My Health Record Connecting Systems - Security Conformance Profile v1.0.1

This document lists the security requirements that are applicable for healthcare software systems integrating with the My Health Record system.

The profile includes two main sections:

Conformance requirements that apply to the healthcare software system
Compliance requirements that apply to the software provider organisation.

Important Update

We are sharing a few document artefacts have been uplifted to provide clearer guidance on processes, requirements, and formatting. This is to support software developers in planning and implementing changes. Please familiarise yourself with the refreshed artefacts:

NOTE: The core MHR Connecting Systems Security Conformance Profile v1.0.1 requirements remain unchanged from version 1.0

The Agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care. To address this risk, a set of security requirements for systems connecting to the My Health Record system have been identified. The controls that are most relevant to the development of software for healthcare organisations, have been selected from the Australian Cyber Security Centre’s Information Security Manual (ISM).

The focus of this conformance profile is on incorporating the security control functionalities within software systems that are connected to the My Health Record system either directly or indirectly. This conformance profile sets a minimum standard or baseline level of cyber security that is expected of connecting systems, and that is consistently adopted. The requirements in this conformance profile are intended to strike an appropriate balance between strengthening the cyber security posture of all connecting systems and minimising potential impacts on software providers and overall system participation. In doing so, this conformance profile supports the overarching goals of improving security within healthcare software systems and fostering a secure and trusted healthcare ecosystem.

Benefits of the new security requirements:

The new requirements ensure that software developers of connected clinical information systems:

reduce the likelihood of cyber-attacks by disabling redundant technologies
strengthen system authentication and application timeouts
use contemporary encryption methods
perform third-party security testing (penetration testing and vulnerability testing)
reduce the risk of security vulnerabilities by keeping software up to date (patching)
securely back up personal and clinical information.

Conformance steps

The below table describes the activities for each step of the conformance process.

Process Activity	Description/Action
Access and review all artefacts in Developer Portal	MHR Connecting Systems Security Conformance Profile is a prerequisite to a software product being connected to the My Health Record system. All documentation is published on the Agency’s Developer Portal.
Complete pre-conformance testing	Execute software pre-conformance testing based on the security profile conformance test specification. Collect relevant test evidence (e.g., screenshot, recording) based on MHR Connecting Systems – Security Conformance Profile Conformance Test Specification. Complete an MHR Software Vendor Product Details form, and make sure to update your software to the latest software version. Schedule a mini-NOC (Notice of Connection) with relevant vendor e.g., Deloitte. Arrange and secure either a penetration test, vulnerability test or both with an accredited third-party security organisation (if applicable). If the security organisation is not a member of CREST, please send a request to the Agency.
Submit Conformance Assessment documents to the Agency	Send an email to help@digitalhealth.gov.au with the following information: Completed MHR Software Vendor Product Details form and ensure that the software version has been incremented. Request access to Agency’s secure collaboration platform (e.g., GOVTEAMS), if not already granted. Upload the following documents for Conformance Assessment: A completed My Health Record Connecting Systems – Security Conformance Profile Conformance Test Specification spreadsheet. Collected test evidence to support My Health Record Connecting Systems – Security Conformance Profile Conformance Test Specification. Penetration testing, vulnerability testing or both test reports, where applicable.
Submit Conformance Vendor Declaration to the Agency	Submit the following documents for Conformance Declaration. My Health Record Software Vendor Welcome Pack - Conformance Vendor Declaration Form My Health Record Connecting Systems Security Conformance Profile – Test Completion Report. This document is provided by the Agency upon successful assessment completion.

Questions and further information

Visit:

Contact us:

If you require assistance during any stage of this process, please email the Agency at help@digitalhealth.gov.au

Download Security Conformance Profile v1.0.1

DH_4187_2025_MyHealthRecordConnectingSystems_SecurityConformanceProfile_v1.0.1.pdf ()

Checksum: fc60c41c28ccefce1250b973df62ef98b01f2d165728cfd6ffe5e640994c56b0

This component belongs to the following product:

My Health Record Overviews, Guides and Conformance Material v2.0 - current

Previous versions