Systems connected to the government’s My Health Record must meet higher security standards consistent with the Essential Eight over the next two years.
The Australian Digital Health Agency (ADHA) said in a statement late Tuesday that it would introduce a new, mandatory security requirements “compliance profile” for clinical software vendors.
“All clinical information systems using one or more My Health Record B2B web services must comply with the new security profile,” the agency said in the accompanying release notes.
“The Agency is aware of the inherent cybersecurity risks posed by systems connected to and accessing the My Health Record system, as well as potentially vulnerable aspects of the national infrastructure and all services it oversees.
“To address this risk, a set of security requirements for systems connected to the My Health Record system have been identified, including controls related to application development and web development, aligning the controls with the Australian Cyber Security Centre’s (ACSC) Essential Eight maturity model.
“These controls were selected as the areas of the ACSC Information Security Manual (ISM) most relevant to the development of software for healthcare organizations.”
The compliance profile is currently in draft and awaiting industry feedback. All details are behind a login that only industry participants can access.
Although “effective from April 2023,” implementation will be phased over five tranches and two years, with most clinical software vendors having 18 to 24 months to complete the required revisions and upgrades on their part.
Tranche 1 providers — those who make acute care systems that cover hospitals, emergencies and the like — have six to 12 months to make changes.
“Software vendors with clinical software products are supported to implement changes to their products in a phased approach to balance the need to increase security for all systems connected to My Health Record with the ability of software vendors to make necessary adjustments in a timely manner,” said ADHA.
“The new Security Requirements Profile provides an evidence-based list of security requirements that protect clinical information systems from cyberattacks, enhance information security, and better protect consumer information.
“Any vendor with software products connected to My Health Record must submit an extensive evidence file to demonstrate compliance with each requirement and attend an observation session conducted by the [ADHA] team of specialists.”
ADHA’s acting Chief Digital Officer, Dr. Holger Kaufmann, said in a statement that “protecting sensitive information is essential in the delivery of health services”.
“[It] is a fundamental capability required to enable connected healthcare systems and enable the safe, seamless, secure and confidential exchange of information between all healthcare providers,” said Kaufmann.
https://www.itnews.com.au/news/adha-drafts-new-security-standards-for-my-health-record-interconnection-589327