The private health sector also reported the highest number of data breaches, with 40 per cent in 2018 due to malicious or criminal attacks.
“Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third-party software vendors and healthcare provider organisations,” the report says.
The agency directly involved in managing My Health, the Australian Digital Health Agency (ADHA), needed better oversight of the system. The auditor recommended it set up the means to monitor compliance by third parties using My Health.
Not all healthcare providers achieved the minimum of cyber security levels, the report said.
The digital health agency also did not properly check if third-party software providers to healthcare agencies complied with the government’s cyber-security framework.
Outside of cyber security, the auditor-general recommended the ADHA should be setting time frames and benchmarks for My Health.
The agency agreed with all of the audit recommendations.