The Australian Digital Health Agency (the Agency) is strengthening My Health Record protections through a new mandatory conformance profile for clinical information systems (including those used in GP clinics, pharmacies and allied health services) connected to the My Health Record system.
The security requirements profile will be effective from April 2023 following a 3-month period where industry is invited to provide feedback on the profile. Software vendors with clinical software products will be supported to implement changes in their products in a phased approach, to balance the need to strengthen security for all systems connected to My Health Record with the capability of software vendors to make necessary adjustments in a timely manner. The conformance profile was co-developed with stakeholders including regulators, software vendors and security experts.
The Agency is supporting industry with their preparation by providing visibility of the conformance profile in advance of the official implementation period. Questions and comments on the new conformance profile and the proposed phased implementation schedule from across the software industry can be sent to the Agency until April 2023.
The new security requirements profile contains an evidence-based list of security requirements that harden clinical information systems against cyber security attacks, uplift information security and provide better protection for consumer information. Each vendor with software products connected to My Health Record will be required to submit an extensive file of evidence to demonstrate conformance to each requirement, as well as to participate in an observation session conducted by the Agency's specialist team.
Australian Digital Health Agency Acting Chief Digital Officer, Dr. Holger Kaufmann said, "Protecting sensitive information is essential in the provision of healthcare services and is a fundamental capability that is required to enable connected healthcare systems and safe, seamless, secure, and confidential information sharing across all healthcare providers."
"The Agency has and will continue to work with clinical information system vendors to provide support and guidance to further secure and protect their software for the benefit of patient privacy, national infrastructure, and their own businesses," he said.
The new requirements align with the best-practice standards recommended by the Australian Cyber Security Centre (ACSC), detailed in the ACSC's Strategies to Mitigate Cyber Security Incidents and known as the Essential Eight, which help protect systems against a range of online and cyber security threats.