Clinicians at local health districts in NSW routinely dodge cyber security controls, saving data to their own devices and staying logged in on shared computers to support “clinical urgency”, an audit has found.
The NSW audit [pdf] offers a concerning glimpse into cyber security planning and practices in the NSW health system.
The health sector consistently experiences the most data breaches of any industry vertical in Australia, according to federal statistics.
The NSW audit examined four of the state’s 15 local health districts or LHDs.
None were found to have “effective cyber security plans” or “cyber security response plans”, nor did their disaster recovery and business continuity plans “consider cyber security risks”.
The cyber security plans were found to be “outdated, of poor quality and not fit-for-purpose.”
Perhaps more concerning, however, is the “normalisation of non-compliance with cyber security controls”.
“Local health districts operate within a culture of clinical urgency, where the time critical treatment of patients takes precedence,” the audit states.
“In all audited local health districts, critical cyber security controls are not consistently applied by clinical staff who perceive a tension between the urgency of clinical service delivery and the importance of cyber security policies.”
The audit found that patient data was being saved to clinicians’ own devices, outside of clinical systems.
“Despite implementing rules for clinicians not to save and host patient information on their own devices outside of clinical systems, clinicians often did so,” the audit found.
“Further, some clinicians uploaded patient information to unsecured systems and applications.
“Local health district ICT staff advised that it is difficult to raise this issue directly with the clinical staff engaging in these practices because of siloed environments and management structures between clinical and operational staff, and a lack of understanding of the risks involved.”
Data is also shared via fax or email – often due to a lack of options.
In addition, clinical staff often stay logged into computers that are then left unattended.
While time pressures play a part in this, the audit found it is a complex issue exacerbated by reliance on older technology and complex, distinct passwords.
“For clinical staff, who move between clinical spaces and use multiple systems while providing services to patients, logging in and out of computers and devices is a frequent requirement,” the auditor found.
The process of logging in and out of devices and systems could take place several times over short durations, the auditor said.
“This is cumbersome and disruptive because it interrupts their clinical processes and forces them to stop and re-start their tasks.
“Additionally, audited local health district staff reported that some clinical systems can be slow and require long and complicated passwords that can add even more time to the process of logging in and out of systems while providing clinical care. As a result, staff regularly do not log out of systems.”
Running lean
While the districts are supported by eHealth NSW, the audit identified “a lack of support, coordination and oversight … in cyber security matters” from the central health ICT agency, resulting in confusion at the local health district level.
Additionally, the auditor said that neither eHealth NSW nor the districts met “benchmark spending” on cyber security.
This appears in part to be a funding issue, with districts being asked to “uplift” controls “using existing funds”.
“Most local health districts in NSW reported to the review that they have one full-time equivalent staff member dedicated to cyber security. However, some larger districts have more staff in this area and a few local health districts share cyber security resources,” the auditor wrote.
“Local health districts spent on average $421,000 on cyber security in 2023–24 or about two percent of ICT expenses.”
Protecting the “crown jewels”
Some 41 systems have been identified as “crown jewels” across NSW Health, but the auditor found that not all of these systems were treated equally.
Logs for some – but not all – systems were fed to a health security operations centre.
“Some crown jewel systems do not receive the same level of monitoring as other important health systems,” the auditor wrote.
“This increases the risk of a successful cyber attack that could affect clinical service delivery.”
Uplift underway
In a letter dated late June of this year, NSW Health secretary Susan Pearce said that a taskforce had been established to drive cyber security reforms and “capability uplift”.
Pearce also said that an “uplift program” had been initiated to improve resilience and compliance with both NSW and federal cyber security rules, including the Security of Critical Infrastructure (SOCI) laws.