
‘Systematic non-compliance’: NSW Health at potential risk of cyber security threats, audit finds

NSW Health is under fire after a report from the Audit Office of NSW found major non-compliance with cyber security requirements, as well as poor management of cyber security risks, in NSW hospitals.

Bethany Alvaro, Wed, 07 Jan 2026

The Cyber security in Local Health Districts (LHDs) report examined four LHDs: one metropolitan, one outer-metropolitan and two regional. The audit was made public in late December last year, but had been delivered to NSW Health in July.

The audit found that three of the four LHDs did not have a cyber security plan in place, only two of the four had used desktop exercises to test their cyber security response plans, and the plans at all four LHDs were “not fit-for-purpose”.

None of the LHDs had implemented the NSW Cyber Security Policy (2019), which requires state bodies to “establish, implement and maintain controls” across the ICT and cyber domain. The report found that this leaves NSW Health poorly placed to respond to a cyber attack on patient data.


According to the report, “NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in local health districts”.

“Systemic non-compliance with NSW government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that local health districts could not demonstrate that they are prepared for, or resilient to, cyber threats,” it said.

“This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information.”

Observations of healthcare workers carried out as part of the audit found a culture in which non-compliance with ICT and cyber security policies had become normalised.

“Despite known systemic non-compliance by clinical staff, the audited local health districts have not assessed the effectiveness of the controls they have put in place, nor have they identified any alternatives that might balance the need for clinical urgency with effective cyber security practices,” the report said.

The report made a range of recommendations, including that LHDs should design and implement effective cyber risk management frameworks that address cyber controls, security response plans, the balance between cyber security and clinical needs, and the causes of the evident widespread non-compliance.
