--- Begin Message ---
Auditor says:
> "... clinical staff ... perceive a tension between the urgency of
clinical service delivery and the importance of cyber security policies"
[ The public very much hopes that clinical decisions are made by people
with suitable expertise, taking adequate care, using relevant
information, and in an appropriate timeframe.
[ Yes, there are unjustifiably loose practices, particularly where a
clinician abuses their access privileges, such as:
> ... patient data ... being saved to clinicians’ own devices, outside
of clinical systems ...
[ But a great deal of what's reported below is a sign of systems that
are of necessity complex and diverse, but that are inadequately
designed or adapted to the needs of patients and clinicians.
NSW Health clinicians "normalise" bypass of cyber security controls
In the name of "clinical urgency".
Ry Crozier
itNews
Dec 19 2025 11:56AM
https://www.itnews.com.au/news/nsw-health-clinicians-normalise-bypass-of-cyber-security-controls-622666
Clinicians at local health districts in NSW routinely dodge cyber
security controls, saving data to their own devices and staying logged
in on shared computers to support “clinical urgency”, an audit has found.
The NSW audit [pdf] offers a concerning glimpse into cyber security
planning and practices in the NSW health system.
The health sector consistently experiences the most data breaches of any
industry vertical in Australia, according to federal statistics.
The NSW audit examined four of the state’s 15 local health districts or
LHDs.
None were found to have “effective cyber security plans” or “cyber
security response plans”, nor did their disaster recovery and business
continuity plans “consider cyber security risks”.
The cyber security plans were found to be “outdated, of poor quality and
not fit-for-purpose.”
Perhaps more concerning, however, is the “normalisation of
non-compliance with cyber security controls”.
“Local health districts operate within a culture of clinical urgency,
where the time critical treatment of patients takes precedence,” the
audit states.
“In all audited local health districts, critical cyber security controls
are not consistently applied by clinical staff who perceive a tension
between the urgency of clinical service delivery and the importance of
cyber security policies.”
The audit found that patient data was being saved to clinicians’ own
devices, outside of clinical systems.
“Despite implementing rules for clinicians not to save and host patient
information on their own devices outside of clinical systems, clinicians
often did so,” the audit found.
“Further, some clinicians uploaded patient information to unsecured
systems and applications.
“Local health district ICT staff advised that it is difficult to raise
this issue directly with the clinical staff engaging in these practices
because of siloed environments and management structures between
clinical and operational staff, and a lack of understanding of the risks
involved.”
Data is also shared via fax or email – often due to a lack of options.
In addition, clinical staff often stay logged into computers that are
then left unattended.
While time pressures play a part in this, the audit found it is a
complex issue exacerbated by reliance on older technology and complex,
distinct passwords.
“For clinical staff, who move between clinical spaces and use multiple
systems while providing services to patients, logging in and out of
computers and devices is a frequent requirement,” the auditor found.
The process of logging in and out of devices and systems could take
place several times over short durations, the auditor said.
"This is cumbersome and disruptive because it interrupts their clinical
processes and forces them to stop and re-start their tasks.
“Additionally, audited local health district staff reported that some
clinical systems can be slow and require long and complicated passwords
that can add even more time to the process of logging in and out of
systems while providing clinical care. As a result, staff regularly do
not log out of systems.”
Running lean
While the districts are supported by eHealth NSW, the audit identified
“a lack of support, coordination and oversight … in cyber security
matters” from the central health ICT agency, resulting in confusion at
the local health district level.
Additionally, the auditor said that neither eHealth NSW nor the
districts met “benchmark spending” on cyber security.
This appears in part to be a funding issue, with districts being asked
to “uplift” controls “using existing funds”.
“Most local health districts in NSW reported to the review that they
have one full-time equivalent staff member dedicated to cyber security.
However, some larger districts have more staff in this area and a few
local health districts share cyber security resources,” the auditor wrote.
“Local health districts spent on average $421,000 on cyber security in
2023–24 or about two percent of ICT expenses.”
Protecting the "crown jewels"
Some 41 systems have been identified as “crown jewels” across NSW
Health, but the auditor found not all of these systems were treated equally.
Logs for some – but not all – systems were fed to a health security
operations centre.
“Some crown jewel systems do not receive the same level of monitoring as
other important health systems,” the auditor wrote.
“This increases the risk of a successful cyber attack that could affect
clinical service delivery.”
Uplift underway
In a letter dated late June of this year, NSW Health secretary Susan
Pearce said that a taskforce had been established to drive cyber
security reforms and “capability uplift”.
Pearce also said that an “uplift program” had been initiated to improve
resilience and compliance with both NSW and federal cyber security
rules, including the Security of Critical Infrastructure (SOCI) laws.
--
Roger Clarke mailto:[email protected]
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow UNSW Law & Justice
Visiting Professor in Computer Science Australian National University
--- End Message ---
_______________________________________________
apf-media-archive mailing list
[email protected]
https://lists.privacy.org.au/mailman/listinfo/apf-media-archive