Description

Without clear and measurable expectations placed on pharmacies, Medmate will likely struggle to manage the relationship and performance with pharmacies as more are onboarded to the platform, leading to poor customer experience and potentially misuse of the platform.

Description

3rd parties like Unmand and Active Campaign are used in automation that tangentially involve Private Health Information (PHI); managing how those 3rd parties manage their risk when it comes to this data is a complicated endeavour. Medmate's 3rd Party Risk Management program (see RSK23) isn't comprehensive, and so it's unlikely that this is being conducted in a manner that appropriately reduces risk.

Description

While a fairly detailed Information Security Management Policy does exist, and in view does likely influence decision making and risk treatment, the consistent and comprehensive application of this is lacking. At the very least, there is a lack of supporting documented information to assert that this happens; with the inherently risky nature of the data that Medmate collects, well-executed ISM is vital.

Description

With access to the Medmate OMS seen as a mission critical component of the relationship between Medmate and pharmacies, there's a trade-off between security and ease-of-access. With some pharmacies encouraged to undertake poor information security practices to ensure availability (for example, writing down login details), risk arises in the ability for a bad actor (e.g. terminated pharmacy employee) to gain access to OMS and exfiltrate data or push orders to a dispense system. Furthermore, the ability to audit actions taken in the system is compromised, as no longer can one guarantee the specific person using an account.

Description

Alongside RSK16, Medmate doesn't maintain a formal method to assess how new programs, initiatives and project may impact their risk exposure and that of their 3rd party partners like Healthylife. In doing so, Medmate may pursue a commercially attractive opportunity without recognising the risks involved, and by extension Healthylife may be exposed to those same risks.

Description

Similar to RSK18, despite conducting a 3rd party review as part of the Tech Risk Review run by Woolworths, ongoing use of 3rd parties is likely not something that Healthylife would have clear visibility over. Any change in 3rd parties processing data involves additional risk--both during the changeover period, and during the operational phase. Without visibility into these changes (e.g. via regular risk reviews, or contractual mechanisms), Healthylife will struggle to understand the ongoing risk exposure from it's relationship with Medmate.

Description

Doctors use their own computers when working for Medmate. Whilst they are logging into a remote secure server where Medical Director is hosted, there is still the possibility for compromise of this device. Medmate has advised they're in the process of deploying mobile device management and antivirus software to treat this risk. This is subject to the ongoing Woolworths-run technology risk review, so we won't comment further. However we will note that some residual risk will always exist under this BYOD model.

Description

While Medmate has a documented 3rd Party Risk Management Program that is reasonably comprehensive, our view is that it doesn't form a major part of their actual, day-to-day approach to risk; the document exists, but isn't used. We formed on the basis of being unable to sight any supporting artifacts that would support the implementation of the program. For example processes, procedures, registers etc. At the very least, Medmate's usage of the documented Program is an informal affair, and they'll therefore struggle to demonstrate it's use as has happened here.

Description

Medmate is moving doctors moving towards a new remuneration model where they're paid per type of appointment, instead of hourly. This is effectively industry standard; most GPs are remunerated in this manner. This does bring about a monetary incentive to complete appointments as fast as possible. While other controls still aim to maintain clinical standards, the speed at which a doctor completes an appointment is not directly treated by a control. Again, while this is industry standard, Medmate could further treat risk arising from this by introducing measures such as a mandated minimum, or at least monitoring of average and unusually quick appointment times. Alternatively, this risk could be accepted as it’s “not worse off” than the rest of the industry. Further, Medmate doesn’t bill to Medicare, so there is arguably less risk surface area here as well.

Description

The nature of the business that Medmate undertakes means they have limited or no access to a patient's prior medical history, notwithstanding anything available in MyHealthRecord. Therefore the doctor's decision to prescribe drugs is on the basis of the virtual consultation only--not a full medical history. Arguably, this is no different to an in-person clinic but with the ability to more easily accces one or many Medmate doctors, the surface area for potential misconduct is increased albeit managed through controls including not prescribing drugs of dependence. While doctors are independent contractors making independent decisions, Medmate by association wears some of the reputational risk should a doctor make a bad decision based on little medical history.

Description

In collecting, managing or storing PHI, there is inherent residual risk that remains regardless of any and all controls applied to treat the risk. As Medmate collects substantial quantities of PHI in the course of doing business, the same is true here.

Description

In collecting, managing or storing PII, there is inherent residual risk that remains regardless of any and all controls applied to treat the risk. As Medmate collects substantial quantities of PII in the course of doing business, the same is true here.

Description

While not in scope for our review, we note multiple offshore employees listing Medmate as their employees with role descriptions similar to "Medical Receptionist"; review of this isn't technically in scope, but we understand this to relate to staff assigning appointments to doctors in Pracsoft, with limited/no PHI data access. While one can treat the risk of offshoring, it's still inherently higher risk than the same activities completed onshore, owing to protections afforded by things like the Privacy Act and Privacy Principles. Further, facilitating offshore staff complicates the implementation of a sound Information Security Management approach as you're introducing both a) more remote workers and remote devices and b) allowing access to systems from outside Australia (noting that this is not an absolute nor particularly reliable protection in of itself).

Description

With a primary focus on onboarding pharmacy networks, there is a lack of documentation to support any current or future independent pharmacies. In doing so, risk management that is offloaded to the Network partner under that model is not adequately treated in a documented manner. For example, independent pharmacies may not be solvent, or may have had issues in the past that Medmate should review and manage.

