The Auditor-General of Western Australia has once again given state authorities a whack for security weaknesses in IT systems used in the state, with a report on its Public Health COVID Unified System (PHOCUS) tabled on Wednesday.
PHOCUS is used within WA to record and track and trace positive COVID cases in the state, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud system can also draw information in from the SafeWA app on check-ins — which the Auditor-General previously found WA cops were able to access — as well as from flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage.
The report found WA Health only used encryption in its test environment, was not able to tell if malicious activity was occurring, and lacked a contract management plan with its vendor.
“WA Health did not keep logs of user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) to information in the system were logged but WA Health did not monitor these logs for inappropriate activity,” the report said.
“WA Health will not know if personal or medical information is inappropriately accessed (viewed or edited by WA Health staff or their third party vendors).
“Following our audit enquiries, WA Health advised us they have now implemented a process to monitor edit access (data changes), but had not implemented a process to log view access (to detect snooping) due to perceived system performance issues.”
The department also encrypted personal and medical information after the audit, increased data masking to all information in its test environment, and implemented a file upload denylist and brought a malware scanner online after the Auditor-General found potentially malicious files could be uploaded to the system.
“There were no data loss prevention controls in place to prevent unauthorised sharing of personal and medical information in PHOCUS, and WA Health did not monitor documents shared with external and unauthenticated parties. Poor controls can result in unauthorised disclosure of sensitive information and reputational damage to WA Health,” the report said.
Further, the report said WA Health’s third-party vendor had full access to the information in the production environment, which WA Health said was assessed and balanced against the need to build the system quickly; two administrator accounts were left over from a previous vendor; and vendor contracts lacked “important security requirements”.
In response to the audit, WA Health said due to implementing four other COVID-related systems at the same time, the issues were appropriately managed and balanced development speed, quality, and resource demands.
“No breach of privacy has occurred in relation to the system, continuous data cleansing and quality checking is undertaken, no inaccuracies in case status impacting management were found and no inappropriate use of the system was recorded,” the department said.
“This demonstrates the robustness of PHOCUS and that the data is well managed and secure.”
The Office of Digital Government’s cybersecurity unit will score additional personnel under the funding.
WA Health released SafeWA check-in information for purposes other than COVID-19 contact tracing, with six requests being made by the police despite government messaging that the information would only be used to support contact tracing.
Usage of out-of-date software came in for special treatment from the Western Australia Auditor-General, with one entity vulnerable to a 15-year vulnerability.
The hard border state is running 22 projects across 12 government agencies to get it a step closer to achieving its whole-of-government digital strategy.
The computer systems of 50 Western Australian local government entities were probed and the result was the finding of 328 control weaknesses, with 33 considered as significant by the Auditor-General.