The Australian Digital Health Agency (ADHA) did not manage shared cyber security risks concerning third-party software vendors and healthcare provider organisations appropriately during the My Health Record implementation and needs to make improvements, an Australian National Audit Office (ANAO) audit has found.
And while the audit found that ADHA’s management of privacy risks was largely appropriate during the period, the ANAO has recommended that ADHA undertake another privacy risk assessment of the operation of the system.
Overall, the audit found that the implementation of My Health Record was largely effective, with appropriate implementation planning, governance and communication.