Victoria’s health services are highly vulnerable to cyber attacks that could steal or alter patient data, according to a report that compares the risk to the catastrophic attack that crippled hospital computers across the UK last year.
The Victorian Auditor-General says in the report, released last month, that while the Department of Health and Human Services (DHHS) has developed effective data security controls, these have not been implemented by health services.
“Victoria’s public health system is highly vulnerable to the kind of cyberattacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne-based cardiology provider,” the report says.
The audit focused on Barwon Health, the Royal Children’s Hospital and the Royal Victorian Eye and Ear Hospital.
It found all of the services were vulnerable to attacks that could steal or alter patient data.
While the DHHS Digital Health branch had developed a clear road map to improve security across the sector, “health services have not fully implemented the security measures necessary to protect patient data,” it concluded.
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”
Increasing use of ICT to store patient data
The report says Victorian health services are increasingly using ICT to capture and store patient data.
While this can improve patient care, a cybersecurity breach could have “severe consequences” including stolen patient information and disabled hospital systems.
The auditor said testing had identified “key weaknesses in health services’ approach to data security”, particularly in relation to staff awareness and network monitoring.
These included limited monitoring for suspicious behaviour on the network, inadequate user access controls and weak passwords.
Staff were also not trained on basic security practices such as locking their computers.
But the health services said there were barriers to implementing DHHS safety measures, including lack of trained staff and resources for ICT infrastructure upgrades.
Concern about third party vendors
The government’s key digital health provider, Health Technology Solutions, which hosts the clinical and patient administration applications that are used by 52 of Victoria’s 85 health services, had also failed to make any progress in implementing the controls since their introduction in 2017.
“Despite being part of DHHS, HTS has not fully implemented Digital Health’s cybersecurity controls and has similar security weaknesses to Victorian health services,” the report says.
“Given the volume of patient data stored on HTS’s systems, it is vital that HTS improves its security practices.”
It also notes that HTS and the audited services outsource key parts of their ICT operations to third-party vendors, and that better monitoring of those vendors is needed.
“HTS has established processes to monitor vendor performance, however, it needs to ensure that its main third-party vendor complies with required security controls.
“The three audited health services are not fully aware of whether their service providers have the necessary security controls. Due to the sector’s reliance on third-party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe.”
The report made eight recommendations for DHHS and nine for health services. All had accepted the recommendations, the report said.