Security of Patients' Hospital Data
Recorded Presentation Transcript

Slide 1: Security of Patients' Hospital Data
Tabled 29 May 2019

This presentation provides an overview of the Victorian Auditor-General's report Security of Patients' Hospital Data.

Slide 2: Overview
• Public hospitals use information and communications technology (ICT) to deliver healthcare and to capture and store patient information
• Health services need to manage the risk of cyber attack, which could steal patient information and disable health services' ICT systems

Public hospitals are increasingly using information and communications technology (ICT) to deliver healthcare and to capture and store patient information. Digital records are valuable in improving patient care; however, health services need to manage the risk of a cybersecurity breach, which could steal patient information and disable health services' ICT systems, preventing staff from accessing patient information.

Slide 3: What we looked at
• We assessed whether health services are taking effective steps to protect patient data

In this audit, we assessed whether health services are taking effective steps to protect patient data.

Slide 4: Who we looked at
Health services
• Barwon Health
• Royal Children's Hospital
• Royal Victorian Eye and Ear Hospital
Departments
Department of Health and Human Services (DHHS) areas:
• Digital Health
• Health Technology Solutions

We audited Barwon Health, the Royal Children's Hospital and the Royal Victorian Eye and Ear Hospital. We also examined two different areas of the Department of Health and Human Services (DHHS), their Digital Health branch and Health Technology Solutions, and how they are supporting health services.

Slide 5: What we found
• Health service staff have low security awareness
• DHHS's Digital Health branch has developed common, health service specific cybersecurity standards
• Health services have not fully implemented needed security measures

DHHS's Digital Health branch has filled an important gap in the sector by developing common, health service specific cybersecurity standards and acting as the central point for advice and support. While Digital Health has developed a clear roadmap to improve security across the sector, health services have not fully implemented the security measures necessary to protect patient data. Our testing identified key weaknesses in health services' approach to data security, particularly in relation to staff awareness and network monitoring.

Slide 6: Cybersecurity at DHHS's Digital Health branch
• DHHS's Digital Health branch is supporting health services to improve cybersecurity
• Health services identify barriers to fully implementing security controls

DHHS's Digital Health branch works to improve cybersecurity in the sector by developing guidance materials, running awareness and training sessions, and funding ICT infrastructure upgrades. We found that DHHS's Digital Health branch has completed an effective program of work to improve health services' approach to data security. However, health services identify key barriers to fully implementing the controls, such as lack of cybersecurity staff and insufficient resources for ICT projects.

Slide 7: Effectiveness of data security in health services
• Health services are responsible for their cybersecurity
• All audited health services vulnerable to cyberattacks
• Most audited health services do not train staff in data security

While DHHS has developed a clear roadmap to improve cybersecurity, ultimately it is the responsibility of health services to implement those improvements. We conducted scenario-based penetration testing at the audited health services and found that all were vulnerable to attacks that could steal or alter patient data. Key weaknesses include inadequate user access controls, weak passwords and limited monitoring to detect suspicious behaviour on their ICT network. Additionally, we found that most audited health services do not train staff to recognise suspicious behaviour, or to practise basic security such as locking computers, not clicking on suspicious links, or protecting their security access passes.

Slide 8: Health Technology Solutions and vendor management
• Health Technology Solutions has not fully implemented Digital Health's cybersecurity controls
• Lack of health service oversight of vendor security management creates risks of security breaches

Health services typically store their patient data in applications hosted and secured by third-party vendors. However, health services remain responsible for protecting patient data and ensuring that vendors fulfil their security responsibilities. Health Technology Solutions is the key provider of outsourced ICT business systems to Victorian health services. Despite being part of DHHS, Health Technology Solutions has made no progress in implementing Digital Health's cybersecurity controls since they were introduced in March 2017 and has similar security weaknesses to Victorian health services. We also found issues with vendor management at two audited health services. At one health service, we gained access to patient data in a system managed by a third-party vendor. At another, we found confusion around whether the responsibility for data security sat with the third party or the hospital.
Slide 9: Recommendations
• 8 recommendations for DHHS
• DHHS is committed to working with Victorian health services to acquit these recommendations
• 9 recommendations for health services

We made eight recommendations for DHHS around continuing support for the Digital Health cybersecurity program and nine recommendations for health services. DHHS has committed to working with Victorian health services to acquit these recommendations.

Slide 10
For further information, please view the full report on our website: www.audit.vic.gov.au

For further information, please see the full report of this audit on our website, www.audit.vic.gov.au.