
The Western Australian Auditor General has once again called on government officials to address security vulnerabilities in the state’s IT systems, with a report on its Public Health COVID Unified System (PHOCUS) presented on Wednesday.
PHOCUS is used within WA to record and track positive COVID cases in the state and may contain personal information such as interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions and medication details. The cloud system can also draw information from the SafeWA check-in application – which the Auditor General had previously found that WA police had access to – as well as flight manifests, transit cards, business and customer files, G2G border crossing data and video surveillance records.
The report found that WA Health only uses encryption in its test environment, is unable to determine if malicious activity is occurring, and lacks a contract management plan with its provider.
“WA Health did not maintain log files for user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) of the information in the system were logged, but WA Health did not monitor these log files for inappropriate activity,” the report said.
“WA Health will not know whether personal or medical information is improperly accessed (reviewed or edited) by WA Health staff or their third-party providers.
“Following our audit inquiries, WA Health advised us that they had already implemented a process to monitor edit access (changes in data), but had not introduced a process to log view access (to detect eavesdropping) due to perceived performance issues of the system.”
After the audit, the department also encrypted personal and medical information, increased the masking of all information in its test environment, implemented a file upload deny list, and introduced an online malware scanner after the Auditor General found that potentially malicious files could be uploaded to the system.
“There was no data loss prevention control in place to prevent unauthorized sharing of personal and medical information in PHOCUS and WA Health did not monitor shared documents with external and unauthorized parties. Poor control can lead to unauthorized disclosure of sensitive information and damage to WA Health’s reputation,” the report said.
In addition, the report states that WA Health’s third-party provider had full access to information in the production environment, which according to WA Health was assessed and balanced against the need to quickly build the system; that two administrator accounts were left over from a previous provider; and that contracts with suppliers lacked “important security requirements”.
In response to the audit, WA Health said that due to the simultaneous deployment of four other COVID-related systems, the issues were properly managed and the speed, quality and resource requirements were balanced.
“There has been no breach of privacy with respect to the system, continuous data cleansing and quality control, no inaccuracies found affecting case management and no misuse of the system has been reported,” the department said.
“This demonstrates the stability of PHOCUS and that the data is well managed and protected.”
https://www.zdnet.com/article/wa-health-no-breaches-of-unencrypted-covid-data-means-well-managed-and-secure-system/#ftag=RSSbaffb68