MHR needs better cybersecurity, or GPs will be blamed



The AMA is urging the government to beef up cybersecurity standards for the My Health Record, but also to lower the administrative burden on its users.


The AMA has warned the Department of Health, Disability and Aged Care that sensitive health data is a prime target for malicious actors, and that patients will likely perceive a breach of the My Health Record as the fault of their specific doctor. 

The DoHDA’s digital health branch is currently reviewing the MHR legislative instruments, four of which are due to sunset in April 2026. 

Legislative instruments, in this context, are essentially the sets of rules which govern how providers and patients use MHR.  

This review is separate to the Modernising My Health Record – Sharing By Default Act which was passed earlier this year, and deals more with the types of providers who can access MHR and the obligations on software vendors to be compliant with the system.  

In a submission to the review, which was published on Friday, the AMA zeroed in on MHR’s cybersecurity settings.  

“The current provisions are insufficiently prescriptive and leave too much room for interpretation, particularly for small and medium-sized providers,” it said.  

“The AMA recommends the rules specify minimum technical and organisational standards, including requirements for encryption, access controls, incident response planning, and regular staff training.  

“There should also be clear guidance and support for providers to achieve compliance, recognising the diversity of the healthcare sector.”  

The AMA said these provisions should hold all participants – government, health providers and vendors – to “a high and consistent standard”, which it also said could only be achieved by embedding these requirements in law.  

“Given the majority of patients will gain their understanding of the MHR through interactions with their GP, any breach of patient data is likely to be perceived as the fault of both the government, and the doctor who uploaded the information to the MHR,” the submission said.  

The association also advocated ending the existing exemptions from participation requirements for smaller organisations.

“Exemptions for small operators may no longer be appropriate, as any weak link can compromise system security and trust,” it said.  

“The AMA recommends a review to ensure requirements are robust, enforceable, and adaptable to new risks and technologies, with regular audits and clear accountability.”  

At the same time, it also called for more support for smaller practices and providers to meet high cybersecurity standards. 

Despite calling for more stringent cybersecurity measures, the AMA also noted that clinicians frequently express frustration with the inefficiencies of the MHR, especially in relation to logging into separate portals and manually uploading documents.  

Improvements like auto-populated fields and streamlined authentication, it said, could meaningfully reduce clinician workload. 

Other suggested measures were to set out explicit, enforceable requirements and timelines for software vendors to implement interoperability features and explicit requirements for MHR to be integrated into clinical workflows for clinicians. 

Submissions for the review closed in early September.  
