The Australian Digital Health Agency (the Agency) is strengthening My Health Record protections through a new mandatory security requirements conformance profile (the profile) for clinical information systems (including those used in GP clinics, pharmacies and allied health services) connected to the My Health Record system.
The profile will take effect from April 2023, following a 3-month period in which industry is invited to provide feedback on it. Vendors of clinical software products will be supported in implementing the required changes through a phased approach, balancing the need to strengthen security for all systems connected to My Health Record against vendors' capacity to make the necessary adjustments promptly. The profile was co-developed with stakeholders including regulators, software vendors and security experts.
The Agency is supporting industry's preparation by providing visibility of the profile ahead of the official implementation period. Questions and comments from across the software industry on the new profile and the proposed phased implementation schedule can be sent to the Agency until April 2023.
The profile contains an evidence-based suite of security requirements that harden clinical information systems against cyber attacks, uplift information security and provide better protection for consumer information. Each vendor with software products connected to My Health Record will be required to submit extensive evidence demonstrating conformance to each requirement, and to participate in an observation session conducted by an Agency specialist team.
The Australian Digital Health Agency Acting Chief Digital Officer stated that protecting sensitive information is essential in the provision of healthcare services and is a fundamental capability that is required to enable connected healthcare systems and safe, seamless, secure, and confidential information sharing across all healthcare providers.
He noted that the Agency has worked, and will continue to work, with clinical information system vendors to provide support and guidance to further secure and protect their software, for the benefit of patient privacy, national infrastructure and their businesses.
Benefits of the new security requirements
The new requirements align with the ACSC's Strategies to Mitigate Cyber Security Incidents, including the Essential Eight, and ensure that developers of connected clinical information systems:
- reduce the likelihood of cyber attacks by disabling redundant technologies, shrinking the attack surface
- strengthen system authentication and application timeouts
- use contemporary encryption methods
- perform third-party security testing (penetration testing and vulnerability testing)
- reduce the risk of security vulnerabilities by keeping software up to date (patching)
- securely back up personal and clinical information.
About Essential Eight
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight.
The Essential Eight has been designed to protect Microsoft Windows-based internet-connected networks.
While the principles behind the Essential Eight may be applied to cloud services, enterprise mobility or other operating systems, it was not primarily designed for those environments, and alternative mitigation strategies may be more appropriate for their specific cyber threats. In such cases, organisations should consider the alternative guidance provided by the ACSC.