Auditor-General Hacked into Hospitals to Expose Crucial Security Flaws
Victoria’s Auditor-General has managed to successfully hack into the IT and security systems of some of the state’s largest hospitals, according to reports.
Designed to expose any vulnerabilities in the state’s network, the audit uncovered a number of “poor” cybersecurity protocols in the Victorian healthcare sector, and the auditors were able to access highly sensitive patient data.
Auditor-General Andrew Greaves tabled his report in Victoria’s state parliament earlier this week, and stated outright that all four health services he and his team audited were vulnerable to attacks.
“All the audited health services need to do more to protect patient data,” he said.
“Our testing found that once attackers gained access to health services’ systems - either through phishing or by implanting a rogue device within a hospital - they could exploit these weaknesses to access patient data.”
The audit identified a number of vulnerabilities in the system, including accounts of employees who had since resigned or been terminated that remained active and able to access the system, and the absence of any reviews of this level of access. The Age’s Adam Carey is reporting that “in many cases, hospital cybersecurity systems were undermined by poor staff training. Staff were found to be vulnerable to ‘social engineering’ techniques that cyber criminals use, such as phishing and tailgating into corporate areas where servers are located.”
“This exposes control systems to the risk of a successful cyberattack, particularly by a trusted insider or an intruder breaching physical security and gaining unauthorised access,” Auditor-General Greaves reported.
“These deficiencies mean that agencies cannot be sure that only authorised staff access patient records,” Auditor-General Greaves wrote. In his report, the auditor general published 14 recommendations, including a push for more health staff to be trained by a cybersecurity specialist, with that training made mandatory before they can work in a hospital.
Back in February we reported on a cyber attack that saw hackers break “into the medical files of Melbourne’s Cabrini Hospital and demanded a ransom,” which strengthens the auditor general’s argument that Australian hospitals need to implement more robust security measures to protect their systems.
According to The Age, “The Department of Health and Human Services, which runs the state’s health system, was also exposed in the cybersecurity audit.”
“Health Technology Systems, a part of the department, has a financial management system that is used by 99 per cent of Victoria’s health services but had user accounts that ‘were still vulnerable to basic password cracking techniques,’” the auditor general reported.