Audit Identifies Australian Health Sector Security Weaknesses
Many of the Problems Are Also Common in the U.S.
Weak security controls and practices are putting Australian patients' data at high risk for cyberattacks, according to a new government audit in Victoria, Australia's second most populous state.
The report issued on May 29 assessed whether the Victoria public health sector is taking effective steps to protect patient data.
Similar to Canada's healthcare system, Australia has a hybrid national public and private healthcare system in which a government program, Medicare, pays for some medical expenses - such as care provided in a public hospital - with optional private insurance policies available to help pay for costs not covered by Medicare.
The Victorian Auditor-General's Office scrutinized several entities, including the security of three public hospitals as well as two areas of the state's Department of Health and Human Services.
Many of the security weaknesses VAGO identified - including in access and ID management practices and user awareness - are similar to the findings of U.S. government watchdog agencies in their security audits of the U.S. Department of Health and Human Services as well as U.S. Medicare and Medicaid healthcare providers and contractors (see: Audit: HHS Info Security Program Not Effective). That's because, overall, the healthcare sector faces many of the same challenges across the globe.
"The nature of healthcare today from an information and data perspective is so complex," says Mac McMillan, CEO of security consultancy CynergisTek. "Keeping staff aware of all of the things that they need to know that could potentially hurt them or the organization is a definite challenge. Add to that the third-party risks that continue to grow, the exponential spread of devices and new pressures to share more information and access, and you have a very attractive target surface for cybercriminals who understand how hard it is to secure everything."
A Breach Target
Healthcare had more data breaches than any other business sector in Australia in the first quarter of this year, according to the Office of the Australian Information Commissioner.
VAGO in its audits found that Victoria's public health system is "highly vulnerable to the kind of cyberattacks recently experienced by the National Health Services in England, in Singapore and at a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services," the report notes.
"There are key weaknesses in health services' physical security, and in their logical security, which covers password management and other user access controls," the report says. "Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing and tailgating into corporate areas where information communication and technology infrastructure and servers may be located."
VAGO notes it exploited those weaknesses in all the audited agencies and accessed patient data to demonstrate the significant and present risk to the security of patient data and hospital services.
"The audited health services are not proactive enough and do not take a whole hospital approach to security that recognizes that protecting patient data is not just a task for their IT staff."
The report notes that DHHS' Digital Health branch supports improved cybersecurity in the sector by developing guidance materials, running awareness and training sessions and funding information communication and technology infrastructure upgrades.
"It has also developed a set of 72 baseline cybersecurity controls for health services to improve the maturity of health services' practices," VAGO writes.
Not Fully Implemented
The report points out, however, that no Victoria health service examined has fully implemented all 72 controls.
"The audited agencies implemented 57 percent of the foundational controls. The audited health services advise that key barriers to implementing the controls are a lack of dedicated funding for cybersecurity projects and limited staff availability," the report states. "It is vital that health services take a proactive approach and implement the controls, as each health service is responsible for the security of their patient data and ICT systems."
ID and Access Management
The report also notes that the Victoria health services agencies "rarely used" multifactor authentication for healthcare staff, information and communication technology worker and administrator accounts.
"We identified examples where audited agencies were still using default account names and passwords on key devices, including servers," the report notes. "Default account names and passwords are set by manufacturers when they first produce a device and are easy to find on the internet. In one audited health service, we accessed patient data in the hospital because the third-party system had a default account name and password."
VAGO notes that it's common for healthcare service providers to outsource key components of their IT operations to third parties, including the Health Technology Solutions arm of DHHS.
"Despite this, organizations remain accountable for protecting the security of patient data and need to assure themselves that vendors act appropriately," the report notes. This, too, creates risk.
"HTS has not fully implemented DHHS's cybersecurity controls and has many of the same security weaknesses as health services. There is a particular need to improve staff awareness of common social engineering techniques," the report notes.
The lack of multifactor authentication implementation is a common problem across the healthcare sector worldwide, McMillan says.
"The hard-to-believe but simple truth is that multifactor authentication is still viewed as something that interferes with convenience or workflows," McMillan says. "However, those same individuals that complain about the few seconds' delay that multifactor authentication causes almost certainly engage in online banking or purchasing where they use it routinely. Convenience is still the number one enemy of security."
VAGO made more than a dozen recommendations to Victoria's DHHS to address the problems identified and bolster security. Among the recommendations:
- The DHHS Digital Health unit should review and expand its 72 cybersecurity controls where appropriate;
- The DHHS Health Technology Solutions unit and all Victorian health services providers should implement all cybersecurity controls of the Digital Health unit;
- All Victorian health services providers should implement multifactor authentication for all information and communication technology staff and administrator accounts.
The VAGO report notes that the audited DHHS units and hospitals concurred with its recommendations.