ADHA drafts new security standards for My Health Record interconnection

Systems that interconnect with the government’s My Health Record will need to meet elevated security standards that align with the Essential Eight over the next two years.

The Australian Digital Health Agency (ADHA) said in a statement late Tuesday that it would introduce a new - mandatory - security requirements “conformance profile” for clinical software vendors.

“All clinical information systems that use one or more My Health Record B2B web services will need to conform to the new security profile,” the agency said in accompanying release notes.

"The agency is cognisant of the inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care.

"To address this risk, a set of security requirements for systems connecting to the My Health Record system have been identified, comprising controls related to application development and web development, with controls aligned to the Australian Cyber Security Centre’s (ACSC) Essential Eight maturity model.

"These controls are selected as the areas of the ACSC Information Security Manual (ISM) that are most relevant to the development of software for healthcare organisations."

The conformance profile is currently in draft, pending industry feedback. Full details are behind a login, accessible to industry participants only.

Although it becomes “effective from April 2023”, implementation will be phased across five tranches and two years, with most clinical software vendors having 18-to-24 months to complete the necessary rework and upgrades on their end.

Tranche one vendors - those making systems used in acute care, which covers hospitals, emergency and the like - have six-to-12 months to make changes.

“Software vendors with clinical software products will be supported to implement changes in their products in a phased approach, to balance the need to strengthen security for all systems connected to My Health Record with the capability of software vendors to make necessary adjustments in a timely manner,” ADHA said.

“The new security requirements profile contains an evidence-based list of security requirements that harden clinical information systems from cyber security attacks, uplift information security and provide better protection for consumer information. 

“Each vendor with software products connected to My Health Record will be required to submit an extensive file of evidence to demonstrate conformance to each requirement, as well as participate in an observation session conducted by the [ADHA] specialist team.”

ADHA’s acting chief digital officer, Dr. Holger Kaufmann said in a statement that “protecting sensitive information is essential in the provision of healthcare services".

"[It] is a fundamental capability that is required to enable connected healthcare systems and safe, seamless, secure, and confidential information sharing across all healthcare providers," Kaufmann said.