Conformance Update
The Australian Digital Health Agency (the Agency) published the My Health Record Connecting Systems Security Conformance Profile v1.0 (Security Profile). The Agency is currently coordinating the relevant conformance processes, procedures, and all necessary documentation to support software developers in implementing the Security Profile. As part of the proposed process, software developers are required to conduct their own testing of the software against the mandatory and relevant conditional requirements. Once software developers are satisfied that they meet the requirement criteria, they must provide test result evidence to the Agency for conformance assessment. After successful validation of the evidence, software developers will be able to declare conformance to the Security Profile by submitting a vendor declaration form.
The Agency encourages software developers to begin implementing the required software capabilities in preparation for conformance assessment, which will commence from February 2025.
If you need further assistance or clarification, please contact us at [email protected]
The Agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care. To address this risk, a set of security requirements for systems connecting to the My Health Record system has been identified. The controls that are most relevant to the development of software for healthcare organisations have been selected from the Australian Cyber Security Centre’s Information Security Manual (ISM).
Since December 2022, the Agency has offered all software developers and public and private hospitals several opportunities to provide feedback on the draft version of the Security Profile through reviews, discussions, workshops and webinars. The extensive feedback received has been considered and incorporated into the profile where appropriate for delivery of this final Security Profile.
The focus of this conformance profile is on incorporating the security control functionalities within software systems that are connected to the My Health Record system either directly or indirectly. This conformance profile sets a minimum standard or baseline level of cyber security that is expected of connecting systems, and that is consistently adopted. The requirements in this conformance profile are intended to strike an appropriate balance between strengthening the cyber security posture of all connecting systems and minimising potential impacts on software providers and overall system participation. In doing so, this conformance profile supports the overarching goals of improving security within healthcare software systems and fostering a secure and trusted healthcare ecosystem.
The Agency is in the process of updating the My Health Record System Conformance Assessment Scheme (CAS) for connecting systems, which refers to the conformance requirements in the profile. It is anticipated that the updated CAS will be available from February 2025.
Benefits of the new security requirements
The new requirements ensure that software developers of connected clinical information systems:
- reduce the likelihood of cyber-attacks by disabling redundant technologies
- strengthen system authentication and application timeouts
- use contemporary encryption methods
- perform third-party security testing (penetration testing and vulnerability testing)
- reduce the risk of security vulnerabilities by keeping software up to date (patching)
- securely back up personal and clinical information.
Conformance steps
The conformance process is being reviewed. The steps that software developers will have to complete in order to achieve conformance will be published on this web page by February 2025.
Questions and further information
Have any questions?
Please visit:
My Health Record Connecting Systems Security Conformance Profile - Frequently Asked Questions (FAQ)
Contact us:
If you require assistance during any stage of this process, please email the Agency at [email protected]