Description

Weak process version control poses a risk due to the potential for unauthorised or outdated versions of documents to be utilised. This increases the likelihood of errors, delays, and missed checkpoints when executing a process whilst referencing an outdated version.

Description

In connection with RSK03, the assessment of risk involved in onboarding a pharmacy is an informal affair; some of this vetting is effectively offloaded to the Sigma network for relevant pharmacies. While likely legally protected from any misdeeds of a misbehaving pharmacy, Medmate and it's close partners could be exposed to reputational risk should this arise. Further, with decision making reliant on key personnel, the assessment process is inherently subjective. By developed a defined and objective method to assess the suitability of a pharmacy to join Medmate, the level of residual risk (arising from uncovered ground in that assessment) is clearly documented and communicable to 3rd parties like Healthylife.

Description

Doctors go through various phases in their lifecycle on the Medmate platform. Each phase brings about different risks in their ability to uphold Medmate's clinical and quality standards. There is no direct acknowledgement of the alignment between these lifecycle phases and the risk treatments applied to a doctor, for example shadowing all new doctors for their first 30 consults, shadowing doctors returning from leave for their first 10, etc.

Description

While controls are in place to mitigate risks arising from prescribing drugs of dependence, there is no scheme in place to manage patients using the platform in an anomalistic manner. Recall that Medmate primarily exists as a transient part of a patient's healthcare--not as a primary measure. Over-usage of the platform could serve as a useful marker of harm or misuse of the platform. Implementation of a measure to compare each patients usage with the average usage, alongside a measure to monitor the top X patients, would serve to a) protect each individual patient from potential harm, and b) allow Medmate to identify potential misuse of the platform earlier than ad-hoc methods would permit.

Description

Medmate has a structured but undocumented manner to manage it's business and the risks that arise. While reasonably comprehensive, international best standards like ISO9001 would formalise Medmate's approach to delivering a quality product to interested parties like Healthylife. Furthermore, with an ISO9001 accreditation, Healthylife can be assured of it's implement by an independent, 3rd party auditor.

Description

Alongside RSK17, Healthylife likely has very little ability to mandate how Medmate controls its approach to risk management. Medmate would be able to pursue a program beyond the risk appetite of Healthylife with little to no recourse available to Healthylife short of potential early termination of the agreement.

Description

With doctors potentially working multiple jobs whilst being expected to uphold certain (not yet quantified) quality and performance criteria, poor management of their fatigue levels increases the risk of poor outcomes. There are active coronial enquiries and class actions in NSW relating to fatigue management amongst Registrars.

Description

Executing the process to onboard a pharmacy is complex and involves many actors and systems. Without a clearly defined procedure that steps through this setup, the ability to reliably execute the defined process is compromised.

Description

The absence of a clear linkage between policy, process, and procedure results in ambiguity regarding the rationale behind process. This uncertainty undermines the documented information, as stakeholders may struggle to understand the purpose and significance of why specific processes existing, potentially leading to subversion of the process in favour of an easier but less comprehensive route.

Description

The Medical Board implemented changes effective September 2023 effectively banning the use of asynchronous prescribing (prescribing where the doctor doesn't have a "live" consultation over a phone or video call, instead relying on text-based questionnaires). While Medmate has adapted to these changes, one must consider the sweeping authority of the Board to undertake future rule changes that may impact the viability of Medmate's ability to provide services to Healthylife. However, it's likely this would apply to all telehealth providers, not just Medmate.

Description

Pharmacies in the Sigma network make up a substantial proportion of the pharmacies live on the Medmate network, and therefore are a crucial component to Medmate's ability to deliver it's script-filling services. With a potential takeover of Sigma by Chemist Warehouse, there is risk that these pharmacies will be taken off the Medmate platform e.g. in favour of Chemist Warehouse's own technology stack. It must be noted that Medmate still holds contracts with these pharmacies for the provision of their services, and most for 12 months. Additionally, the ACCC is currently considering the deal so there has been no formal indication of it proceeding.

Description

Similar to RSK11, without a complete medical history, it's difficult to guarantee scripts issued through the Script Renewal pathways are indeed renewals at all. In doing so, there is potential for misuse of the platform wherein a patient insists that a drug is a renewal when indeed it is not.

Description

While a monthly manual check can be an appropriate mechanism for a small quantity of doctors, as Medmate scales, this will become less effective owing to the time taken, human error, and the overall scale of the operation increasing risk exposure. Further, conducting this monthly means there is potential for a condition to be unnoticed for up to a month. We must consider that a doctor practicing without AHPRA's approval is subject to significant penalty, so this serves as a built-in control. Medmate has advised they are in the process of integrating with the AHPRA Practitioner Information Exchange which would enable real-time checks of each doctor's status, and will treat this risk to effectively zero residual risk.

Description

While the steps for this process are well defined, the roles within Sigma and Medmate that execute each step are not; by defining the specific role within each organisation that completes the process steps, Medmate treats risk arising from ambiguity on who is responsible for executing each step.

Description

ADHA has developed and is mandating all Electronic Prescribing software products be conformant under v3.0.1 by September 30 2024. Medmate is currently conformant to the v2.2.1 standard, and has advised that they're on track to meet the v3.0.1 standard by August 30 2024 - well ahead of the deadline.