The Department of Health and Ageing has refused to guarantee that its much vaunted e-health record system is risk-free after more than 140 risks were identified before it went live on July 1.

The Gillard government's personally controlled e-health record system, developed by Accenture, contained a staggering 142 risks of which 32 were rated extreme, 77 high and 33 medium.

The detailed risk assessment study, obtained by The Australian, was prepared by the National E-Health Transition Authority (Nehta) and submitted to the Health Department and other relevant parties about two months before the July go-live date.

The department did not directly respond when asked to confirm that all the risks were resolved by July 1.

However, a spokeswoman said: "By July 1 we had safeguards in place to avoid those risks we identified from occurring.

"For example, to safeguard against security breaches, we have put in place strong encryption and firewalls and implemented all of the recommendations from (Defence's) information security manual," she said.

One severe risk cited in the report was individuals being granted access to health information they were not entitled to if the PCEHR registration process did not adequately authenticate a user.

The five consequences of such access included a user's safety being compromised or, worse, inappropriate medical treatment being given to an individual.

The report did not spell out that this could lead to death, but it is well known that people can pay a high price when they receive wrong medical advice or treatment. Another adverse result could be that an individual's privacy would be compromised.

The report also said that under these circumstances the Health Department could be exposed to legal action and penalties if deemed to be negligent.

It warned that Health could "sustain considerable reputational damage" if security controls were compromised as a result of these risks.

The report suggested 13 actions to control or mitigate this situation, including developing and implementing processes that include a requirement for individuals to produce 100 points of identity to register for a PCEHR.

The Australian can confirm that this was not a requirement when people signed up in the first few days post-July 1.

When registering over the phone, consumers were asked only for their Medicare number, name, date of birth and address. It was not mandatory to physically produce any form of identification at Medicare or elsewhere.

Other actions floated include developing and implementing processes whereby "an individual's 'sensitivity' or 'criticality' or 'importance' is checked at registration and relevant authentication and authorisation mechanisms applied to each registration process".

The report said processes and controls for assessing end-point risks and applying relevant levels of access, audit and logging based on risk should also be in place.

In another example, the report said the department could suffer financial loss if individuals received incorrect medical treatment.

The department declined to comment when asked to guarantee that the system would not lead to people's safety being jeopardised or people getting the wrong medical treatment.

It also was silent on the possibility of getting sued if found to be negligent.

The spokeswoman said the risk report and other reports that "The Australian continues to refer to are for a period prior to the final go-live decision".

"As we've said before, the system released was safe and secure, as confirmed by the IT and cyber-security experts at the Defence, Finance and the Attorney-General's departments. The PCEHR system has high strength security features including extremely strong encryption and firewalls."

The Australian reported that Nehta had advised against pushing the PCEHR system live prior to launch due to the high number of bugs in the system.

The medical software industry has consistently requested a copy of these risk assessments, but has been denied access by Nehta. More than 13,600 consumers have registered to use the PCEHR system.

More than $1 billion has been spent on the national e-health infrastructure, including $777m from the federal government for specific PCEHR-related activities since July 2010. The system is being rolled out in phases, and the final completion date is unknown.

---

Author(s): Fran Foo

Source: Australian IT, 23.10.2012
