An audit report has found that the patient's data at Victoria's public health system is highly vulnerable to cyber attacks due to the security weaknesses within the Department of Health and Human Services' (DHHS) own technology arm.

The reports, which was published on Wednesday, May 29, stated that the weak technology is the reason behind the likelihood of a breach in 61% of the state's health services. Auditor general, Andrew Greaves said that the issues include physical security, password management and other access controls.

In Security of Patients' Hospital Data [PDF], Victorian Auditor-General's Office (VAGO) has revealed that Victoria's public health system is highly vulnerable to the kind of cyber attacks recently experienced by the National Health Service (NHS) in the UK, in Singapore and at a Melbourne‐based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.

VAGO said: "Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located."

In this audit report, VAGO examined whether health services are taking effective steps to protect patient data or not and it included Barwon Health (BH), the Royal Children's Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH).

"We also examined how two different areas of the Department of Health and Human Services (DHHS) are supporting health services: the Digital Health branch and Health Technology Solutions (HTS)," the report stated and mentioned that "the audited health services are not proactive enough and do not take a whole‐of‐hospital approach to security that recognises that protecting patient data is not just a task for their IT staff."

Even though DHHS' Digital Health branch is currently acting as the central point for advice and developing common cybersecurity standards, the security measures have not yet been completely implemented by the Digital Health branch.

After an examination of Victoria's water providers revealed that cybersecurity risks were lacking in exposing control systems to cyber-attack. The water boards accepted that they needed to improve the cybersecurity controls to make it safe and secure.

However, it should be noted that all of the examined health services and the department accepted the VAGO's recommendations on patient hospital data.