Audit rules Victoria’s public health system as ‘highly vulnerable’ to cyber attacks
The Victorian Auditor-General’s Office (VAGO) has labelled the state’s public health system as highly vulnerable to cyber attacks, with a report flagging that security weaknesses within the Department of Health and Human Services’ (DHHS) own technology arm are increasing the likelihood of a breach in 61% of the state’s health services.
In Security of Patients’ Hospital Data [PDF], VAGO said the state’s public health system is in a similar position to its international peers in both the United Kingdom and in Singapore when they were respectively breached in 2017 and 2018.
“There are key weaknesses in health services’ physical security, and in their logical security, which covers password management and other user access controls,” VAGO wrote. “Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.”
In its audit, VAGO probed three health providers — Barwon Health, the Royal Children’s Hospital, and the Royal Victorian Eye and Ear Hospital — and examined how two different areas of the DHHS — the Digital Health branch and Health Technology Solution (HTS) — provide health services in the state.
VAGO said it exploited weaknesses in all four audited entities and accessed patient data to demonstrate the significant risks to which patient data and hospital services are currently exposed.
“The audited health services are not proactive enough, and do not take a whole‐of‐hospital approach to security that recognises that protecting patient data is not just a task for their IT staff,” the report says.
While VAGO said DHHS’ Digital Health branch has filled an important gap by acting as the central point for advice and developing common cybersecurity standards — 72 baseline cybersecurity controls that were initially detailed in March 2017 — the security measures have not yet been fully implemented by the Digital Health branch.
No Victorian public health service has fully implemented all 72 controls.
Although part of the same department, HTS has also not fully implemented Digital Health’s cybersecurity controls, with the report saying it shares many of the same security weaknesses as health services.
“This is a risk to the sector because HTS hosts the clinical and patient administration applications that are used by 52 of the 85 Victorian health services (61%),” the report said.
The audited agencies have implemented 57% of the foundational controls and told VAGO key barriers to implementing the controls are a lack of dedicated funding for cybersecurity projects and limited staff availability.
VAGO said health services are still accountable for the security of the information they possess, despite any outsourcing arrangements that may be in place. It said the three audited health services are not fully aware of whether their service providers have the necessary security controls.
“HTS has established processes to monitor vendor performance; however, it needs to ensure that its main vendor complies with required security controls within an agreed timeframe,” VAGO wrote.
“Due to the sector’s reliance on third‐party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe.”
In probing the health services, VAGO said it was able to access accounts, including admin ones, using “basic hacking tools”. The accounts had weak passwords and no MFA.
In one audited health service, VAGO was able to access patient data in the hospital because the third‐party system had a default account name and password.
“All the audited health services need to do more to protect patient data,” the report said, flagging key weaknesses in data security practices such as inadequate user access controls, weak passwords, and poor system and network monitoring.
“We also found that health services do not have appropriate governance and policy frameworks to support data security.”
In making a total of 14 recommendations, VAGO asked that all Victorian health services expedite the implementation of Digital Health’s 72 cybersecurity controls, deliver mandatory training in data security to all staff, align password policies with Australian Signals Directorate guidelines, and conduct annual user access reviews to ensure that only relevant staff have access to digital patient data.
It has also asked DHHS to strengthen cooperation between Digital Health and HTS to ensure that both business units provide better practice support to the sector.