An assessment of My Health Record security governance at 22 healthcare organisations has reported areas of good privacy practice and identified areas for improvement.
The Australian Digital Health Agency operates the My Health Record system, and the Office of the Australian Information Commissioner (OAIC) oversees the privacy aspects of the system.
The OAIC reported areas of good privacy practice: most organisations had My Health Record security policies, suitable access controls and training in place. It reported broad compliance with processes for suspending or deactivating user accounts, and for identifying and responding to My Health Record-related security and privacy risks. The OAIC also found that most of the assessed organisations provided appropriate levels of initial and refresher training to their staff.
The OAIC also identified areas for improvement. It concluded that some providers did not have a written access security policy in place, had not implemented sufficient processes to deactivate accounts, had not provided appropriate initial or refresher training, or had not required passwords strong enough for the sensitivity of the health information being accessed.
The Agency encourages healthcare organisations to consider the OAIC guidance, which sets out better practice on how healthcare organisations can comply with their security and access obligations.
The Agency also publishes guidance to assist healthcare organisations in complying with their obligations, including guidance on security and account management, and training modules on cyber and security awareness for healthcare organisations. Healthcare providers can contact the Agency at education@digitalhealth.gov.au if they would like assistance in meeting their obligations and implementing security and access controls.