The Victorian government plans to invest a total of AU$30 million to upgrade and modernise the IT infrastructure of 28 of the state’s hospitals and health services in a bid to guard against further cyber attacks.
The AU$30 million will be divided amongst hospitals across Melbourne and regional and rural health services. Melbourne hospitals will receive a majority share of nearly AU$22 million, while the remaining AU$8 million will be split between regional and rural health services.
To be delivered as part of the state government’s Clinical Technology Refresh program, the funding will be used specifically to replace older servers and operating systems with new infrastructure.
The state government touted the new infrastructure will reduce IT outages, improve network speed, support the rollout of Wi-Fi at the bedside of patients, as well as enable the loading and viewing of high resolution medical imaging, telehealth, and access to clinical support and pathology results from other hospitals.
“We are helping hospitals and health services across Victoria upgrade computers and IT infrastructure to strengthen reliability and cybersecurity,” Victorian Minister for Health Martin Foley said. “This is about protecting our health services from cyber attacks.”
Last month, surgeries operated by Eastern Health in Victoria were forced to cancel some patient appointments after experiencing a “cyber incident”.
Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals, and has many more facilities under management.
In a statement, Eastern Health said it took many of its systems offline in response to the incident.
“Many Eastern Health IT systems have been taken off-line as a precaution while we seek to understand and rectify the situation,” it said.
“It is important to note, patient safety has not been compromised.”
Back in 2019, a similar incident affecting Victoria’s hospitals occurred, which resulted in them disconnecting themselves from the internet in an attempt to quarantine a ransomware infection.
At the time, the Victorian Department of Premier and Cabinet revealed the impacted hospitals were in the Gippsland Health Alliance and the South West Alliance of Rural Health.
The incident occurred shortly after the Victorian Auditor-General’s Office (VAGO) labelled the state’s public health system as highly vulnerable to cyber attacks, with a report flagging that security weaknesses within the Department of Health and Human Services’ (DHHS) own technology arm are increasing the likelihood of a breach in 61% of the state’s health services.
“There are key weaknesses in health services’ physical security, and in their logical security, which covers password management and other user access controls,” VAGO wrote. “Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.”
In its audit, VAGO probed three health providers — Barwon Health, the Royal Children’s Hospital, and the Royal Victorian Eye and Ear Hospital — and examined how two different areas of the DHHS — the Digital Health branch and Health Technology Solution — provide health services in the state.
In probing the health services, VAGO said it was also able to access accounts, including admin ones, using “basic hacking tools”. The accounts had weak passwords and no MFA.
“All the audited health services need to do more to protect patient data,” the report said. “We also found that health services do not have appropriate governance and policy frameworks to support data security.”