It is in Australia.
An Australian government audit of information security at government agencies cited weak security controls and practices in the country's healthcare sector, putting patients' data at high risk of cyber attacks.
Australia has a hybrid national public and private healthcare system in which a government program, Medicare, pays for some medical expenses - such as care provided in a public hospital - with optional private insurance policies available to help pay for costs not covered by Medicare.
Many of the security weaknesses identified - including in access and ID management practices and user awareness - are similar to the findings of U.S. government watchdog agencies in their security audits of the U.S. Department of Health and Human Services as well as U.S. Medicare and Medicaid healthcare providers and contractors.
The report hinted that the healthcare sector across the world faces the same challenges.
Keeping staff aware of everything they need to know that could potentially hurt them or the organization is a challenge. Growing third-party risks, the exponential spread of devices, and the implementation of electronic medical records that allow information to be shared with, and accessed by, a wider network of people all make healthcare a very attractive target surface for cybercriminals who understand how hard it is to secure everything.
The audit found that:
the network for the public health system in Australia is highly vulnerable to the kind of cyber attacks recently experienced by the health services in England and in Singapore, which resulted in stolen or unusable patient data and disrupted hospital services;
the audited health services are not proactive enough and do not take a whole-hospital approach to security that recognizes that protecting patient data is not just a task for their IT staff;
health services agencies 'rarely used' multi-factor authentication (MFA) for healthcare staff, information and communications technology worker, and administrator accounts, as they viewed it as something that interferes with workflow or convenience; and
many of these agencies were still using default account names and passwords on key devices, including servers.
We honestly believe our public health sector faces the same issues as those highlighted by the audit of the Australian health system. It is time some honesty prevailed and serious consideration was given to evaluating the cyber resiliency of our public health sector.