Date: Monday, September 7, 2020
The Australian Information Commissioner has today published a summary of access security governance for the My Health Record system, drawn from assessments of 22 healthcare organisations.
Overview

The Australian Digital Health Agency operates the My Health Record system and the Office of the Information Commissioner (OAIC) oversees the privacy aspects of the system. As part of its supervisory activity, the OAIC assesses compliance of healthcare providers with their obligations under the My Health Records Act 2012 and Privacy Act 1988.

The OAIC has reported areas of good privacy practice, with most organisations having My Health Record security policies, suitable access controls and training in place. It also reports broad compliance with processes for suspending or deactivating user accounts, and for identifying and responding to My Health Record-related security and privacy risks. Finally, the OAIC found that most of the assessed organisations provided appropriate levels of initial and refresher training to their staff.

The OAIC also identifies areas for improvement. It concluded that some providers did not have a written access security policy in place, had not implemented sufficient processes to deactivate accounts, had not provided appropriate initial or refresher training, or had not required passwords strong enough for the sensitive health information being accessed.

The Agency encourages healthcare organisations to consider the guidance issued by the OAIC today, which sets out better practice on how healthcare organisations can comply with their obligations under Rule 42 regarding security and access. This provides clear and current feedback to industry on the regulator’s views on compliant – and non-compliant – practices.

The Agency also publishes guidance to assist healthcare organisations in complying with their obligations, including guidance on security and account management, and training modules on cyber and security awareness for healthcare organisations. The Agency is also working with the healthcare sector to raise cyber maturity by identifying baseline security standards for health software, as part of our response to the ANAO recommendation to strengthen the information security assurance framework. Healthcare providers can contact the Agency at [email protected] if they would like assistance in meeting their obligations and implementing security and access controls.