Victoria’s Public Health System “Highly Vulnerable”: Report
Victoria’s public health system is “highly vulnerable” to a Singapore-like data breach, according to a recent report.
As per an auditor general report released recently, the public health system in Victoria is vulnerable to an attack like the one that Singapore had experienced last year. The Singapore data breach had led to the exfiltration of almost 1.5 million patient health records.
The report by the auditor general reads, “Victoria’s public health system is highly vulnerable to the kind of cyberattacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne‐based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.”
The report further explains that there are key weaknesses in the “physical security” and “logical security” of the health services. This includes critical aspects like password management and other user access controls. Low data security awareness among the staff, which increases the success of social engineering attacks (like phishing or tailgating into corporate areas where ICT infrastructure and servers may be located), is also highlighted in the report.
The audit covered four agencies: three health services, namely Barwon Health (BH), the Royal Children’s Hospital (RCH) and the Royal Victorian Eye and Ear Hospital (RVEEH), plus two different areas of the DHHS (Department of Health and Human Services). The auditor-general’s team managed to exploit security vulnerabilities and access patient data in all four agencies.
The report notes, “The audited health services are not proactive enough, and do not take a whole‐of‐hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”
It was also noted that the health services relied on external service providers, but at the same time they were not fully aware of the security controls implemented on the platforms these providers were using.
“The three audited health services are not fully aware of whether their service providers have the necessary security controls. Due to the sector’s reliance on third‐party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe,” says the report.
Victoria’s public health services, which manage their ICT systems independently, are supported on cybersecurity by DHHS’s Digital Health branch, which develops guidance materials, runs awareness and training sessions and funds ICT infrastructure upgrades. A set of 72 baseline cybersecurity controls, which health services need to implement by 2020-21, has also been developed. But to date none of the public health services in Victoria has fully implemented these 72 controls, and they cite different reasons for this.
The audit report explains, “While Digital Health has set a clear roadmap for health services to follow, to date no health service has fully implemented the 72 controls. The audited health services advise that barriers to implementing the controls include a lack of dedicated cybersecurity staff and insufficient resources for ICT projects.”
“While it may be challenging for health services to balance ICT security against clinical projects, implementing all the controls will provide health services with strong baseline protection against cybersecurity risks. Recent, local examples of cyberattacks in health services demonstrate the need for this work to occur,” the report points out.
The absence of any penalty for non-compliance is perhaps another reason for the slow implementation of the controls.
The audit report also brought to light issues with access control management. It found unused accounts, as well as accounts of terminated employees, that were still enabled, and a lack of regular user access reviews. The health services did not keep the user access forms needed to verify that a user’s access had been authorised. The audit also revealed that many passwords, even on administrator accounts, were easily cracked; some were still the system defaults. It was also found that the health services rarely used multi‐factor authentication, even for ICT staff and administrator accounts.
The report from the Auditor-General’s office also includes a detailed list of recommendations to be followed.
Julia Sowells
Julia Sowells is a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.