92 per cent of Western Australian Government agencies have been found to have ICT security issues according to a new audit report by the Auditor General, Colin Murphy.
The report found that flaws in data storage and system controls meant that many information systems were not meeting basic security benchmarks for the second year in a row.
“This result suggests a lack of understanding and implementation of good information security practices,” Murphy states in the report.
In fact the 2013 report found things were worse than in 2012, with 56 per cent of agencies having security issues so severe that they failed to meet the benchmark for effectively managing information security, up from 50 per cent in the previous year.
Of particular concern was the Department of Health whose Emergency Department Information System (EDIS) and Hospital Morbidity Data System (HMDS) revealed no preventative and detective controls to limit unauthorised access and data leakage.
The audit found that the EDIS does not require validation of the identity of each person making clinical data entries and that activity in the system cannot be traced back to specific staff members. The report recommended that there be a review of controls for logging and monitoring access systems.
The HMDS was found to be using insecure methods to transfer patient information from hospitals. Private hospitals were transferring patient information via USB and public hospitals were using insecure file transfer protocol. There were also data mismatches found between the HMDS and the public healthcare system HCARE due to there being no process in place to ensure updates are applied.
The Auditor General recommended that WA hospitals, both private and public, implement encryption or secure web access to ensure the security of data transfer. They also recommended a review of the synchronisation between the HMDS and HCARE systems. All of these findings were accepted by WA Health and action is already underway to address some of the identified issues.
The other system with alarming information security issues, according to the Auditor General, was the Firearms Management System (FMS). Due to poor data management, 300 people who had been deemed unfit to hold a firearms licence were still listed in the system as having firearms. The audit found some firearms had been seized but the seizure had not been recorded in the system. It was recommended that the logging and monitoring of data be reviewed immediately.
The overarching recommendations of the WA audit report were to:
- Establish standard policies and procedures to improve management of IT Operations;
- Identify, address and manage IT risks as a core part of business activity;
- Ensure good information security practices are implemented and maintained;
- Ensure change processes for computer systems are well developed and consistently followed; and
- Develop physical control mechanisms to prevent unauthorised access or accidental damage to ICT infrastructure and systems.
Information security was also marked as an issue in the 2012 NSW annual audit where 24 per cent of all problems were related to an absence of or weak processes surrounding user accounts, meaning that user activity was not being monitored.
In his report to parliament earlier this year, Auditor-General Peter Achterstraat noted a 12 per cent rise in the average number of information systems audit issues since 2011. A Digital Information Security Policy was introduced within the 2012 NSW ICT Strategy, a policy that the Auditor-General plans to review this year.
WA and NSW join Queensland and Victoria in recently reporting IT security concerns across their information systems.
Queensland addressed the problem of information security in their 2013-16 Strategic Audit Plan stating a key objective as assessing the level of secure protection for information system access and to ensure that all access points are managed using enterprise management tools. The Victorian Audit Office is currently completing a report testing the effectiveness of ICT control and standards within the public sector.