The government agency implementing My Health Record failed to appropriately manage cybersecurity risks or complete any of its four planned privacy assessments, according to a performance review by the Australian National Audit Office, which also found emergency access to patient records was routinely misused. 

While the implementation has been “largely effective” overall, the national auditor found that the $1.5 billion e-health scheme, which now covers 90 per cent of Australians, needs better management of shared cybersecurity risks and better controls over the “emergency access” to patients’ records, which was being used as intended in fewer than one in 10 cases.

The Australian Digital Health Agency (ADHA), responsible for My Health Record, has agreed to complete an end-to-end privacy risk assessment in response to the auditor’s findings but declined to explain why the existing privacy assessments had not been completed.

Privacy advocates say they are concerned with the auditor’s findings as well as the lack of response to the review by the government and medical groups which “seems to be hoping that it will go away if they just ignore it”.

My Health Record is an online document store of patient records aimed at providing continuity of health care across different medical professionals and services. Earlier this year the government switched the model to opt-out, after it had been opt-in since 2012, when the first iteration of the scheme began.

The switch captured 90 per cent of Australians but was criticised by privacy and technology experts, concerned sensitive patient data would be exposed. More than 22.6 million Australians now have a digital health record.

A review of the rollout by Australia’s privacy watchdog revealed the opt-out switch led to a surge in privacy complaints, and there have now been at least 35 related data breaches.

Auditor’s findings

The National Audit Office this week found the implementation of My Health Record “has been largely effective” and the scheme’s planning, governance and communication were “appropriate”.

The review does, however, make several recommendations, including that the ADHA review its shared cyber risks and mitigation controls, review emergency access procedures, and complete its outstanding privacy assessments.

According to the auditor’s review, the ADHA has failed to complete a single end-to-end privacy risk assessment of the scheme since 2017 despite funding the privacy regulator to conduct four such reviews.

Asked why the reviews have not been completed, an ADHA spokesperson referred Which-50 to the Office of the Australian Information Commissioner.

Update 27/11/19: The OAIC confirmed it commenced three privacy assessments of My Health Record in the last financial year and continued one from the previous financial year but is yet to complete them.

An OAIC spokesperson told Which-50 the privacy regulator has completed the document review and fieldwork stages of all four privacy assessments, leaving only the reporting stage remaining.

But the regulator says it is still “undertaking related inquiries and investigations and will await the conclusion of those matters before all current assessments are finalised”.

The reports are expected to be finalised in the 2019–20 financial year.

“The OAIC welcomes the Australian National Audit Office’s report on My Health Record which identifies some matters that are also being considered within the OAIC’s current privacy assessments,” the spokesperson said.

“The ANAO’s recommendations will inform the OAIC’s forward program as it monitors the privacy aspects of the My Health Record system.”  

Despite no extensive privacy assessment having been completed since before the opt-out switch was announced, the review says “ADHA’s management of privacy risks was largely appropriate” during implementation.

The ADHA has now agreed to conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls.

The agency and the Department of Health have also agreed to review, in consultation with the Information Commissioner, the procedure for emergency access to patients’ records.

“ADHA did not have sufficient assurance arrangements to satisfy itself that all instances of the emergency access did not constitute an interference with privacy,” the audit states.

Currently, registered healthcare provider organisations and other system participants, including the ADHA, can use an “emergency access” override function to access patients’ records in situations “involving a serious threat to an individual’s life, health or safety, or a serious threat to public health or public safety”.

Use of the function more than doubled under the opt-out model, but it was rarely used appropriately.

According to the audit, “Monthly use of the function increased from 80 instances in July 2018 – prior to the transition to an opt-out model – to 205 instances in March 2019 … in only 8.2 per cent of instances was it used as intended.”

The ADHA monitors emergency access and asks the healthcare organisations that use the function to provide a valid reason for each use. But the national auditor found the agency failed to follow up when valid responses were not provided, and did not notify the privacy regulator when the privacy provisions of the My Health Record Act may have been breached.
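The assurance loop the auditor describes, as an added Python example that is not ADHA’s own code: each override event is reconciled against the justification received, so that every use ends in one of three outcomes (as intended, chased for a reason, or referred to the regulator). Field names, organisation codes, reason categories and the 14-day follow-up window are assumptions.

```python
from datetime import date

# Constructed sample events: one row per use of the emergency-access override,
# with the justification the provider organisation gave when asked (None = no reply).
# Field names, org codes and reason categories are assumptions, not ADHA's real schema.
EVENTS = [
    {"id": 1, "accessed": date(2019, 3, 2), "org": "HPO-A", "reason": "serious threat to life"},
    {"id": 2, "accessed": date(2019, 3, 3), "org": "HPO-B", "reason": "patient forgot access code"},
    {"id": 3, "accessed": date(2019, 3, 4), "org": "HPO-C", "reason": None},
    {"id": 4, "accessed": date(2019, 3, 20), "org": "HPO-A", "reason": None},
]
REVIEW_DATE = date(2019, 3, 25)  # date the monthly review is run (constructed)

# Justifications that match the legislated grounds (serious threat to life, health,
# safety, or public health/safety). Assumed categories for illustration.
INTENDED_REASONS = {
    "serious threat to life",
    "serious threat to health or safety",
    "serious threat to public health or safety",
}
FOLLOW_UP_DAYS = 14  # assumed deadline for a provider to answer the request for a reason


def triage(events, today):
    """Classify each override event so that none is left without a closing action."""
    result = {"as_intended": [], "possible_breach": [], "awaiting_response": [], "follow_up_overdue": []}
    for ev in events:
        if ev["reason"] is None:
            # No justification yet: still inside the window, or overdue and must be chased.
            age = (today - ev["accessed"]).days
            bucket = "follow_up_overdue" if age > FOLLOW_UP_DAYS else "awaiting_response"
        elif ev["reason"].lower() in INTENDED_REASONS:
            bucket = "as_intended"
        else:
            # A reason was given but it is not a legislated ground: refer to the regulator.
            bucket = "possible_breach"
        result[bucket].append(ev["id"])
    return result


def intended_rate(events, today):
    """Share of all override uses justified on intended grounds (the auditor's 8.2% metric)."""
    if not events:
        return 0.0
    return len(triage(events, today)["as_intended"]) / len(events)


if __name__ == "__main__":
    print(triage(EVENTS, REVIEW_DATE))
    print(f"used as intended: {intended_rate(EVENTS, REVIEW_DATE):.1%}")
```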

Also of concern to the auditor was the management of “shared cyber risks” – managing risks involving third party software vendors and healthcare provider organisations – which it said were not appropriate and should be improved.

An ADHA spokesperson said the agency acknowledged the ANAO’s recommendation that it take the lead on supporting the health sector to improve cyber posture.

“As such, the Agency will work with Commonwealth entities, State and Territory Governments, healthcare providers and professionals, the technology industry and consumer groups to implement the recommendations.”

Privacy ‘platitudes’

Dr Bernard Robertson-Dunn, Chair of the Australian Privacy Foundation’s Health Committee, says there is no evidence the ANAO review is being taken seriously despite the “obvious risks to the security and privacy of Australians’ health data”.

“The government does not seem to realise that when it comes to privacy and security, near enough is not good enough,” Robertson-Dunn told Which-50.

“The phrase ‘largely appropriate’ was used 11 times in the review and the ANAO concluded that management of shared cybersecurity risks was not appropriate and should be improved.

“Privacy and security issues need to be addressed properly and completely, not half-heartedly as has been the case with My Health Record.”

Robertson-Dunn said Australians “deserve better” from the government.

“What they are getting is totally inadequate. The government needs to show that they really do ‘take your security and privacy seriously’. Platitudes are not good enough.”

Health Minister Greg Hunt’s office did not respond to a request for comment on the ANAO’s findings.
