Third party minimum cyber compliance for My Health Record skipped: Audit Office

Would you consider self-certification sufficient for ensuring the privacy and effectiveness of your healthcare record system?…:

[…] With users able to limit visibility of their record, a function exists within My Health Record to allow health personnel to access the complete record in times of an emergency. This function is used in 0.1% of record accesses, or 205 instances in March 2019, ANAO said. However, it also found only 8.2% of those emergency accesses were on records with access control.

“ADHA sought written responses from healthcare provider organisations in relation to each instance of emergency access, and maintained detailed records and analysis of provider responses. In a number of instances, ADHA did not receive a response from specific healthcare provider organisations,” the report said.

“In these cases ADHA could not satisfy itself that the circumstances of the emergency access did not constitute an interference with privacy. In other instances, some of the responses indicated a potential contravention of the Act. To date, ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations.”

In terms of the when records are deleted from My Health Record, ANAO said permanent deletion occurs via an automated two-step process. Firstly, the record is cancelled to prevent documents being stored against it, and then within 48 hours, a record is deleted from various data stores.

But deleted records stored on backups are not as timely.

“The information is also removed from system back-ups, but this may not occur immediately: ADHA stated that ‘deleted records are removed from the backup when a new backup is created during regular backup cycle’,” ANAO said.

Despite not doing a test of the system, nor a technical review of it, ANAO gave the deletion process the tick.

“The ANAO assessed that the documents reflected a design that was consistent with the legal requirement to permanently delete clinical data and documents,” it said.

Indeed, despite the cyber issues encountered, ANAO gave the system a tick overall.

“Implementation of My Health Record has been largely effective,” the report said.

[…]

Original Article