In December 2022, the Agency released a draft of the Security Requirements for My Health Record Connecting Systems Conformance Profile v1.0 (refer to release note). The draft profile was released for a 3-month review period, during which all stakeholders were invited to provide feedback.
The review period is now complete, and detailed analysis of the feedback has begun. This is likely to result in amendments to the draft profile. We anticipate being able to release an updated draft version around July 2023.
The Agency will phase the implementation of the profile, with different vendor cohorts required to pass conformance within different time frames. An updated implementation timetable will also be published with the profile, informed by feedback received on the proposed segmentation and conformance time frames.
Please note that all clinical information systems that use one or more My Health Record B2B web services will need to conform to the new profile.
The Agency is committed to providing support to vendors to make sure their systems pass conformance.
Benefits of the new security requirements
The new requirements conform to the ACSC’s Strategies to Mitigate Cyber Security Incidents, known as the Essential Eight, and ensure that software developers of connected clinical information systems:
- reduce the likelihood of cyber attacks by disabling redundant technologies
- strengthen system authentication and application timeouts
- use contemporary encryption methods
- perform third-party security testing (penetration testing and vulnerability testing)
- reduce the risk of security vulnerabilities by keeping software up to date (patching)
- securely back up personal and clinical information.
To pass conformance, most vendors will need to take the following steps:
1. Download and read the profile from the Developer Centre: Security Requirements for My Health Record Connecting Systems Conformance Profile v1.0.
2. Decide which of the 4 use cases best matches your product.
3. Adjust your software product, if necessary, so that it satisfies the requirements applicable to your chosen use cases. The profile supports the cyber security Essential Eight, so your software might already satisfy some requirements.
4. Using your internal testing processes, self-test your software product so you are certain it is conformant.
5. If use cases 2 or 3 apply to your product and you require a current vulnerability test report, engage an accredited vulnerability tester and receive a written vulnerability report.
6. If use case 4 applies to you and you require a current penetration report, engage a CREST-accredited penetration testing service and receive a written penetration test report.
7. Email the Agency at [email protected] and request a conformance session. Provide your written penetration test and vulnerability reports when you request a session.
8. Work with the Agency to complete the conformance session. You’ll be given a test summary report a few days after the session is complete.
9. Deploy your conformant software product to your customer base (if necessary).
Phased Implementation Timetable
This draft phased implementation timetable gives guidance on expected time frames to implement software changes, per product segment for software providers.
This proposed timetable is currently being reviewed, and an updated implementation timetable will be released with the updated draft version of the conformance profile.
| Phase | Product segment | Timeframe for conformance |
|---|---|---|
| Tranche 1 | Acute care | 6 to 12 months |
| Tranche 2 | General practice | 12 months |
| Tranche 3 | Pathology, radiology | 18 months |
| Tranche 4 | Aged care | 24 months |
| | Other (community, allied health etc.) | 24 months |
| | Products in development (all segments) with no industry offer | 24 months |
| Tranche 5 | Products in development (all segments) under industry offer | To be agreed with individual vendors |
Questions and further information
Have any questions?
Security Requirements Conformance Profile for systems connected to My Health Record Frequently Asked Questions (FAQ)
If you require assistance during any stage of this process, please email the Agency at [email protected]