Victoria’s public health system is “highly vulnerable” to the kind of cyber security incidents that had a devastating impact on the UK’s NHS in 2017, according to the state’s auditor-general.
Scrutiny by Victoria's auditor-general revealed weaknesses in physical security as well as password management and user access controls across a number of the state’s health services.
“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located,” states the report, which was released today.
Those weaknesses were exploited during penetration testing at all four of the health services examined for the audit: Barwon Health (BH), the Royal Children’s Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH).
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff,” the report said.
While the Digital Health branch within the Department of Health and Human Services (DHHS) has helped develop common security standards and is acting as a central point of support for health services, those standards have not been fully implemented by health services.
Shared services organisation Health Technology Solutions (HTS) has “not fully implemented Digital Health’s cybersecurity controls itself, and shares many of the same security weaknesses as health services,” the report states.
At all agencies scrutinised as part of the audit there were user accounts with weak passwords, with multi-factor authentication rarely implemented, even for ICT staff and admin accounts.
One health service had optional swipe cards acting as MFA for accessing patient databases. However another service indicated that “MFA for clinical staff would be too onerous and could potentially endanger patients if a clinician did not have their swipe card or access token with them.”
In some cases, devices — including servers — still had default account names and passwords. In one case, auditors were able to access patient data using default credentials on a third-party system.
In three agencies, the audit found devices that hadn’t been patched or didn’t have antivirus protection, and had unsecured network ports. Earlier this year a Melbourne cardiology provider suffered a major ransomware outbreak, the audit report noted. Similarly, in 2017 the UK’s NHS was left grappling with a massive WannaCry outbreak that cost the health service around £92 million. WannaCry successfully exploited systems that hadn't applied available patches or were running versions of Windows that were no longer supported by Microsoft.
“All health services have documented antivirus and patch management in their ICT policies and procedures,” the report states. “This highlights the need for health services to regularly test their controls to ensure their policies and procedures are effective.”
None of the four health services had dedicated data security training for their tech teams.
DHHS backed the 14 recommendations made by the auditor-general and indicated it would work with health services to implement them.
In 2017 the Victorian government said it would spend $11.9 million on increasing cyber security for 29 Victorian Health Services networks.