Page 926 - Week 03 - Thursday, 30 March 2023

Next page . . . . Previous page . . . . Speeches . . . . Contents . . . . Debates(HTML) . . . . PDF . . . . Video


We need to get this right, and that is what I have spoken about with the ACT public health services. Our data teams need to be given the space to do the work and obtain quality, trustworthy information.

In relation to personal health information, moving to the Digital Health Record has been a step-change for the security of health records and the way teams respond when they are advised of any privacy breach. When a privacy breach is identified, it is investigated with the highest priority and multiple teams are involved in a detailed investigation with the relevant health service. The investigation includes understanding the source of the problem, immediate rectification and proactively looking into any other patients who could have been impacted.

The move to the Digital Health Record means health records are even more secure. The ACT Health Directorate conducts independent cybersecurity reviews and independent ethical penetration tests to ensure that information is safe from external parties. This is part of the Health Directorate’s comprehensive system security plan that identifies Digital Health Record risks and treatments.

Currently, the Health Directorate meets Australian Signals Directorate Essential Eight maturity level 1 and is targeting towards a maturity level 2. I am assured that the Essential Eight is the standard for cybersecurity and it means we have put in, and continue to put in, the right security measures for the private health information of ACT residents. The Health Directorate also runs daily and weekly vulnerability scans for the internet-facing applications, and privileged access management controls have been implemented to monitor third-party external access to the system. As part of ensuring that users understand their obligations, the ACT government has also developed new cybersecurity training for all staff and executive.

The Health Directorate has further implemented controls to restrict the filtration of data out of the MyDHR environment. For staff, access is via named user accounts only and shared accounts or generic profiles that are not directly linkable to a staff member do not have access to the system.

The Digital Health Record further identifies any misuse of information through: extensive role-based access controls across the Digital Health Record to control users’ access to data, as well as capabilities to ensure that only the information relevant to the health worker is accessible; data export capabilities being tied into the role-based model to control and restrict reporting capabilities; undertaking system audits regarding access to patient records; and design of the system to proactively limit the potential for misuse.

Overall, the Digital Health Record compares better to previous systems by having these user-specific access controls, the increased ability to audit a single system or individual actions and a modern system that is built on current operating systems.

I know recent events have been particularly distressing for many in the community, and particularly those who need to access mental health treatment and care. I would like to reassure the community that specific work was completed to ensure sensitive information had additional protections in the Digital Health Record to ensure that this information remained protected.


Next page . . . . Previous page . . . . Speeches . . . . Contents . . . . Debates(HTML) . . . . PDF . . . . Video