An audit by the office of the Auditor-General found patient data stored in Victoria's public health system is highly vulnerable to cyber-attacks, and many health agencies have low risk awareness of the security flaws.
The audit exploited weaknesses in four audited agencies and accessed patient data to demonstrate the multitude of risks to the security of patient data and hospital services.
The report found deficiencies in how health services manage user access to digital records, including unused and terminated employee accounts still enabled, and failure to keep user access forms as proof that users have had their access approved.
The work also uncovered a lack of any formal, regular user access review to ensure only staff who need access have it—only one audited health service was found to provide mandatory cyber and data security training to all staff.
“Given that staff actions can undermine ICT and physical controls, it is vital that all staff—including clinical staff—can identify and manage the risks to patient data,” the audit reported.
The report stated that Victoria’s public health system is “highly vulnerable” to the kind of cyber attack that recently hit a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff,” the report concluded.
The Auditor-General Andrew Greaves examined Barwon Health (BH), the Royal Children’s Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH), and also examined how two areas of the Department of Health and Human Services (DHHS), the Digital Health branch and Health Technology Solutions (HTS), are supporting health services.
“This weak security culture among government staff is a significant and present risk that must be urgently addressed,” the report said. “At one site, we accessed discarded, sensitive information too easily.”
The audit also noted there is no statewide oversight or coordination of protective security or any leadership to provide strategic direction on physical security policies and guidelines.
Among the other issues uncovered by the audit were weaknesses in physical security, which would allow a malicious actor to bypass information and communications technology (ICT) controls and connect directly to hospital systems.
In two of the audited agencies auditors gained access to areas used to store critical ICT infrastructure, such as servers.
“While hospitals are public places, all the audited health services need to improve the physical security of sensitive areas,” the audit noted.
The report recommended that the DHHS continue to support the Digital Health cybersecurity program, and through Digital Health review and expand cybersecurity controls where appropriate, as well as develop and deliver specialist cybersecurity training for health sector staff.