What does the new Security Requirements for My Health Record Connecting Systems Conformance Profile contain?
The Security Requirements for My Health Record Connecting Systems Conformance Profile (the profile) contains software requirements that harden clinical information systems against cyber security attacks, uplift information security, and protect patient information and your software product. The requirements are based on the Australian Cyber Security Centre Information Security Manual (ISM). The controls have been selected from the ISM to help protect systems against a range of online and cyber security threats.
Where can I find the new profile?
The new profile is published on the Agency Developer Portal (this site):
- Security Requirements for My Health Record Connecting Systems Conformance Profile v1.0
When does the new profile commence?
The Agency will phase the implementation of the profile, with different vendor cohorts required to pass conformance within different time frames. All feedback received on the draft profile and proposed implementation timetable will inform the final release of the profile.
Why is the commencement of the profile being phased?
The Agency anticipates that current cyber security posture for many vendors means their software products may already conform to the new requirements. However, the Agency also recognises that the capability and capacity for security uplift across the sector is highly variable. The Agency is seeking to balance the imperative of strengthening security for all systems connected to My Health Record with the feasibility for vendors to do so, considering the varying levels of product maturity and potential administrative and financial burden.
How do I provide feedback on the profile and implementation approach?
You can email the Agency at [email protected] to share your views.
What do I need to do to pass conformance?
The steps for passing conformance are listed on the Security Requirements for My Health Record Connecting Systems Conformance Profile webpage. You can also register for an information session which will provide an overview of the profile and steps required. You can email the Agency at [email protected] if you would like to register your interest in an information session or have questions specific to your product.
Why is the Agency publishing the profile?
Cyber security is a continuing threat worldwide, and the Agency understands the importance of protecting connected systems and patient information. The Agency will use the profile, in partnership with software developers, to ensure appropriate security posture through maturing systems and reinforcing the cyber security Essential Eight.
Which systems need to conform to the profile?
All clinical information systems that use one or more My Health Record B2B web services need to conform to the profile.
I already have production access to My Health Record. Do I need to do this extra conformance?
Yes. The profile is new and will apply to clinical information systems retrospectively.
Can I opt out?
No. The profile applies to all clinical information systems that use one or more My Health Record B2B web services. The profile is applied retrospectively.
What is the time frame for passing security conformance?
The Agency is phasing the implementation approach for the profile once it becomes effective. The phased approach is designed to balance the imperative of strengthening security for all systems connected to My Health Record with the feasibility for vendors to do so, considering the varying levels of product maturity and potential administrative and financial burden. All feedback received will inform the final release of the timetable.
What support is available from the Agency?
Information about the profile and conformance workflow is available in the Security Requirements for My Health Record Connecting Systems - Conformance Profile - Final Draft v1.1. You can register for an information session which will provide an overview of the profile and steps required to meet conformance. You can email the Agency at [email protected] if you would like advance notice of future information sessions or have questions specific to your product.
Is there a cost to conform to the security requirements?
Costs will depend on whether product changes are required to conform to the new security requirements and how such changes are typically managed. Penetration and vulnerability testing conducted by third parties is likely to incur a cost, though most vendors who need to conform to this requirement will already be undertaking this testing as part of their core business and product management. There is no cost for the Agency conformance assessment.
Will there be financial compensation to cover independent testing services?
No. Ensuring your software products are hardened against cyber security threats is a core part of every business connecting to My Health Record. The Agency expects that most vendors who need to conform to the requirements for independent penetration and vulnerability testing are already undertaking this testing as part of their core business and product management.
Will the security requirements affect healthcare providers or clinical workflow?
The security requirements are intended to minimise the impact on existing clinical workflow. However, some minor impact may be introduced for some software.
Will the security requirements affect mobile services?
Mobile devices using the My Health Record mobile channel are not impacted by the profile.
Conformance and compliance security requirements from the profile are to be applied to connecting systems that access the My Health Record system via the Business-to-Business (B2B) Gateway services. If your software accesses the My Health Record system via the My Health Record FHIR Mobile Gateway, your software will not be impacted by the profile.
Will this affect a healthcare provider’s access to My Health Record?
No. The security requirements harden clinical information systems without interfering with the ability to access My Health Record.
The Agency will partner with you to help you protect your systems and your clients' information. Contact [email protected] to speak to a specialist.
What will happen if businesses don’t comply with the security requirements?
The Agency will work with your organisation to understand your barriers and to assist you in uplifting your software product. Your participation in the My Health Record program is important, and the Agency will assist you as best it can.
Do businesses need to do self-assessment or observed assessment?
The Agency will apply an observed assessment process when your product is ready for conformance testing. You can contact [email protected] for more information or to book an observation session. You will need to ensure your product is ready before booking an observation session.
Will I have to repeat Notice of Connection (NOC) testing with Services Australia or Accenture?
No. Your letter stating you have notice of connection is still valid and NOC testing need not be repeated.