The Agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care. To address this risk, a set of security requirements for systems connecting to the My Health Record system have been identified. The controls that are most relevant to the development of software for healthcare organisations, have been selected from the Australian Cyber Security Centre’s Information Security Manual (ISM).
In March 2023, the Agency has completed 3-month stakeholder review on the draft version of Security Requirements for My Health Record Connecting Systems Conformance Profile. The industry feedback has been reviewed and incorporated into the profile as appropriate. The updated security requirements are intended to strike an appropriate balance between strengthening the cyber security posture of all connecting systems and minimising potential impacts on software providers and overall system participation.
Software providers developing software products that access the My Health Record system via the Business-to-Business (B2B) Gateway services are required to read the final draft version of Security Requirements for My Health Record Connecting Systems Conformance Profile.
This document is now open for final stakeholder review for 2 weeks. If you have any feedback, please submit it to [email protected]. Subsequently, the document will be finalised for publication and effective from 1 November 2023.
The Agency will phase the implementation of the profile, with different vendor cohorts required to pass conformance within different time frames. Please see the Phased Implementation Timetable below.
Please note that all clinical information systems that use one or more My Health Record B2B web services will need to conform to the new profile.
The Agency is committed to providing support to vendors to make sure their systems pass conformance.
Benefits of the new security requirements
The new requirements ensure that software developers of connected clinical information systems:
- reduce the likelihood of cyber-attacks by disabling redundant technologies
- strengthen system authentication and application timeouts
- use contemporary encryption methods
- perform third-party security testing (penetration testing and vulnerability testing)
- reduce the risk of security vulnerabilities by keeping software up to date (patching)
- securely back up personal and clinical information.
To gain conformance, software vendors of healthcare software systems connecting to the My Heath Records system will need to take the following steps:
- Read the profile from the Developer Portal (this site):
Security Requirements for My Health Record Connecting Systems Conformance Profile v1.0.
- Identify the requirements that are applicable to your software.
For a healthcare software system to be considered conformant, it must meet the mandatory requirements and all relevant conditional requirements. Conditional requirements are deemed mandatory if the specific conditions are met for the implementation.
While conformance to the recommended requirements is not mandated, it is advisable for healthcare software systems to implement recommended requirements where possible, as these requirements may become mandatory in future releases.
- Conduct a self-assessment against the applicable requirements and your own internal testing.
- If the software system requires a current penetration or vulnerability test report, engage a penetration or vulnerability testing service where appropriate.
- Email the Agency at [email protected] and request a conformance session. Provide your written penetration test and vulnerability reports (if applicable).
- Work with the Agency to complete the conformance session. You’ll be given a test summary report a few days after the session is complete.
- Deploy your conformant software product to your customer base (if necessary).
Phased Implementation Timetable
This phased implementation timetable gives guidance on expected time frames to implement software changes, per product segment for software providers.
This timetable has been reviewed and incorporated industry feedback. If your software falls into multiple product segments, the longest timeframe for conformance will be used.
|Phase||Product segment||Timeframe for conformance|
|Tranche 1||Acute care||6 to 12 months|
|Tranche 2||General practice||12 months|
|Tranche 3||Pathology, radiology||18 months|
|Tranche 4||Aged care||24 months|
|Other (community, allied health etc.)||24 months|
|Products in development (all segments) with no industry offer||24 months|
|Tranche 5||Products in development (all segments) under industry offer||To be agreed with individual vendors|
Questions and further information
Any questions? Please visit:
If you require assistance during any stage of this process, please email the Agency at [email protected].