A new security requirements conformance profile (the profile) has been released for clinical information systems (CIS) connected to My Health Record, effective from April 2023.
The Agency will phase the implementation of the profile, with different vendor cohorts required to pass conformance at different intervals as set out in the timetable below. The profile and the implementation timetable are initially released as a draft for review and comment. All feedback received on the draft profile and the proposed implementation timetable will inform the final release of the profile.
This new profile is known as the Security Requirements for My Health Record Connecting Systems Conformance Profile v1.0 (refer to the release note).
This page describes what vendors need to do and how to get assistance at any stage of the process.
Please note that every clinical information system that uses one or more My Health Record B2B web services will need to conform to the new profile.
The Agency is committed to providing support to vendors to make sure their systems pass conformance. Information sessions will also be available, following the final release of the profile, which will provide an overview of the profile and detail of the steps to conform.
You can email the Agency at [email protected] to share your views during the review period.
Benefits of the new security requirements
The new requirements align with the Essential Eight, the ACSC's prioritised Strategies to Mitigate Cyber Security Incidents, and require software developers of connected clinical information systems to:
- reduce the attack surface, and so the likelihood of cyber attacks, by disabling redundant technologies
- strengthen system authentication and enforce application session timeouts
- use contemporary encryption methods
- perform third-party security testing (penetration testing and vulnerability testing)
- reduce the risk of security vulnerabilities by keeping software up to date (patching)
- securely back up personal and clinical information.
To pass conformance, most vendors will need to take the following steps:
1. Download and read the profile from the Developer Centre:
Security Requirements for My Health Record Connecting Systems Conformance Profile v1.0
2. Decide which of the 4 use cases best matches your product.
3. Adjust your software product, if necessary, so that it satisfies the requirements applicable to your chosen use case(s). The profile is aligned with the Essential Eight, so your software might already satisfy some requirements.
4. Using your internal testing processes, self-test your software product so you are certain it is conformant.
5. If use cases 2 or 3 apply to your product and you require a current vulnerability test report, engage an accredited vulnerability tester and receive a written vulnerability report.
6. If use case 4 applies to your product and you require a current penetration test report, engage a CREST-accredited penetration testing service and receive a written penetration test report.
7. Email the Agency at [email protected] and request a conformance session. Provide your written penetration test and vulnerability reports (where required for your use case) when you request a session.
8. Work with the Agency to complete the conformance session. You’ll be given a test summary report a few days after the session is complete.
9. Deploy your conformant software product to your customer base (if necessary).
Phased Implementation Timetable
| Phase | Product segment | Timeframe for conformance |
| --- | --- | --- |
| Tranche 1 | Acute care | 6 to 12 months |
| Tranche 2 | General Practice | 12 months |
| Tranche 3 | Pathology, Radiology | 18 months |
| Tranche 4 | Aged Care | 24 months |
| | Other (Community, Allied health etc.) | 24 months |
| | Products in development (all segments) with no industry offer | 24 months |
| Tranche 5 | Products in development (all segments) under industry offer | To be agreed with individual vendors |
Questions and further information
Have any questions?
If you require assistance at any stage of this process, please email the Agency at [email protected]