The poor management of cyber risks and a failure to meet minimum requirements are leaving NSW hospitals vulnerable to cyber attacks, according to a secret audit tabled in Parliament in the middle of last year and released publicly just before Christmas.
The Audit Office of NSW handed a report on cybersecurity in Local Health Districts to the state government in July last year, but did not make it public until 19 December to give NSW Health time to respond to the important recommendations included in it.
The audit found that NSW Health was not properly managing the cybersecurity risks in healthcare, and that hospitals and other healthcare providers were not prepared to respond to a cybersecurity attack.
It found a systemic non-compliance with the state government’s cybersecurity requirements, and regular non-compliance with cybersecurity controls by clinical health staff.
“NSW Health is not effectively managing cybersecurity risks to clinical systems that support healthcare delivery in Local Health Districts,” the audit stated.
“Systemic non-compliance with NSW government cybersecurity requirements, including maintaining adequate cybersecurity response plans, business continuity planning and disaster recovery for cybersecurity incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats.
“This exposes the risk that a preventable cybersecurity incident could disrupt access to healthcare services and compromise the security of sensitive patient information.”
NSW Health has been approached for comment. The NSW Health Minister is Ryan Park.

NSW Health Minister Ryan Park. Image: YouTube
No adequate cyber planning
There are 15 Local Health Districts in NSW that administer the state’s hospitals and other health services.
These districts generate, use and maintain huge amounts of highly sensitive personal and health data about patients.
For the audit, the NSW Auditor-General scrutinised the cybersecurity practices of four Local Health Districts.
It found that none had cybersecurity incident response plans that were fit-for-purpose, only one had a cybersecurity plan and only half had conducted desktop exercises to test cybersecurity incident response plans.
No Local Health District had met the minimum requirements for cybersecurity as outlined by the state government since 2019, the audit found, meaning they were “not adequately prepared to respond effectively to cybersecurity incidents”.
“Local Health Districts that do not have effective cybersecurity plans cannot articulate their approach to managing cybersecurity risks and are not adequately prepared to respond to and manage cybersecurity risks and incidents,” the audit said.
The audit also found a “normalisation” within the healthcare settings of non-compliance with cybersecurity controls, due to a “perceived tension” between the urgency of delivering health services and the importance of cybersecurity policies.
During the audit, a number of clinical staff were observed being non-compliant, even with multiple cybersecurity controls in place.
“Despite known systemic non-compliance by clinical staff, the audited Local Health Districts have not assessed the effectiveness of the controls they have put in place, nor have they identified any alternatives that might balance the need for clinical urgency with effective cybersecurity practices,” the audit said.
“In addition, they have not considered investing in alternative ICT solutions that better meet the needs of clinical staff while also addressing cybersecurity concerns.”
The inquiry also found that eHealth NSW had not clearly defined or communicated its own role and the expected roles of Local Health Districts when it came to cybersecurity, leading to confusion.
Acting on the recommendations
The Audit Office of NSW recommended that the state Ministry of Health collate and validate information on compliance with the NSW Cyber Security Policy and finalise and communicate cybersecurity roles and responsibilities within the NSW Health system, and that eHealth develop guidance on balancing the need to deliver clinical services while meeting cybersecurity requirements.
It also recommended that all Local Health Districts design and implement a fit-for-purpose cybersecurity risk management framework.
Since receiving the report, NSW Health has established a taskforce and progressed action in response to these recommendations, the Audit Office of NSW said.
There have been a number of high-profile hacks and data breaches involving health services in recent years.
In 2022, major private health insurer Medibank fell victim to a large cyber data breach, with the highly sensitive personal information of 9.7 million individuals compromised and eventually posted on the dark web after Medibank refused to pay a ransom.
In late 2023, St Vincent’s Health Australia, the largest not-for-profit hospital in the country, suffered a cyber attack, and said there was evidence that some data had been taken from its network.
And in September last year, nearly 600 medical staff had their private data exposed after the NSW Health department mistakenly left confidential documents available publicly online.