What's Happening?
An audit of the New South Wales (NSW) health system has revealed that clinicians in local health districts are routinely bypassing cyber security controls. This practice is reportedly driven by a culture of 'clinical urgency,' where the immediate treatment of patients is prioritized over adherence to cyber security protocols. The audit found that clinicians often save patient data to personal devices and remain logged into shared computers, actions that compromise data security. The audit examined four of the state's 15 local health districts and found none had effective cyber security or response plans. The report highlights a normalization of non-compliance with cyber security measures, exacerbated by outdated technology and complex password requirements. Additionally, the audit noted a lack of support and coordination from the central health ICT agency, eHealth NSW, and insufficient funding for cyber security measures.
Why It's Important?
The findings of the audit underscore significant vulnerabilities in the NSW health system's cyber security infrastructure, which could have serious implications for patient privacy and data protection. The health sector is already the most affected by data breaches in Australia, and the normalization of bypassing security controls could exacerbate this issue. The lack of effective cyber security measures not only risks patient data but also the integrity of clinical service delivery. This situation highlights the need for urgent reforms and increased investment in cyber security to protect sensitive health information and ensure compliance with both state and federal regulations. The potential for cyber attacks on critical health systems could disrupt clinical services, posing risks to patient care and safety.
What's Next?
In response to the audit, NSW Health has established a taskforce to drive cyber security reforms and improve compliance with security regulations. An 'uplift program' has been initiated to enhance resilience and adherence to both NSW and federal cyber security laws, including the Security of Critical Infrastructure (SOCI) laws. This program aims to address the identified gaps in cyber security planning and practices, ensuring that critical health systems are adequately protected. The success of these initiatives will depend on effective coordination between local health districts and the central health ICT agency, as well as sufficient funding to support necessary improvements.









