A billion-dollar project to streamline the online medical records of NSW patients has received a fail mark on its cybersecurity measures just months before it is due to be rolled out.
The NSW government is spending a minimum $969 million on consolidating the state’s fragmented and outdated IT platforms into one secure and universal system called the Single Digital Patient Record.
But a leaked review, seen by this masthead, found the authority charged with its implementation was lagging other government agencies in its readiness to prevent and respond to cyber threats.
The authority scored 1.66 out of a possible 3 on its cyber risk management, well below the score of 2 considered the minimum benchmark for all NSW government agencies.
The agency was marked on the “essential eight” cyber management strategies developed by the Australian Signals Directorate, which oversees the nation’s efforts to improve cybersecurity.
The review noted the authority had improved its security management systems in the areas of governance, training, incident response, and business continuity. But it found “relatively low adoption” of protection capabilities, software management, secure configuration, account monitoring, and recovery practices.
The system is set to go live in the Hunter New England Local Health District and Justice Health in March – the first of five stages in a three-year roll-out.
Northern Sydney, Central Coast, Mid North Coast and Northern NSW health districts will be the next to transition to the software in late 2026. All other health districts, including the Sydney Children’s Hospital Network, will use the system by mid-2028.
A NSW Health spokesman said the system would undergo a series of rigorous cybersecurity assessments before it goes live.
“We are continuously strengthening these measures to ensure a proactive, resilient approach to emerging risks in this quickly evolving landscape,” he said.
The review raises more questions about cybersecurity efforts at NSW Health after another leaked report, revealed by this masthead in June, found the state’s public hospitals were failing to meet basic cybersecurity standards.
The initiative – already one of the most expensive technology overhauls in the state’s history – also faces the likelihood of cost overruns. The Audit Office of NSW has found the business case for the platform “did not adequately consider all project costs”.
Auditor-General Bola Oyetunji found the initial business case was not supported by accurate documentation and that estimated running costs “lacked sufficient or reliable evidence”.
The NSW Health spokesman said global supply chain disruption and rising operational expenses had increased the cost of delivering the program since the business case was developed during the COVID-19 pandemic.
The state’s patchwork of health data systems has long been slated for an overhaul, including in recommendations from coronial inquests.
In 2021, Deputy State Coroner Derek Lee recommended NSW Ambulance, NSW Health and GP bodies work on a new synchronised medical record system, after finding the inaccurate transfer of information from an ambulance to an emergency department contributed to the 2016 death of three-year-old Caitlin Cruz from influenza.

