Victorian Auditor General’s Office in Australia has found that patient data in Victoria’s public health system resides on a system riddled with weaknesses and is easily hackable.
The report found that the public health sector in Victoria is highly vulnerable to cyber-attacks and staff awareness of data security is low, with major issues detected around physical security, password management and other access controls. In two of the five health agencies examined, the auditors gained access to systems storing critical technology infrastructure, and they managed to get into restricted administration and corporate offices of all the agencies.
Chris Miller, Regional Director, UK & Ireland for Digital Risk Management Experts at RSA Security:
“Healthcare organisations hold huge amounts of extremely personal data, so they are very attractive targets for hackers – in fact, it’s reported that medical records can sell for thousands of dollars on the dark net, far more than other details like social security numbers or credit card information. Sadly, attacks on healthcare organisations are becoming increasingly common, so it’s imperative that organisations take the necessary steps to manage their digital risk very carefully. As more and more services go online, with the widespread use of electronic health records and IoT medical devices, managing digital risks in healthcare is becoming increasingly complex. But complexity is not an excuse for burying your head in the sand. Some of the errors that the auditors have picked up on here are pretty basic, which suggests that security hasn’t become embedded into these organisations – instead being treated as a bolt on, or worse, a hurdle.
Security and IT can no longer work in isolation, particularly in healthcare where the consequences can be extreme and even put lives at risk – just look at the WannaCry ransomware attack, which reportedly cost the NHS £92m and resulted in 19,000 appointments being cancelled. In order to manage digital risk effectively, healthcare organisations need to ensure that everyone in the organisation understands what digital risks they face, how these can best be mitigated, and what the consequences are of not doing so. Then it is important to mitigate these digital risks as much as possible, to make it as difficult as possible for hackers – many hackers out there are opportunists, if you are not even doing the basics, then you could fall victim to a hacker who is simply rattling doorknobs to see which one is unlocked.”