https://www.smh.com.au/national/nsw/sensitive-nsw-medical-records-at-risk-of-falling-into-hackers-hands-damning-leak-reveals-20250619-p5m8u4.html

A leaked NSW Audit Office report has revealed that the state’s public hospitals are failing to meet basic cybersecurity standards, leaving sensitive medical records and essential healthcare systems vulnerable to hackers despite taxpayers spending $40 million annually on cybersecurity measures. The draft performance audit found that none of the four local health districts assessed met minimum requirements outlined in the NSW government’s 2019 cybersecurity policy, with “systemic non-compliance” across the health system. The auditors discovered that districts lacked effective response and disaster recovery plans, potentially hampering incident responses and affecting patient service delivery during cyberattacks.

The audit report highlighted that NSW taxpayers spent $39 million on health system cybersecurity in the last financial year, with costs projected to rise to $59 million next year and $64 million by 2030. Despite this significant investment, the report concluded that local health districts were “ill-prepared to respond” to potential attacks and warned that “a preventable cybersecurity incident could disrupt access to healthcare services and compromise the security of sensitive patient information.” The auditors recommended immediate action, including gathering compliance information by the end of June and developing enhanced cybersecurity risk management protocols by December.

The findings come amid a surge in healthcare cyberattacks across Australia, with the sector remaining the most targeted industry in 2024. Recent high-profile incidents include the MediSecure attack that exposed data from 12.9 million Australians, making it one of the largest breaches in Australian history, and attacks on Victoria’s Epworth and Royal Melbourne hospitals, Genea fertility clinic, and major health insurers like Medibank. Cybersecurity experts warn that healthcare providers have become prime targets due to the sensitivity of their data and the genuine risk to life when health systems are disrupted, with criminals employing “harm maximisation” strategies to pressure victim organisations into paying ransoms.