The Agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care. To address this risk, a set of security requirements for systems connecting to the My Health Record system have been identified, comprising controls related to application development and web development, with controls aligned to the Australian Cyber Security Centre’s (ACSC) Essential Eight Maturity Model. These controls are selected as the areas of the ACSC Information Security Manual (ISM) that are most relevant to the development of software for healthcare organisations.
The focus is on incorporating functionality within Clinical Information Systems (CIS) connected to the My Health Record system that will enable healthcare providers to implement better security within their organisations, while also balancing the potential impacts on software providers and on system participation.
The Agency is in the process of updating the My Health Record System Conformance Assessment Scheme (CAS) for connecting systems that refers to conformance requirements in the profile. It is anticipated that the release of the updated CAS will coincide with the release of the final version of the new profile, following the review period.