Report on insecure medical information highlights poor security standards in Victoria
October 16, 2014
On Melbourne ABC radio today Jon Faine announced receipt of information from a whistleblower highlighting the insecure transmission of highly sensitive medical information through the state's emergency services paging system. The story has been picked up by the Age in "Private medical information used by emergency services ‘insecure’, claims whistleblower", which provides:
Concerns have been raised that personal information, including medical details and home addresses, used to dispatch emergency services to critical incidents is easily accessible and insecure.
The state government is investigating potential privacy breaches of the emergency service paging system, which sends out text alerts to thousands of staff and volunteers of the SES, CFA and Ambulance Victoria.
The text messages contain information that allows emergency personnel to respond quickly to incidents and can include private medical details, such as medications or medical conditions, when broadcast by Ambulance Victoria.
Minister for Police and Emergency Services Kim Wells said he had been made aware of “serious” incidents where unauthorised people have been scanning emergency paging broadcasts. He said this was potentially in contravention of the Telecommunications Interception Act.
“When authorities are alerted, these potential breaches are taken very seriously and people are issued with a cease and desist by the Department of Justice,” he said.
A spokesperson for the Emergency Services Telecommunications Authority, which manages the system on behalf of the emergency services, said unauthorised scanning of the pager information was rare but did occur from time to time.
She said there were protocols covering the scanning of broadcasts and that enthusiasts had been listening to emergency broadcasts “for decades”.
But a whistleblower has reportedly claimed the private information is easily obtainable by people not part of the emergency services through basic internet searches.
“There is information on here about medication, where people keep their keys, about all sorts of stuff and it’s utterly insecure,” said 774 ABC Melbourne presenter Jon Faine, who had spoken with the whistleblower.
He said the personal information was easy to find but did not provide information on how to obtain it to avoid breaking any privacy laws.
Liberty Victoria president Jane Dixon said accessing private medical information broadcast by the pagers without authorisation could be a breach of privacy principles.
“The legislation imposes a lot of requirements; it sounds a bit too easy to get to this health information,” she told ABC Radio.
More than one million text alerts were sent out to approximately 40,000 pagers using the service in 2012/13, including 524,065 emergency messages. The paging service is used by rural emergency services.
Earlier this week an auditor-general report slammed ESTA’s performance over its handling of the state’s triple-zero service, saying it had not met ambulance emergency dispatch standards for three years.
Why this information is not properly encrypted is perplexing. That such information can be reached by non-authorised persons over the internet is a significant breach of the data security principles under the Health Records Act.
Itnews reports, in "Vic Govt agencies failing to patch, monitor access controls", that the Auditor-General has been highly critical of Victorian Government agencies' maintenance of proper data security. The problems he highlights are familiar to practitioners in the privacy area: failing to apply patches to systems, poor controls on access to data and poor password controls. These are similar to the problems that are commonplace in the private sector.
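The complaint above is that medical details, addresses and key locations travel over a channel that anyone with a scanner can read. One mitigation, separate from encrypting the channel itself, is data minimisation: broadcast only what a crew needs to be dispatched, and hand the sensitive details to the assigned crew over an authenticated channel. The following is an added illustration of that split, not code from ESTA or any emergency service; the field names, the sample dispatch record and the HMAC-based retrieval token are all assumptions made for the example.

```python
"""Data-minimised dispatch paging: keep medical details off the open pager channel.

Added illustration, not ESTA or Ambulance Victoria code. Assumes a dispatch
record with a mix of routine and sensitive fields, and that the assigned crew
has an authenticated channel (for example a mobile data terminal) on which it
can fetch the withheld details.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Field names are constructed for the example; which fields count as
# sensitive would be decided by the agency's privacy assessment.
BROADCAST_FIELDS = ("job_id", "priority", "incident_type", "suburb")
SENSITIVE_FIELDS = ("patient_name", "street_address", "medications",
                    "conditions", "key_location")

# Constructed sample dispatch record (no real person or address).
SAMPLE_RECORD = {
    "job_id": "J1001", "priority": "1", "incident_type": "chest pain",
    "suburb": "Bendigo", "patient_name": "J. Citizen",
    "street_address": "12 Example St", "medications": "warfarin",
    "conditions": "atrial fibrillation", "key_location": "under front mat",
}


def build_legacy_broadcast(record: dict) -> str:
    """The pattern the article describes: every field goes out over the pager."""
    return " ".join(f"{k}={v}" for k, v in record.items())


def broadcast_leaks(broadcast: str, record: dict) -> list:
    """Return the sensitive field names whose values appear in the broadcast text."""
    return [k for k in SENSITIVE_FIELDS
            if k in record and str(record[k]) in broadcast]


@dataclass
class DispatchStore:
    """Server-side store of the withheld details, keyed by job id."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _records: dict = field(default_factory=dict)

    def _token(self, job_id: str) -> str:
        # Per-job retrieval token derived from a server secret; the pager
        # broadcast carries only the job id, never the secret or the token.
        return hmac.new(self.secret, job_id.encode(),
                        hashlib.sha256).hexdigest()[:16]

    def build_broadcast(self, record: dict) -> str:
        """Text that goes out over the pager network: routine fields plus a job reference."""
        self._records[record["job_id"]] = {
            k: record[k] for k in SENSITIVE_FIELDS if k in record}
        parts = [f"{k}={record[k]}" for k in BROADCAST_FIELDS]
        return " ".join(parts) + f" details=ref:{record['job_id']}"

    def issue_token(self, job_id: str) -> str:
        """Token handed to the assigned crew over the authenticated channel."""
        return self._token(job_id)

    def fetch_details(self, job_id: str, token: str) -> Optional[dict]:
        """Serve withheld details only to a caller presenting the right token."""
        if not hmac.compare_digest(self._token(job_id), token):
            return None
        return self._records.get(job_id)


if __name__ == "__main__":
    store = DispatchStore()
    print("legacy leaks:", broadcast_leaks(build_legacy_broadcast(SAMPLE_RECORD), SAMPLE_RECORD))
    minimal = store.build_broadcast(SAMPLE_RECORD)
    print("minimised broadcast:", minimal)
    print("minimised leaks:", broadcast_leaks(minimal, SAMPLE_RECORD))
    print("crew fetch:", store.fetch_details("J1001", store.issue_token("J1001")))
```

`broadcast_leaks` is the check a reviewer of the paging system would run over a sample of real messages: it takes the broadcast text and the source record and lists which sensitive values made it onto the air. The legacy format leaks every sensitive field; the minimised format leaks none, and the details are only served to a caller holding the per-job token.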
The article provides:
Victorian agencies are handing over privileged system access to too many staff and are failing to patch critical systems, in some cases for years, according to the state’s Auditor-General.
Nearly every agency in the state has earned at least one black mark against its name in the past 12 months of investigations, Auditor John Doyle’s end of year tally has revealed.
In his office’s first ever whole-of-government survey of Victorian IT controls, Doyle found:
- Some agencies haven’t patched major applications since July 2010
- Agencies are handing out privileged access to system users who don’t need it
- IT provider agency CenITex still hasn’t taken action to shore up its absent disaster recovery plans
The report, tabled to parliament today, said the scale of the problems highlighted “the need for public sector chief information officers (CIO) to focus additional effort on ICT security processes and controls”.
The good news for the state government, which faces a general election next month, is that most of the issues are very easily fixed, and have been able to slip through the gaps because of poor oversight and monitoring.
Patch management ranked as the least mature IT control across the audited agencies, with 56 percent of entities experiencing problems keeping on top of their software updates.
One unnamed agency hadn’t patched one of its major systems since July 2010, missing 21 vendor recommended updates including three classified as critical – the oldest of which was made available in 2008.
“The maturity of patch management practices is variable across government. It can range from patches being omitted as a result of accidental oversight in better managed organisations, to organisations where patching is not actively managed and systems go unpatched for years.”
– Information and Communications Technology Controls Report 2013–14
Lax user access controls accounted for the largest slice of high-risk security concerns.
In one typical case, an unidentified agency had given 113 users, including five staff with super-user privileges, accounts where the passwords had no fixed expiry. As a result, the lifespan of the passwords ranged from 98 to 742 days.
Doyle also repeated his demand for the state’s IT shared services agency CenITex to address the absence of a disaster recovery plan for the services it controls.
While the latest report does not name CenITex directly, it did so back when the Auditor-General originally raised the issue in November 2013, and has now complained that nothing appears to have happened in 12 months since.
“Although the service provider had advised the departments and agencies in its annual attestations that it does not have an ICT disaster recovery plan to address significant failures, there had been no action by the service provider to address the risk.”
The Victorian audit office has already flagged its intention to step up scrutiny of the state’s notorious IT operations over the next three years.
The government has also promised to issue its first sector-wide IT security strategy, which is currently still in development.
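The two most concrete findings in the article, a system missing 21 vendor updates with the oldest dating from 2008, and 113 accounts with no password expiry and password ages of 98 to 742 days, are exactly the sort of thing a controls audit can check mechanically from an account export and a vendor advisory list. The following is an added example of those two checks; it is not VAGO's tooling, and the record formats, the 90-day password-age limit and the sample data are assumptions constructed for the illustration (the "as of" date is this post's date).

```python
"""Two ICT general-controls checks: stale passwords and patch backlog.

Added example, not VAGO's audit tooling. The account export format, the
advisory list format, the 90-day policy and all sample records are
constructed assumptions for illustration.
"""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value
AS_OF = date(2014, 10, 16)          # this post's date

# Constructed account export:
# (username, privileged?, expiry enforced?, date of last password change)
ACCOUNTS = [
    ("admin01", True,  False, date(2012, 10, 1)),
    ("ops02",   False, False, date(2014, 7, 7)),
    ("clerk03", False, True,  date(2014, 9, 1)),
    ("svc04",   True,  True,  date(2014, 8, 15)),
]

# Constructed vendor advisory list: (patch id, severity, release date)
AVAILABLE_PATCHES = [
    ("PATCH-2008-01", "critical",  date(2008, 3, 4)),
    ("PATCH-2010-05", "important", date(2010, 6, 1)),
    ("PATCH-2011-02", "critical",  date(2011, 2, 8)),
    ("PATCH-2014-09", "moderate",  date(2014, 9, 9)),
]
INSTALLED = {"PATCH-2010-05"}       # constructed: what the system actually has


def stale_passwords(accounts, as_of=AS_OF, max_age=MAX_PASSWORD_AGE_DAYS):
    """Accounts whose password is older than the policy limit.

    Returns (user, privileged, age_days, expiry_enforced) tuples, privileged
    accounts first and oldest passwords first within each group, so the
    super-user findings the report singles out land at the top.
    """
    findings = []
    for user, privileged, expiry_enforced, changed in accounts:
        age = (as_of - changed).days
        if age > max_age:
            findings.append((user, privileged, age, expiry_enforced))
    findings.sort(key=lambda f: (not f[1], -f[2]))
    return findings


def password_age_range(accounts, as_of=AS_OF):
    """(youngest, oldest) password age in days across the export; the figure the
    report quotes as '98 to 742 days'."""
    ages = [(as_of - changed).days for _, _, _, changed in accounts]
    return min(ages), max(ages)


def patch_backlog(available, installed, as_of=AS_OF):
    """Summarise the missing patches the way the report does: how many are
    missing, how many of those are critical, and how old the oldest one is."""
    missing = [p for p in available if p[0] not in installed]
    critical = [p for p in missing if p[1] == "critical"]
    oldest = max((as_of - p[2]).days for p in missing) if missing else 0
    return {
        "missing": len(missing),
        "critical": len(critical),
        "oldest_days": oldest,
        "ids": [p[0] for p in missing],
    }


if __name__ == "__main__":
    for user, priv, age, enforced in stale_passwords(ACCOUNTS):
        print(f"{user:8} privileged={priv} age={age}d expiry_enforced={enforced}")
    print("age range (days):", password_age_range(ACCOUNTS))
    print("patch backlog:", patch_backlog(AVAILABLE_PATCHES, INSTALLED))
```

On the constructed data the checks reproduce the shape of both findings: a privileged account with a 745-day-old password and no expiry enforced sorts to the top of the stale list, and the patch backlog shows three missing updates, two of them critical, the oldest released more than six years before the audit date.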
The Auditor-General’s report is found here, and the accompanying press release provides:
The Auditor-General is the external auditor of Victoria’s public sector entities, and has a legislated obligation to provide independent assurance to the Parliament about the financial status as well as the efficiency, effectiveness and economy of these entities.
This inaugural report summarises the results of our audits of public sector entities’ ICT general controls as part of the 2013–14 financial audits. This report is the first of its type by VAGO and aims to provide extra insight and visibility of our ICT-related audit findings, and also identify wider trends that may not be covered in the reports we give to an entity’s management.
Notwithstanding some deficiencies in ICT controls, VAGO was able to rely on these controls for financial reporting purposes because other mitigating controls were identified and tested. Most ICT audit findings were medium risk, with none ranked as an extreme risk. High-risk ICT audit findings are concentrated in a few ICT general controls categories.
The five themes identified through our ICT audits were:
- ICT security controls need improvement
- management of service organisation assurance activities requires attention
- prior-period audit findings are not being addressed in a timely manner
- patch management processes need improvement
- ICT disaster recovery planning is weak.
In future reports, we will perform detailed maturity assessments of selected entities’ ICT environments and examine some selected areas of focus, such as identity and access management, software licensing and wireless network security.