What does the new security requirements conformance profile contain?
The security requirements conformance profile (the profile) contains software requirements that harden clinical information systems from cyber security attacks, uplift information security and protect patient information and your software product. The requirements are based on the Essential Eight mitigation strategies that help protect systems against a range of online and cyber security threats.
Where can I find the new profile?
The new profile is published on the Agency Developer Centre:
When does the new profile commence?
The profile will apply from April 2023. The Agency will phase the implementation of the profile, with different vendor cohorts required to pass conformance at varying intervals. This new profile and implementation timetable are initially released as a draft for review and comment for a period of 3 months from publication. All feedback received on the draft profile and proposed implementation timetable will inform the final release of the profile.
Why is the commencement of the profile being phased?
The Agency anticipates that current cyber security posture for many vendors means their software products may already conform to the new requirements. However, the Agency also recognises that the capability and capacity for security uplift across the sector is highly variable. The Agency is seeking to balance the imperative of strengthening security for all systems connected to My Health Record with the feasibility for vendors to do so, considering the varying levels of product maturity and potential administrative and financial burden.
How do I provide feedback on the profile and implementation approach?
You can email the Agency at [email protected] to share your views.
What do I need to do to pass conformance?
The steps for passing conformance are listed on the Security Requirements Conformance Profile webpage. You can also register for an information session which will provide an overview of the profile and steps required. You can email the Agency at [email protected] if you would like to register your interest in an information session or have questions specific to your product.
Why is the Agency publishing the profile?
Cyber security is a continuing threat worldwide, and the Agency understands the importance of protecting connected systems and patient information. The Agency will use the profile, in partnership with software developers, to ensure appropriate security posture through maturing systems and reinforcing the cyber security Essential Eight.
Which systems need to conform to the profile?
All clinical information systems that use one or more My Health Record B2B web services need to conform to the profile.
I already have production access to My Health Record. Do I need to do this extra conformance?
Yes. The profile is new and will apply to clinical information systems retrospectively.
Can I opt out?
No. The profile applies to all clinical information systems that use one or more My Health Record B2B web services. The profile is applied retrospectively.
What is the time frame for passing security conformance?
The Agency is phasing the implementation approach for the profile once it becomes effective in April 2023. The phased approach is designed to balance the imperative of strengthening security for all systems connected to My Health Record with the feasibility for vendors to do so, considering the varying levels of product maturity and potential administrative and financial burden. We invite you to provide feedback on the proposed implementation timetable so we can consider any specific impacts to your product roadmap.
What support is available from the Agency?
Information about the profile and conformance workflow is available in the Developer Centre. You can register for an information session which will provide an overview of the profile and steps required to meet conformance. You can email the Agency at [email protected] if you would like advance notice of future information sessions or have questions specific to your product.
Is there a cost to conform to the security requirements?
Costs will depend on whether or not there are product changes required to conform to the new security requirements and how these changes are typically managed. Penetration and vulnerability testing conducted by third parties is likely to incur a cost, though most vendors who need to conform with this requirement will already be undertaking this testing as part of their core business and product management. There is no cost for the Agency conformance assessment.
Will there be financial compensation to cover independent testing services?
No. Ensuring your software products are hardened against cyber security threats is a core part of every business connecting to My Health Record. The Agency expects that most vendors who need to conform to the requirements for independent penetration and vulnerability testing are already undertaking this testing as part of their core business and product management.
How often will I have to do testing?
If penetration testing is required for your product, it will need to be performed at least once per year. For vulnerability testing, the Agency will work with you to understand and explain your testing requirements.
Will the security requirements affect healthcare providers or clinical workflow?
The security requirements are intended to minimise the impact on existing clinical workflow. However, some minor impact may be introduced for some software.
Will the security requirements affect mobile services?
Mobile devices using the My Health Record mobile channel are not impacted by the profile.
Will this affect a healthcare provider’s access to My Health Record?
No. The security requirements harden clinical information systems without interfering with the ability to access My Health Record.
The Agency will partner with you to help you protect your systems and your clients’ information. Contact [email protected] to speak to a specialist.
What will happen if businesses don’t comply with the security requirements?
The Agency will work with your organisation to understand your barriers and to assist you in uplifting your software product. Your participation in the My Health Record program is important and the Agency will assist you as best it can.
Do businesses need to do self-assessment or observed assessment?
The Agency will apply an observed assessment process when your product is ready for conformance testing. You can contact [email protected] for more information or to book an observation session. You will need to ensure your product is ready before booking an observation session.
Do I need to get independent penetration testing?
Clinical information systems that fit the description for use case 4 (refer to the profile) will need to have their software product penetration tested by a CREST member organisation or CREST-accredited individual. The CREST-accredited individual may be within the software developer organisation. Email the Agency at [email protected] if you would like to know more about the use cases.
Do I need to get independent vulnerability testing?
Clinical information systems that fit the description for use case 2 or use case 3 (refer to the profile) will need to have their software product vulnerability tested by a CREST member. Email the Agency at [email protected] if you would like to know more about the use cases.
I did penetration and vulnerability testing recently. Do I need to repeat that testing?
The Agency will consider written test reports for testing undertaken recently. Email the Agency at [email protected] so we can verify and assess the currency of the test reports.
Will I have to repeat Notice of Connection (NOC) testing with Services Australia or Accenture?
No. Your letter stating you have notice of connection is still valid and NOC testing need not be repeated.