WA Health: No breaches of unencrypted data COVID means a well-managed and secure system

the city of Perth

Image: Getty Images

The Western Australian Auditor General has once again given government officials to address security vulnerabilities in the state’s IT systems with a report on its unified public health system, COVID (PHOCUS), presented on Wednesday.

PHOCUS is used within the WA to record and track and track positive COVID cases in the state and may contain personal information such as interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions and medication details. The cloud system can also draw information from the SafeWA check-in application – which the chief auditor had previously found that WA cops had access to – as well as flight manifests, transit cards, business and customer files, G2G data transfer border and video surveillance records.

The report found that WA Health only uses encryption in its test environment, is unable to determine if malicious activity is occurring, and lacks a contract management plan with its provider.

“WA Health did not support log files for user access” review “to information in PHOCUS. Only “edits” (changes or deletions) of the information in the system were registered, but “WA Health did not monitor these log files for inappropriate activity,” the report said.

“WA Health will not know whether personal or medical information is improperly accessible (reviewed or edited by WA Health staff or their third-party providers).

Following our audit inquiries, WA Health advised us that they had already implemented a process to monitor access to editing (changes in data), but had not introduced a process to access the journal review (to detect eavesdropping) due to perceived performance issues. of the system. ”

The department also encrypted personal and medical information after the audit, increased the masking of all information in its test environment and implemented a file upload refusal list, and introduced an online malware scanner once the chief auditor found that potentially malicious files could to be uploaded to the system.

“There was no data loss prevention control in place to prevent unauthorized sharing of personal and medical information in PHOCUS and WA Health did not monitor shared documents with external and unauthorized parties. Poor control can lead to unauthorized disclosure of sensitive information and damage to WA Health’s reputation, the report said.

In addition, the report states that the third-party provider WA Health had full access to information in the production environment, which according to WA Health was assessed and balanced against the need to quickly build the system; two administrator accounts left over from a previous provider; and contracts with suppliers lacked “important security requirements”.

In response to the audit, WA Health said that due to the simultaneous deployment of four other COVID-related systems, the issues were properly managed and the speed, quality and resource requirements were balanced.

“There has been no breach of privacy with respect to the system, continuous data cleansing and quality control, no inaccuracies found if the condition affects management and no misuse of the system has been reported,” the department said.

“This demonstrates the stability of PHOCUS and that the data is well managed and protected.”

Connected coverage

WA government allocates A $ 25.5 million to expand cybersecurity services

The Cybersecurity Department of the Digital Government Office will recruit additional staff as part of the funding.

The auditor found that WA police had access to SafeWA data 3 times and the application was defective at startup

WA Health released information on SafeWA registration for purposes other than tracking contacts with COVID-19, with six requests made by police despite government announcements that the information would be used only to assist in tracking contacts.

The WA’s chief auditor is enticing local authorities with horrific cyber risk management

The use of outdated software was subject to special treatment by the Auditor General of Western Australia, and one person was vulnerable to a 15-year vulnerability.

Western Australia presents a digital to-do list in the first edition of the roadmap

The hard-line state is implementing 22 projects in 12 government agencies to bring it one step closer to achieving its overall digital strategy.

328 weaknesses identified by the WA Auditor General in 50 local government systems

The computer systems of 50 local government units in Western Australia were examined and the result was the discovery of 328 control weaknesses, 33 of which were considered significant by the Auditor General.

Exit mobile version