Security of Patients' Hospital Data

Tabled: 29 May 2019

Audit overview

Public hospitals collect, generate, and use a wide range of patient data—from personal details such as names and addresses, to clinical information such as diagnostic notes and test results.

Public hospitals increasingly use information and communications technology (ICT) to deliver healthcare, and to capture and store patient information. Digital records give clinicians easy access to their patients' information at the point of care and allow clinicians to quickly share information and results, with the aim of avoiding duplication and medical errors.

Within DHHS, the Digital Health branch supports health services to implement clinical ICT projects and develops sector-wide standards and guidance.

HTS is a separate business unit in DHHS that provides optional ICT services to health services, including systems for clinical information and patient administration.

While digital records can improve patient care, a cybersecurity breach could alter or delete patients' personal data or permit unauthorised access to this data. A breach could also disable health services' ICT systems and prevent staff from accessing patient information.

Health services' security measures protect their ICT systems and the infrastructure used to store patient data. However, human action—either unintentional or malicious—can undermine even the most sophisticated security controls. To manage the security risk, health services need a culture of security awareness, with their staff trained to identify and respond effectively to data security risks.

In this audit, we assessed whether health services are taking effective steps to protect patient data. We audited Barwon Health (BH), the Royal Children's Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH). We also examined how two different areas of the Department of Health and Human Services (DHHS) are supporting health services: the Digital Health branch and Health Technology Solutions (HTS).

Conclusion

Victoria's public health system is highly vulnerable to the kind of cyberattacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.

Phishing is a social engineering technique where an attacker tricks people into providing sensitive information—such as usernames, passwords and credit card details—by disguising an email as from a trustworthy entity.

There are key weaknesses in health services' physical security, and in their logical security, which covers password management and other user access controls. Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.

We exploited these weaknesses in all four audited agencies and accessed patient data to demonstrate the significant and present risk to the security of patient data and hospital services.

The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.

DHHS's Digital Health branch has filled an important gap in the sector by developing common cybersecurity standards and acting as the central point for advice and support. While Digital Health has developed a clear roadmap to improve security across the sector, health services have not fully implemented the security measures necessary to protect patient data.

HTS has not fully implemented Digital Health's cybersecurity controls itself, and shares many of the same security weaknesses as health services. This is a risk to the sector because HTS hosts the clinical and patient administration applications that are used by 52 of the 85 Victorian health services (61 per cent).

Rural Health Alliances are groups of small regional and rural health services that deliver core ICT services to their members, governed by a joint-venture agreement.

While HTS and the audited health services outsource key parts of their ICT operations to third-party vendors or Rural Health Alliances (RHA), they remain accountable for the security of their patient data. HTS has established processes to monitor vendor performance; however, it needs to ensure that its main vendor complies with required security controls within an agreed timeframe. The three audited health services are not fully aware of whether their service providers have the necessary security controls. Due to the sector's reliance on third-party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe.

Findings

Cybersecurity in the Victorian public health sector

Digital Health

DHHS's Digital Health branch supports improved cybersecurity in the sector by developing guidance materials, running awareness and training sessions, and funding ICT infrastructure upgrades. It has also developed a set of 72 baseline cybersecurity controls for health services to improve the maturity of their security practices. Prior to Digital Health's cybersecurity program, there were significant gaps and little consistency in how health services managed risks to patient data.

Digital Health has proactively supported health services to improve their cybersecurity by leading joint procurement processes for advanced cybersecurity tools. This has led to cost savings for health services and greater consistency in how health services detect and respond to cyber incidents.

Cybersecurity controls

While Digital Health has set a better practice standard for health services to follow, no Victorian public health service has fully implemented all 72 controls. The sector collectively has implemented 62 per cent of the 38 foundational cybersecurity controls. The audited agencies have implemented 57 per cent of the foundational controls. The audited health services advise that key barriers to implementing the controls are a lack of dedicated funding for cybersecurity projects and limited staff availability.

Digital Health has assessed the risk profile of each health service, based on the number of controls implemented. Four out of the seven hospitals that DHHS recently assessed as 'high risk' have not improved their compliance with the controls since Digital Health first introduced them in March 2017. Six Victorian health services have implemented no controls beyond those already in place when Digital Health first introduced the controls.

Health services use biomedical devices to treat, monitor and diagnose patients. Increasingly, health services connect biomedical devices—such as infusion pumps and heart monitors—to their ICT systems and the internet, making them vulnerable to cyberattacks.

While DHHS sets targets for individual health services based on their circumstances, there are no penalties for non-compliance. It is vital that health services take a proactive approach and implement the controls, as each health service is responsible for the security of their patient data and ICT systems.

As the digital maturity of health services continues to improve there is scope for Digital Health to extend the 72 controls to include additional measures. Digital Health has advised that it plans to review the controls with a view to expanding them to cover other key risk areas, such as biomedical device security.

Effectiveness of data security in hospitals

All the audited health services need to do more to protect patient data. We identified key weaknesses in data security practices, including inadequate user access controls, weak passwords, and poor system and network monitoring.

We also found that health services do not have appropriate governance and policy frameworks to support data security. While all the audited health services have completed security testing and audits in the past, none have a clear policy that outlines when and how they will test the effectiveness of their security controls.

Computer ports can be both physical and virtual and connect different devices within a computer network. Virtual network ports are vulnerable to internet attackers who search for ports with poor security that they can use to enter a network.

ICT security

ICT security is fundamental to the ability of health services to protect patient data. We identified common weaknesses across all four audited agencies, such as insufficient port security, weak user passwords and limited network segmentation. One audited health service has started work to improve segmentation and network access controls.

These weaknesses limit the ability of audited agencies to effectively identify, detect, prevent and respond to potential data security incidents.

We also found deficiencies in how health services manage user access to digital records, including:

  • unused and terminated employee accounts still enabled
  • failure to keep user access forms as proof that users have had their access approved
  • a lack of any formal, regular user access review to ensure only staff who need access have it.

Network segmentation is the practice of splitting up a computer network into different segments. This can help prevent problems—such as a virus or attack—spreading to the entire network.

These deficiencies mean that agencies cannot be sure that only authorised staff access patient records.
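A minimal user access review of the kind the audit found missing (and that recommendation 13 calls for), as an added example that is not the report's or any health service's own tooling. The account export, the HR leavers list, the 90-day dormancy threshold and the review date are constructed assumptions:

```python
"""Access review check: added example, not the report's or DHHS's tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None: the account has never been used
    approval_on_file: bool      # signed user access form retained as proof
    is_admin: bool
    mfa_enabled: bool

# Hypothetical HR leavers list: usernames of staff whose employment has ended.
TERMINATED = {"jsmith", "contractor04"}
AS_AT = date(2019, 5, 29)  # review date (constructed)

# Constructed directory export for one clinical system (hypothetical names).
ACCOUNTS = [
    Account("jsmith", True, date(2019, 1, 10), True, False, False),
    Account("contractor04", False, date(2018, 6, 3), True, False, False),
    Account("nurse_lee", True, date(2019, 5, 20), True, False, False),
    Account("svc_pathology", True, None, False, False, False),
    Account("ictadmin", True, date(2019, 5, 21), True, True, False),
    Account("dr_patel", True, date(2018, 11, 2), False, False, False),
]

def review_accounts(accounts, terminated, today, dormant_days=90):
    """Return {username: [issues]} for enabled accounts that fail the checks
    the audit found missing: terminated staff still enabled, dormant or
    never-used accounts, no access approval record, admin without MFA."""
    cutoff = today - timedelta(days=dormant_days)
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to review
        issues = []
        if acct.username in terminated:
            issues.append("terminated employee account still enabled")
        if acct.last_login is None:
            issues.append("account has never logged in")
        elif acct.last_login < cutoff:
            issues.append(f"no login for more than {dormant_days} days")
        if not acct.approval_on_file:
            issues.append("no user access approval form on file")
        if acct.is_admin and not acct.mfa_enabled:
            issues.append("administrator account without MFA")
        if issues:
            findings[acct.username] = issues
    return findings

def run_review():
    """Run the review over the constructed data as at the review date."""
    return review_accounts(ACCOUNTS, TERMINATED, AS_AT)
```

Each flagged account maps to one of the deficiencies listed above, so the output doubles as the evidence record a periodic review should retain.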

We found staff user accounts at all audited agencies with weak passwords, which we could access using basic hacking tools. We successfully accessed administrator accounts, which are a key target for attackers because they give ICT staff access to all system files. We also found that health services rarely used multi-factor authentication (MFA), even for ICT staff and administrator accounts.

We identified examples where audited agencies were still using default account names and passwords on key devices, including servers. Default account names and passwords are set by manufacturers when they first produce a device and are easy to find on the internet. In one audited health service, we accessed patient data in the hospital because the third-party system had a default account name and password.

An administrator account is a user account that can make changes that impact other users. ICT staff use administrator accounts to update software, access all files, and make changes to other staff accounts.

Personnel security

Staff behaviour is vital to effective data security because staff action can undermine even the best ICT controls. Health services are vulnerable to social engineering techniques that exploit staff because hospitals are busy, public places dedicated to caring for patients. Health services need to ensure that staff take basic action to protect patient data, such as alerting management to suspicious behaviour, locking computers, not clicking on suspicious links, keeping passwords secret, and protecting their security access passes. At all three audited health services we found digital patient data in unsecured shared files and hardcopy patient records left unattended near printers.

We found that only one audited health service provides mandatory cyber and data security training to all staff. Given that staff actions can undermine ICT and physical controls, it is vital that all staff—including clinical staff—can identify and manage the risks to patient data.

ICT controls are policies, procedures and actions that an organisation can use to protect its ICT systems and data.

Physical security

Strong physical security measures are necessary because attackers can exploit weaknesses in physical security to bypass ICT controls and connect directly to hospital systems. While hospitals need to ensure that clinical staff can move freely to treat patients, in two of the audited agencies we gained access to areas used to store critical ICT infrastructure, such as servers. We also accessed restricted administration and corporate offices at all agencies. While hospitals are public places, all the audited health services need to improve the physical security of sensitive areas.

Health Technology Solutions and third-party vendors

It is common for health services to outsource key components of their ICT operations, such as the hosting of their patient data applications, either to HTS, an RHA, or a third-party vendor. Despite this, organisations remain accountable for protecting the security of patient data and need to assure themselves that vendors act appropriately.

Data security

HTS, a part of DHHS, has not fully implemented DHHS's cybersecurity controls, and has many of the same security weaknesses as health services. There is a particular need to improve staff awareness of common social engineering techniques. We found that although HTS's password policy aligns to better practice guidelines from the National Institute of Standards and Technology (NIST), its user accounts were still vulnerable to basic password cracking techniques. We also found that while HTS has conducted security testing of its systems in the past, it has not effectively remediated some issues identified by its testers.

Ninety-nine per cent of Victorian health services use one or more of HTS's applications. Although it is optional, 61 per cent of Victorian health services use at least one of the clinical and patient data applications that HTS hosts, while 32 other health services use the HTS-hosted financial management system. Since DHHS, through HTS, is the custodian of most of the sector's patient information, it is vital that it takes steps to ensure that HTS implements the 72 controls.

Supporting health services

HTS operates a service desk to respond to issues that health services have with their patient and clinical data applications. We found that HTS meets its overall service restoration targets, and resolves 76 per cent of major incidents within three hours.

Vendor management

HTS monitors vendor performance and is taking steps to ensure that its main vendor understands its security responsibilities. However, none of the audited health services assure themselves that vendors are complying with security controls. At one of the audited health services—which is part of an RHA—we found confusion around which entity is responsible for different parts of data security.

Digital Health has recognised the security risks associated with third-party vendors and is in the process of conducting a risk-assessment of vendor security practices on behalf of the sector. However, both the audited health services and HTS need to actively manage their contracts with vendors to ensure they comply with required security measures.

Recommendations

We recommend that the Department of Health and Human Services:

1. continue to support the Digital Health cybersecurity program, and through Digital Health:

  • review and expand the 72 cybersecurity controls where appropriate
  • develop and deliver specialist cybersecurity training for health sector staff
  • assist the sector to jointly procure better practice cybersecurity tools (see Sections 2.2 and 2.3)

2. implement Digital Health's cybersecurity controls in Health Technology Solutions (see Section 4.2)

3. ensure that Health Technology Solutions regularly tests its incident management process, including the capability of its third-party vendors, so it is prepared to respond to future cybersecurity incidents (see Section 4.3)

4. strengthen cooperation between Digital Health and Health Technology Solutions to ensure that both business units provide better practice support to the sector (see Section 4.2)

5. ensure that any new joint-venture agreements for Rural Health Alliances detail clear service level expectations and the security responsibilities of Rural Health Alliances and member health services (see Section 4.3).

We recommend that all Victorian health services:

6. expedite implementation of Digital Health's 72 cybersecurity controls (see Section 2.3)

7. develop and give effect to a policy that outlines when and how often they will test their information and communications technology, personnel, and physical security controls to ensure they are operating effectively to protect patient data (see Section 3.3)

8. deliver mandatory training in data security to all staff (see Section 3.5)

9. ensure that information and communications technology staff receive regular cybersecurity training (see Section 3.5)

10. align their information and communications technology password policies with Australian Signals Directorate guidelines (see Section 3.4)

11. ensure they identify and risk assess all information and communications technology assets (see Section 3.4)

12. implement multi-factor authentication for information and communications technology staff and administrator accounts (see Section 3.4)

13. conduct annual user access reviews to ensure that only relevant staff have access to digital patient data (see Section 3.4)

14. develop processes to monitor whether all third-party vendors are complying with data security requirements (see Section 4.3).

Responses to recommendations

We have consulted with DHHS, BH, RCH and RVEEH and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions or comments. We also provided a copy of the report to the Department of Premier and Cabinet.

The following is a summary of those responses. The full responses are included in Appendix A.

The audited health services and DHHS have accepted the recommendations from this audit. DHHS has provided an action plan that addresses each recommendation, and has advised it will work with health services to acquit recommendations six to 14.
