Sensitive NSW medical records at risk of falling into hackers’ hands, damning leak reveals
Sensitive medical records and essential healthcare systems are at risk of falling into the hands of hackers because NSW public hospitals are failing to meet basic cybersecurity standards despite measures costing taxpayers $40 million a year, a leaked government audit has revealed.
A draft report by the Audit Office of NSW, seen by this masthead, found the state’s local health districts were not effectively managing cybersecurity risks at their hospitals and were “ill-prepared to respond” if an attack occurred.
“This exposes the risk that a preventable cybersecurity incident could disrupt access to healthcare services and compromise the security of sensitive patient information,” the report concluded.
NSW hospitals are at risk of hacks because of lax cybersecurity standards, a leaked government audit has revealed. Credit: Stephen Kiprillis
None of the four local health districts assessed in the performance audit met the minimum requirements outlined in the NSW government’s cybersecurity policy in 2019, the draft report said, noting there was “systemic non-compliance” with the standards.
None of the audited districts had effective response and disaster recovery plans, which “hampers responses during an incident” because roles and responsibilities are not well understood.
“Actions to address cybersecurity incidents may not be undertaken as quickly as desired, affecting the delivery of services to patients,” the draft report said.
The report also revealed NSW taxpayers spent $39 million in the last financial year on cybersecurity across the health system. This was due to jump to $59 million next year, rising to $64 million by 2030.
The auditors recommended NSW Health should, by the end of this month, gather information on whether each of its organisations is complying with the state government’s cybersecurity policy, and finalise cybersecurity roles within the NSW health system.
By December, eHealth NSW, the body responsible for IT across the state’s public health system, should boost its support to health districts by developing a cybersecurity risk appetite statement, localising centrally developed tools, and ensuring monitoring of all highly valuable and operationally vital systems, known as “crown jewel assets”, according to the audit’s draft recommendations.
NSW Health chief information officer Richard Taggart said the agency had seen the draft but would wait until the auditor-general had finalised his report, and formally tabled it in parliament, before acting on it.
“Broadly speaking, the recommendations aligned to or reinforce the existing cybersecurity priorities we already had, and the actions we’re already taking,” he said. “We have confidently got plans in place already that mean that we can look at those recommendations sensibly and work inside those recommendations’ timelines to address them.”
To patients concerned about their sensitive information being potentially vulnerable to a cyberattack, Taggart said: “All our leaders take this very, very seriously, and we’ll continue to build systems, tools, controls and improvements to ensure that we continually check the systems that we have where that private information is kept.”
NSW Health Secretary Susan Pearce and Deputy Auditor-General Claudia Migotto wrote to the Herald on Friday afternoon seeking to have publication postponed, citing concerns it could expose hospitals to increased cyberactivity.
Health Minister Ryan Park said the state government was taking the matter “very seriously”.
“Protecting patients’ personal and sensitive data is one of our highest priorities,” he said.
The warning follows a number of high-profile attacks on Australian hospitals, insurance funds, specialist clinics, and third-party healthcare providers.
Megan Lane, health and aged care lead for CyberCX, the country’s largest cybersecurity firm, said healthcare providers had increasingly become targets for cyber criminals because of the sensitivity of their data and “the genuine risk to life in the event that significant health systems are disrupted”.
“Cybercriminals are in the business of harm maximisation,” she said. “They use the tools available to them, either disrupting systems or stealing and weaponising information in an effort to exert pressure on a victim organisation.”
Victoria’s Epworth and Royal Melbourne hospitals, fertility clinic Genea, and prescription service MediSecure have had patient data exposed in cyberattacks in the past 12 months.
The MediSecure attack was considered one of the largest in Australia’s history, exposing the data of 12.9 million Australians. About 6.5 terabytes of data, including insurance numbers and names and addresses, were later published for sale on a Russian hacking forum, and the company no longer exists.
These followed high-profile cyberattacks on St Vincent’s, Australia’s largest not-for-profit health and aged care provider, in December 2023, and a hack on health fund Medibank in 2022 resulting in the personal details of almost 10 million current and former customers being published on the dark web.
St Vincent’s later confirmed no personal data or health information was stolen. Lane said that, after that scare, the auditor-general’s report should be another “wake-up call” for administrators responsible for large and complex systems.
“Healthcare is the only part of the economy where we are having serious conversations with organisations about rolling out AI at the same time as we are working out how to keep the lights on for fax machines,” she said. “The health sector learnt some valuable lessons the hard way about how to respond to a pandemic-type crisis, and I think … it would be unfortunate to have to learn similar hard lessons when a major cyber incident occurred.”
An analysis earlier this year of 70 Australian hospitals by software provider Proofpoint found 23 per cent were lagging on basic cybersecurity measures, including email validation protocols designed to protect domain names from being misused by cybercriminals.
Sydney-based senior director Steve Moros said hospitals were familiar with the principle of preventative healthcare, and that should also apply to cybersecurity.
“These systems are critical, right? I need to stay alive, so if a hospital is hit with a ransomware attack, they’re likely to pay on the threat of downtime,” he said. “We’d rather be preventing cyberattacks than curing them because the cure is actually quite problematic.”