WA Health: No breaches of unencrypted COVID data means well managed and secure system | ZDNet



In a report on its Public Health COVID Unified System (PHOCUS) on Wednesday, the Auditor General of Western Australia drew state officials' attention to security vulnerabilities in IT systems used in the state.

PHOCUS is used within WA to record, track, and trace positive COVID cases in the state, and may include personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and drug description. The cloud system can also retrieve check-in information from the SafeWA app—which the auditor-general previously found WA Police was able to access—as well as flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage.

The report found that WA Health used encryption only in its test environment, was not able to tell whether malicious activity was occurring, and lacked a contract management plan with its vendor.

“WA Health did not keep logs of user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) of information were logged in the system, but WA Health did not monitor these logs for inappropriate activity,” the report said.

“WA Health will not know whether personal or medical information has been inappropriately accessed (viewed or edited by WA Health staff or their third party vendors).

“Following our audit inquiries, WA Health advised us that they have now implemented a process to monitor edit access (data changes), but due to perceived system performance issues, a process to log view access (to detect snooping) has not been implemented.”

The department also encrypted personal and medical information after the audit, increased data masking for all information in its test environment, and implemented a file upload declined list and brought a malware scanner online when the auditor-general found that potentially malicious files could be uploaded to the system.

“PHOCUS did not have any data loss prevention controls to prevent unauthorized sharing of personal and medical information, and WA Health did not monitor documents shared with outside and unauthorized parties.” The report states that poor controls have been in place, which could result in unauthorized disclosure of sensitive information and reputational damage to WA Health.

In addition, the report noted that WA Health’s third-party vendor had full access to the information in the production environment, which WA Health said was assessed and balanced against the need to build the system quickly; two administrator accounts were dropped from the previous vendor; and vendor contracts lacked “critical security requirements.”

In response to the audit, WA Health said that, due to the implementation of four other COVID-related systems at the same time, the issues were managed appropriately and balanced development speed, quality and resource demand.

The department said, “There has been no breach of confidentiality with respect to the system, continuous data cleaning and quality checks are carried out, no inaccuracies were found in management affecting the situation and no improper use of the system was recorded.

“This demonstrates the robustness of PHOCUS and that the data is well managed and secure.”

Related coverage

WA government allocates AU$25.5m to expand cyber security services

The Office of Digital Government’s cyber security unit will score additional personnel under the funding.

Auditor found that WA Police accessed SafeWA data 3 times and the app was erroneous at launch

WA Health released SafeWA check-in information for purposes other than COVID-19 contact tracing following six requests by police, despite a government message that the information be used only to support contact tracing.

WA’s Auditor General slams local governments over terrible cyber risk management

The use of outdated software came in for special treatment from the Auditor General of Western Australia, with one entity exposed to a 15-year-old vulnerability.

Western Australia rolls out digital to-do list in first roadmap release

The hard-fronted state is running 22 projects across 12 government agencies to move one step closer to achieving its full-fledged government digital strategy.

328 vulnerabilities found by the WA Auditor General in 50 local government systems

The computer systems of 50 Western Australian local government entities were examined and the results revealed 328 control vulnerabilities, 33 of which were deemed critical by the Auditor General.
