment also identified that monitoring user access to the MHR system through audit logging was a recurring area for improvement, with only nine out of 22 assessment targets reporting that they use audit logs to monitor staff access to the MHR system.

2.32 Of the pharmacies that did not use audit logs, the majority undertook no other form of monitoring of staff access to the MHR system.

Under Rule 42(4)(e), healthcare providers must have mitigation strategies to ensure MHR system-related security risks can be promptly identified, acted upon and reported to management. Audit logs are an important tool that can be used to monitor staff access to the MHR system. Maintaining a chronological record of system activities is key to detecting unauthorised access to the MHR system. Audit logs should record the user identity, date and time of access, whose MHR was accessed and the type of information that was accessed.
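The following is an added illustration, not part of the OAIC report or any ADHA tooling, of how the audit log fields listed above (user identity, date and time, whose record was accessed, type of information) can be reviewed against an organisation’s register of authorised staff and its account deactivation dates. The log format, the register, the user identifiers and the record identifiers are all constructed assumptions for this example.

```python
from datetime import datetime

# Constructed sample audit log (not real data). One access per line:
# user id | timestamp | identifier of the record accessed | type of information
AUDIT_LOG = """\
u1042|2019-04-02T09:15:00|REC-0001|medicines
u1042|2019-04-02T09:16:30|REC-0002|allergies
u2077|2019-04-02T10:05:00|REC-0003|conditions
u3001|2019-04-03T11:00:00|REC-0001|medicines
u2077|2019-04-04T08:30:00|REC-0004|conditions
"""

# Constructed register of staff authorised to access the MHR system.
# Value is None for an active account, or the timestamp at which the
# account was suspended/deactivated (Rules 44(d) and 44(e)).
REGISTER = {
    "u1042": None,
    "u2077": datetime(2019, 4, 3, 17, 0),  # deactivated at close of 3 April
}


def parse_log(text):
    """Split each log line into (user, timestamp, record, info_type)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, record, info = line.split("|")
        entries.append((user, datetime.fromisoformat(ts), record, info))
    return entries


def find_suspect_access(text, register):
    """Return accesses that the register does not account for.

    Flags a user who is not on the authorised register at all, and any
    access that occurred at or after the user's deactivation timestamp.
    """
    findings = []
    for user, ts, record, info in parse_log(text):
        if user not in register:
            findings.append((user, ts.isoformat(), record, "user not on authorised register"))
        elif register[user] is not None and ts >= register[user]:
            findings.append((user, ts.isoformat(), record, "access after account deactivation"))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_access(AUDIT_LOG, REGISTER):
        print(finding)
```

Each finding carries the user, time and record involved, which are the details the report notes should appear in an incident log when a suspected breach is escalated to management.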

Footnotes

[1] In this report, ‘consumers’ is used to describe individuals as recipients of healthcare. This is consistent with terminology in the My Health Records Act 2012.

[2] Rule 44 states that healthcare provider organisations must ensure that their information technology systems, which are used by people to access the MHR system via or on behalf of the healthcare provider organisation, employ reasonable user account management practices.