An audit has concluded that patient data in the Australian state of Victoria’s public health system could easily be breached.
Victoria’s auditor general Andrew Greaves and his office were able to hack into some of the state’s biggest health databases. They used basic hacking tools to access patient data at five different organisations – Barwon Health, the Royal Children’s Hospital, the Royal Victorian Eye and Ear Hospital, as well as the department’s Digital Health and Health Technology Solutions – to demonstrate what Greaves described in a report as “a significant and present risk” to Australian citizens’ patient data.
The auditors were able to access the restricted administration and corporate offices of all the parties examined. For two of the five they were also able to gain access to areas storing critical technology infrastructure.
Some of the organisations were still using the manufacturers’ default account names and passwords, which are easily available online, on key devices such as servers.
Overall, the organisations were found not to have been proactive enough in taking a whole-of-hospital approach to security.
RSA Security regional director of UK & Ireland Chris Miller said: “Attacks on healthcare organisations are becoming increasingly common, so it’s imperative that organisations take the necessary steps to manage their digital risk very carefully.
“Some of the errors that the auditors have picked up on here are pretty basic, which suggests that security hasn’t become embedded into these organisations – instead being treated as a bolt-on, or worse, a hurdle.”
The auditor general’s office also investigated the security infrastructure surrounding the Department of Health and Human Services and the Department of Justice and Community Safety. It found that while the infrastructure was adequate, its effectiveness was undermined by a laissez-faire approach to safety culture.
All of the audited health services accepted the auditor general’s recommendations to tighten security around patient hospital data.
Due to their storage of huge amounts of personal data, hospitals are growing targets for hackers, and medical records can sell for thousands of dollars on the dark web.
In 2017 the WannaCry ransomware attack caused global chaos, costing the British NHS £92m and resulting in 19,000 appointments being cancelled.
Miller said: “Many hackers out there are opportunists; if you are not even doing the basics, then you could fall victim to a hacker who is simply rattling doorknobs to see which one is unlocked.”