Security is a key design element of the My Health Record system, which adheres to Australian Government security requirements.
My Health Record system security
The My Health Record system is managed in line with the Australian Government Protective Security Policy Framework. My Health Record data is stored in Australia, and is protected by high grade security protocols to detect and mitigate against external threats. The system is tested frequently to ensure these mechanisms are robust and working as designed.
Design features include many safeguards to protect the information stored within the system, including audit trails, technology and data management controls, as well as appropriate security measures to minimise the likelihood of unauthorised access to information in a patient’s record. In addition to these measures, the My Health Record system is protected by legislation which governs the way the system is accessed, managed and used.
Additional protection is offered by legislation that governs the way the data is managed by the Agency and healthcare providers accessing the data it holds. Applicable legislation includes:
- My Health Records Act 2012,
- My Health Records Rule 2016
- My Health Records Regulation 2012
- Healthcare Identifiers Act 2010 (HI Act).
In addition, most healthcare providers have obligations to protect personal and health information under the Australian Privacy Act 1988.
Information security advice for your business
Your business is responsible for ensuring that the systems you use to access the My Health Record system are secure. To assist you, the Agency and Stay Smart Online have developed the Information Security Guide for small healthcare businesses. This offers five simple steps to protect health, personal and financial information when using computers and other internet connected devices.
A range of additional information security guidance materials for healthcare organisations are also produced by the Digital Health Cyber Security Centre.
The Australian Government strongly encourages individuals, business and organisations to take steps to ensure they provide safe and secure digital health services. The Stay Smart Online website offers a lot of useful advice and tips about online security.
Audit logs
All access and use of the My Health Record system is captured in an audit trail. Activity relating to an individual healthcare consumer’s My Health Record is listed in their access history record, which can be viewed by the individual, their representatives or authorised healthcare providers at any time.
The audit log displays:
- The name of the healthcare organisation that accessed the record;
- When it was accessed;
- The nature of the access, such as viewing a document or uploading a shared health summary; and
- The role of the person who accessed the record, such as General Practitioner (if available).
My Health Record consumer security settings
Healthcare consumers link their My Health Record to their myGov account. Accessing their record requires a password, and either an answer to a secret question or an access code. There are additional access controls that the consumer may set to limit access to the entire record, or specific documents within their record.