Victoria’s Health department has shortlisted 72 cyber security controls for the state’s health services to implement following a malware infection at Melbourne Health last year.

The state’s auditor-general Andrew Greaves today revealed the department had directed all health services “to complete a cyber health check baseline assessment” last May after Melbourne Health fell victim to a malware infection that downed its pathology systems.
Melbourne Health spent weeks grappling with mutations of the Qbot malware, and had to fast-track an operating system upgrade project to recover.
The state-wide cyber health check baseline assessment conducted in the wake of the infection “found that health services are at varying levels of maturity, and all health services need to work to achieve minimum cyber security standards”, Greaves said.
“After the assessment, the department prepared a set of cyber security minimum baseline requirements, comprising 72 cyber security controls,” he said.
“A working group of representatives from the health services and the department has been set up to plan how the health sector will attain the maturity required to protect the quality and safety of clinical care from cyber breaches.”
Greaves said there was a range of risks around cyber security across the state’s health operations, and they were exacerbated by system interdependencies.
He said patients could be put at risk if systems across a range of health disciplines were left unavailable due to a security breach.
However, Greaves said he “commended” the Health department for its actions following the Melbourne Health malware infection, and said his office would consider a future audit to determine the efficacy of implementation of the baseline security controls.