Victoria’s public health system is highly vulnerable to cyber attacks, the Victorian Auditor-General’s Office (VAGO) has found.
In a new audit examining whether health services are protecting patient data effectively, VAGO says there are key weaknesses and present risks within the physical and software security of Victoria’s health services.
VAGO accessed patient data at Barwon Health, the Royal Children’s Hospital, and the Royal Victorian Eye and Ear Hospital to demonstrate the security risks.
Staff awareness of data security is low, health services are not proactive enough, and they do not recognise that protecting patient data is not just a job for IT staff, according to VAGO.
VAGO also found that health services do not have appropriate governance and policy frameworks to support data security.
These conditions increase the risk of data-harvesting techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located, and could result in cyber attacks similar to those experienced by the National Health Service in England and at a Melbourne-based cardiology provider, VAGO said.
Such attacks could result in a breach of patient privacy, use of patient information for financial or identity fraud, corruption or loss of patient data, unavailability of clinical applications or Electronic Medical Record systems, and damage to biomedical devices.
The audit also examined how the Digital Health branch and Health Technology Solutions are supporting health services.
VAGO says the Department of Health and Human Services’ Digital Health branch has filled an important gap in the sector. However, while Digital Health has developed cyber security standards that could improve security across the sector, health services have not fully implemented the security measures necessary to protect patient data.
Health Technology Solutions, DHHS’s ICT service, has also failed to fully implement Digital Health’s cyber security controls, despite Health Technology Solutions hosting clinical and patient administration applications used by 61% of Victorian health services.
VAGO presented the Department of Health and Human Services with 14 recommendations, including continued support of the Digital Health cyber security program, the implementation of Digital Health’s cyber security controls in Health Technology Solutions, data training for staff, and developments to data security processes and policies.
DHHS Secretary Kym Peake says that the department supports and accepts all the recommendations.
“The department is committed to its role as system manager to the health sector, particularly in the areas of cyber security and general security awareness”, she said.