Published on May 30th, 2019
Victorian patient health data ‘highly vulnerable’ to attack, Auditor-General’s hack finds
- Staff at three major Melbourne hospitals have low awareness of data security, an investigation found
- The Auditor-General found Victoria was highly vulnerable to a hack attack, leaving patient data at risk
- Another report tabled this week pointed to a "weak security culture" posing a significant risk to security in government buildings
Auditors used "basic hacking tools" to access sensitive patient data at Barwon Health, the Royal Children's Hospital and the Royal Victorian Eye and Ear Hospital to demonstrate "the significant and present risk to the security of patient data and hospital services".
The hackers also examined how two parts of the Department of Health and Human Services (DHHS), the Digital Health Branch and Health Technology Solutions, were supporting health services.
"There are key weaknesses in health services' physical security and in their logical security, which covers password management and other user access controls," a Victorian Auditor-General's Office (VAGO) report said.
The report said "staff awareness of data security is low", which increased the effectiveness of techniques such as phishing — using disguised emails to trick people into providing sensitive information — or tailgating into physical areas where information technology could be stored.
Cybersecurity experts have warned healthcare data is a growing target for hackers.
In February, it was revealed a ransomware attack had targeted a Melbourne cardiology practice.
In 2017, the 'WannaCry' ransomware attack caused chaos around the world — including for the UK's National Health System.
VAGO said Victoria's public health system was "highly vulnerable" to attacks of this kind, which result in stolen or unusable patient data and disrupted hospital services.
"The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff," the report said.
VAGO identified multiple examples where staff had weak passwords or were still using default usernames on key devices and servers.
Millions spent on cybersecurity
The Auditor-General made five recommendations for DHHS and nine recommendations for all Victorian health services, including mandatory data security training and the implementation of cybersecurity controls.
DHHS and the hospitals have accepted the recommendations and the department has provided an action plan for hospitals and health services.
A spokesperson for DHHS said "safeguarding patient and clinical data is a top priority for the Government".
Health Minister Jenny Mikakos said the Government was "serious about safeguarding hospital data", and pointed to $33 million allocated to strengthening cybersecurity capability and an additional $13 million for digital infrastructure in this week's budget.
"This was a very co-operative exercise. The Auditor-General was invited into my department and into our hospitals to test our IT systems … so the weaknesses that have been identified are being addressed."
The Opposition seized on the report.
"The Auditor-General was able to hack in and expose the issues around cybersecurity, around patient details, the information that hospitals keep. This is very concerning for patients right across Victoria if cybersecurity issues are not addressed," Opposition health spokeswoman Georgie Crozier said.
Ms Mikakos said there had been no breaches of patient data to date in Victoria.
'Weak security culture'
A separate VAGO report, also tabled this week, exposed severe deficiencies in security at Victorian Government buildings.
The audit looked at the Department of Treasury and Finance, DHHS and the Department of Justice and Community Safety.
It found security infrastructure was adequate, but there was a "weak security culture" and a credible threat to the physical safety of staff who dealt directly with clients.
"This weak security culture among government staff is a significant and present risk that must be urgently addressed," VAGO reported.
It recommended the agencies promote stronger security culture by improving training and incident reporting and by enforcing "clean desk and clear screen policies".