1 Deficiencies in basic security measures against cyber attacks
Risk: failure to protect data from external intruders
There are gaps in the regions’ basic security measures against cyber attacks. Rigsrevisionen finds it particularly critical that almost all the approximately 27,000 people employed by the Region of Southern Denmark have local administrator privileges. This practice entails a significant risk that external intruders abuse the privileges of staff to gain access to and compromise IT systems and health data. The operating systems on a large number of computers in the Central Denmark Region and the Capital Region of Denmark are outdated and no longer security updated, which exposes the two regions to increased risk of cyber attacks.
2 Need to monitor the use of privileged user access rights
Risk: abuse of access to IT systems and health data
Generally, the three regions need to improve their management and monitoring of staff with administrator privileges, for instance by reviewing the requirement to hold privileged accounts regularly. The fact that none of the three regions in the study have limited access to the internet when staff login with administrator privileges or restricted download of software to the extent necessary, increases the risk that staff, unintentionally, download malicious software that infects the IT systems and threatens health data.
During the audit, Rigsrevisionen detected passwords for system and service accounts in the Capital Region of Denmark and the Region of Southern Denmark that had not been changed for a very long time; some were six to nine years old and did not meet best-practice requirements for minimum number of characters in passwords. This increases the risk of internal and external abuse of access to IT systems and data. However, the study shows that the three regions are all focusing on limiting the number of system and service accounts with administrator privileges.
3 Inadequate logging
Risk: inability to detect and track cyber attacks and abuse of user privileges
The logging systems implemented in the 3 regions are inadequate. Failure to log online activity makes it difficult or impossible for the regions to detect and track cyber attacks and abuse of user privileges. The Capital Region of Denmark is not reviewing log files systematically, and the Central Denmark Region has not implemented any of the three logging practices examined, despite the fact that the region has developed a logging policy.
The regions are responsible for running the Danish hospitals and thus also responsible for protecting sensitive health data. The regions are required to secure not only the confidentiality of health data, but also their availability and reliability so that the patients can receive timely and appropriate treatment. The regions therefore need to protect health data from falling into the wrong hands.
The threat against the regions’ IT systems and data is growing in pace with the expansion of e-government in the regions and society in general, and so are the requirements for effective cyber-security systems. External intruders represent a threat to the regions, but so do staff in the regions if they intentionally or unintentionally abuse their access to IT systems and data.
The regions should therefore have basic security measures in place as protection against hacking and, at the same time, manage and control staff’s access to IT systems and data. The latter applies, in particular, to staff with user privileges that give them full access to and control of the IT systems, because an intruder may gain the same access and control by taking over their privileges.
This report concerns the measures taken by three of the five Danish regions – Region of Southern Denmark, the Central Denmark Region and the Capital Region of Denmark – to protect access to the citizens’ personal health data. Rigsrevisionen initiated the study based on IT audits conducted during the first six months of 2017.
The objectives of the study is to assess whether the three regions are protecting access to their IT systems and data in a manner that secures the confidentiality, availability and reliability of the citizens’ personal health data.