The Agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care. To address this risk, a set of security requirements for systems connecting to the My Health Record system have been identified. The controls that are most relevant to the development of software for healthcare organisations, have been selected from the Australian Cyber Security Centre’s Information Security Manual (ISM).
The Agency released 2 draft versions of the Security Requirements for My Health Record Connecting Systems Conformance Profile between December 2022 and October 2023, and invited stakeholder review and feedback with each draft release. Detailed feedback provided to the Agency during the review periods is being used to make final updates to the profile which will be published in 2024. For more information, refer to Update - Security Requirements for My Health Record Connecting Systems - Conformance Profile - Draft v1.1.
Benefits of the new security requirements
The new requirements ensure that software developers of connected clinical information systems:
- reduce the likelihood of cyber-attacks by disabling redundant technologies
- strengthen system authentication and application timeouts
- use contemporary encryption methods
- perform third-party security testing (penetration testing and vulnerability testing)
- reduce the risk of security vulnerabilities by keeping software up to date (patching)
- securely back up personal and clinical information.
The conformance process is being reviewed while the conformance profile continues to be iteratively developed. The steps that software developers will be required to complete in order to achieve conformance will be published on this web page when the final version of the profile is released.
Questions and further information
Have any questions?
If you require assistance during any stage of this process, please email the Agency at [email protected].