The Australian Digital Health Agency is enforcing new security requirements for software providers whose products connect to the My Health Record system.

From April 2023, the agency will require clinical information systems, including those used in GP clinics, pharmacies, and allied health services, to enact the new mandatory security requirements conformance profile.

"All clinical information systems that use one or more My Health Record B2B web services will need to conform to the new profile," the ADHA said.

Currently in draft, the security conformance profile is said to contain an "evidence-based suite of security requirements that harden clinical information systems from cyber security attacks, uplift information security, and provide better protection for consumer information." 

The security controls, which will be implemented across five tranches within two years, are aligned with the best-practice standards recommended by the Australian Cyber Security Centre's strategies for mitigating cybersecurity incidents dubbed the "Essential Eight."

Clinical software vendors with products connected to My Health Record will be required to submit "extensive" evidence to demonstrate conformance to each requirement and participate in an observation session conducted by a specialist team from the ADHA. They will be provided with support to ensure their systems pass conformance.

The health software industry can still raise questions and comments regarding the new security conformance profile and the proposed phased implementation schedule to the ADHA over the next three months.

WHY IT MATTERS

The ADHA has come up with these new security requirements knowing the "inherent cyber security risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services under its care."

The agency noted several benefits from implementing the Essential Eight-conforming security requirements:

• reduce the likelihood of cyber attacks by disabling redundant technologies; 

• strengthen system authentication and application timeouts; 

• use contemporary encryption methods; 

• perform third-party security testing (penetration testing and vulnerability testing); 

• reduce the risk of security vulnerabilities by keeping software up to date (patching); and

• securely back up personal and clinical information.

"The focus is on incorporating functionality within CISs connected to the My Health Record system that will enable healthcare providers to implement better security within their organisations, while also balancing the potential impacts on software providers and on system participation," it stressed.

THE LARGER TREND

The healthcare industry reported the most data breaches in the first half of 2022 with 79 cases, based on the Notifiable Data Breaches report by the Australian Information Commissioner. 

In October, one of Australia's largest health insurers, Medibank, became the subject of full-scale data hacking, which affected up to 9.7 million customers. 

ON THE RECORD

"Protecting sensitive information is essential in the provision of healthcare services and is a fundamental capability that is required to enable connected healthcare systems and safe, seamless, secure, and confidential information sharing across all healthcare providers. The Agency has and will continue to work with CIS vendors to provide support and guidance to further secure and protect their software for the benefit of patient privacy, national infrastructure, and their own businesses," Dr Holger Kaufmann, ADHA acting chief digital officer, said in a statement.