Report 15: 2021-22

COVID-19 Contact Tracing System – Application Audit

Information systems audits focus on the computer environments of entities to determine if these effectively support the confidentiality, integrity and availability of information they hold.

Auditor General’s overview

My August 2021 audit report[1] on the SafeWA application explained that to fully understand the application’s information security risks, I also needed to review WA Health’s Public Health COVID Unified System (PHOCUS). PHOCUS collates highly sensitive personal and medical information of COVID-19 positive individuals, and their close and casual contacts, from multiple sources for contact tracing purposes. This report summarises findings from our audit of PHOCUS.

COVID-19 has presented various challenges for State government entities responsible for planning and responding to the pandemic. The implementation of PHOCUS, WA Health’s technology solution to record positive cases (from PCRs and RATs) and trace people exposed to COVID-19, is one such response. WA Health developed and implemented PHOCUS in tight timeframes and in the face of a shifting landscape. The system continues to play a significant role to support WA Health’s contact tracing efforts.

I expected to find robust access controls for this system given the sensitive nature of information it contains, and the consequences to people’s privacy, freedom of movement and public health measures, if the information is inappropriately accessed or altered. However, our audit found a number of significant weaknesses.

I am concerned that the security and privacy of people’s highly sensitive medical and personal information has not been protected to the extent the community has a right to expect. WA Health does not adequately log and monitor who has accessed information to detect inappropriate changes or snooping, and has provided an external vendor with inappropriate access to personal and medical information. In the absence of comprehensive privacy legislation in our State, WA Health must ensure their privacy practices protect the confidentiality of information stored in PHOCUS and are consistent with the Commonwealth Privacy Act 1988. Similar concerns were raised in my SafeWA – Application Audit report[2].

Also concerning is that WA Health has told the community little about the types of personal and medical information PHOCUS collects (about positive cases, close and casual contacts, and travellers) to support contact tracing, and that this information is stored indefinitely. This lack of transparency can lead to unintended consequences, including erosion of trust in government institutions.

It is encouraging that WA Health prioritised and addressed many of the audit’s findings during the audit and has agreed to all recommendations. Our recommendations will help to protect, not only information in PHOCUS, but future information, if the system is used for other diseases. In any emerging crisis, government responses should consider impacts on trust and confidence in government and the importance of upholding the universal human right to information privacy.

Introduction

This audit assessed WA Health’s COVID-19 contact tracing application, the Public Health COVID-19 Unified System (PHOCUS). We reviewed key controls and processes to obtain reasonable assurance that the confidentiality, integrity and availability of information generated by and stored in PHOCUS was appropriate, including controls over access by third party vendors and their staff. We performed our audit testing between September 2021 and March 2022.  

This audit follows our August 2021 report, SafeWA – Application Audit[3]. In that report we noted that we were not able to review the information security risks associated with SafeWA without looking at PHOCUS and would prepare a separate report to Parliament on PHOCUS.

Background

In response to the COVID-19 pandemic, Health Support Services (HSS), on behalf of WA Health, engaged third party vendors to implement PHOCUS in April 2020. The system was delivered under significant time pressures along with other COVID-related IT solutions, and after an assessment that existing systems were not suitable. WA Health also performed a security assessment of PHOCUS in October 2020 and addressed the identified weaknesses in late 2021.

PHOCUS is a cloud-based application, which collates information from multiple sources for COVID-19 positive individuals and their close and casual contacts for contact tracing. Figure 1 shows some of the information sources.

Source: OAG
Figure 1: PHOCUS accesses and stores data from a variety of sources

WA Health surveillance officers use PHOCUS to carry out positive case and contact interviews, daily monitoring of symptoms and to arrange testing. PHOCUS stores all actions associated with COVID-19 positive individuals, including case interviews, phone calls, text messages, emails and legal documents. Appendix 1 shows the minimum personal information collected from case interviews and stored in the system. This includes an individual’s pathology results, exposure history, symptoms and existing medical conditions. It may also include details of medications and other personal information provided by the individual to WA Health or recorded in case notes.  

As at March 2022, PHOCUS held information about 128,600 positive people, 41,400 close and casual contacts, and 50,400 travellers.

By May 2022, WA Health had spent over $2.8 million for PHOCUS development, support and cloud infrastructure (including automation enhancements so WA Health can re-use PHOCUS for other infectious diseases).

Conclusion

PHOCUS continues to play an important role in supporting WA Health’s COVID-19 contact tracing efforts. However, WA Health has provided limited information to the community about what personal information they collect, including from other government and non-government entities, to help with contact tracing. They need to improve controls to effectively protect the confidentiality of people’s personal and medical information stored in PHOCUS. In the absence of State privacy legislation, and consistent with the Commonwealth Privacy Act 1988, people have a right to expect that WA Health will protect the privacy of their information. In so protecting, WA Health will build trust and confidence in government and uphold the universal human right to information privacy.

A third party vendor has unnecessary and excessive access to people’s personal and medical information that was not encrypted[4] or masked to reduce the risk of unauthorised access and disclosure. Further, the lack of data access logs and monitoring means WA Health would not know if information had been inappropriately accessed or by whom. This is of significant concern as inappropriate changes to a person’s COVID-19 status in the system could result in incorrect decisions about whether or not they need to isolate, with consequential social and economic impacts.

Contracts with third party vendors lack important security requirements, which present risks to the confidentiality and integrity of personal and medical information in PHOCUS. WA Health’s oversight of their main PHOCUS vendor is not informed by a contract management plan. This may impact decision-making about the extent and nature of ongoing support for the system. 

WA Health has continued to address weaknesses identified during the audit. This includes automation of inefficient manual data handling processes, encryption and masking of personal and medical information, logging and monitoring of user accounts and profiles, and inclusion of security breach disclosure requirements in vendor contracts.

Findings

WA Health uses personal information from various sources but has not clearly communicated this to the community

There is limited information available to the community that WA Health uses personal information from a variety of sources, including information initially collected by other State entities for different purposes, to support contact tracing (Figure 1), and stores it indefinitely. This includes information about positive cases, identified close and casual contacts, and travellers. Lack of transparency about the variety of information accessed (and from which sources, including government entities) to assist in contact tracing efforts could erode public trust in government institutions. 

WA Health decides what information sources to access to help with contact tracing. For example, they used CCTV footage on a case by case basis and obtained Transperth SmartRider data between December 2021 and January 2022 during the ‘backpacker Mess Hall Delta outbreak’.[5] Information about travellers into WA was consistently recorded in PHOCUS throughout the pandemic so that WA Health could monitor their quarantine status and COVID-19 symptoms.

We previously raised a related transparency issue in our SafeWA – Application Audit report[6] in August 2021. During that audit we identified that the WA Police Force had accessed venue check-in data for policing purposes, contrary to the publicly stated purpose of the data only being used for contact tracing. Legislation was subsequently amended to prevent this from recurring with SafeWA data. However, the WA Police Force has also acknowledged it accessed G2G Pass data on 22 occasions during serious investigations using their policing access rights.[7]

WA Health needs to improve controls to effectively protect personal and medical information in PHOCUS

We expected to find robust access controls for this system given the sensitive nature of information it contains, and the consequences to people and public health contact tracing efforts if the information is inappropriately accessed or altered. We found a number of significant weaknesses, as outlined below, that must be addressed to protect the information in PHOCUS and for any future use of the system for other diseases.

External vendor has ongoing access to personal and medical information

WA Health granted a third party (non-clinical) software vendor full access to information in the PHOCUS production environment. This includes people’s identifiable medical information and conditions such as asthma, liver disease, cardiac disease, pregnancy and medications (Appendix 1), and other information provided during case interviews. While WA Health approves third party access, it is good practice to limit access to sensitive information and only provide software vendors just-in-time[8] access and, where appropriate, access only to masked data in non-production environments. This reduces the risk of unauthorised use and disclosure of personal and medical information. WA Health advised us they had assessed and balanced the risks of ongoing vendor access to medical information against the need to develop the system quickly.

Data encryption and masking was not used to protect personal and medical information

WA Health only encrypted data in PHOCUS’ test environment. The production database, accessible to PHOCUS contractors and a third party vendor, did not use encryption to protect personal and medical information (for example, names, dates of birth and medical histories). The confidentiality of information may be compromised when appropriate database security controls are not in place. This could result in inappropriate disclosure of information and reputational damage to WA Health. During the audit, and following audit enquiries, WA Health implemented encryption of personal and medical information in the production environment.

Although some information was masked[9] in the test environment, information captured by the G2G application was not. As a result, users could access travel information, which included personally identifiable information. It is better practice to mask information in test environments to reduce the risk of its unauthorised access and disclosure. Following audit enquiries, WA Health implemented masking of all information in PHOCUS’ test environment.

Access to personal and medical information is not adequately logged

WA Health did not keep logs of user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) to information in the system were logged but WA Health did not monitor these logs for inappropriate activity. WA Health will not know if personal or medical information is inappropriately accessed (viewed or edited by WA Health staff or their third party vendors). Malicious activity may go undetected if access to information is not adequately logged and monitored. Following our audit enquiries, WA Health advised us they have now implemented a process to monitor edit access (data changes), but had not implemented a process to log view access (to detect snooping) due to perceived system performance issues, and their staff remained bound by the Acceptable Use of Information and Communications Technology Policy.

Former vendor’s access was not revoked

Privileged access rights to PHOCUS were not revoked in line with WA Health’s requirements. Two system administrator accounts, belonging to a former third party vendor, could be used to gain access to both the production and test environments more than 12 months after the end of the vendor contract. This is because the accounts were still linked to the vendor’s email address and could be used to reset those account passwords. Following audit enquiries, WA Health assessed the impact on PHOCUS availability and removed the vendor’s email address. WA Health also informed us that their internal review did not find any emails sent to these addresses.

There is an increased risk of unauthorised access and changes to the PHOCUS system if accounts of former users are not revoked. WA Health’s User Access & Password Standard requires users (privileged and non-privileged) who resign or are terminated to have their account access immediately revoked. During the audit WA Health implemented an access review process to deactivate PHOCUS accounts in line with the standard.

Furthermore, a significant number of users had privileged access rights to PHOCUS. There were 14 users in the production and 57 in the test environment that had system administrator rights. This allowed vendor staff to manage user accounts, view and modify data, customise the application and carry out other high impact operations within PHOCUS.
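The review described in this finding can be sketched as follows. This is an added example, not WA Health's process or code from the report: the account records, vendor register, domains, dates and function names are all constructed, and it assumes the account export includes the address that can receive a password reset.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    recovery_email: str   # address that can receive a password reset
    role: str
    environment: str      # "production" or "test"


# Constructed vendor register: e-mail domain -> contract end date.
VENDOR_CONTRACT_END = {
    "former-vendor.example": date(2020, 9, 30),
    "current-vendor.example": date(2022, 6, 30),
}

# Constructed account export. The usernames look internal; only the
# recovery address reveals who can actually take control of the account.
ACCOUNTS = [
    Account("sysadmin01", "ops@former-vendor.example",
            "system_administrator", "production"),
    Account("sysadmin02", "ops@former-vendor.example",
            "system_administrator", "test"),
    Account("dev.support", "dev@current-vendor.example",
            "system_administrator", "production"),
    Account("surveillance.officer", "officer@health.example",
            "standard_user", "production"),
]


def email_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def expired_vendor_accounts(accounts, contract_end, today):
    """Accounts whose reset address belongs to a vendor whose contract has ended.

    Returns (username, environment, days_since_contract_end) tuples.
    """
    findings = []
    for acct in accounts:
        end = contract_end.get(email_domain(acct.recovery_email))
        if end is not None and end < today:
            findings.append((acct.username, acct.environment, (today - end).days))
    return findings


def admin_counts(accounts, admin_role="system_administrator"):
    """Number of accounts holding the administrator role, per environment."""
    return Counter(a.environment for a in accounts if a.role == admin_role)


if __name__ == "__main__":
    for user, env, days in expired_vendor_accounts(
            ACCOUNTS, VENDOR_CONTRACT_END, date(2021, 10, 15)):
        print(f"{user} ({env}): vendor contract ended {days} days ago")
    print(dict(admin_counts(ACCOUNTS)))
```

Keying the check on the recovery address rather than the username is the point: an account stays usable by whoever controls the mailbox that receives its password reset.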

Controls on file uploads and sharing are inadequate

The file upload function in PHOCUS was not restricted to pathology results and other essential documents. Malicious files, such as executables[10] and JavaScript[11] code, could be uploaded to compromise the confidentiality, integrity and availability of PHOCUS and adversely impact WA Health’s contact tracing ability. WA Health had plans to implement a cloud-based scanner to check files uploaded to PHOCUS for malware, but, at the time of our audit, it was only available in the test environment.

There were no data loss prevention controls in place to prevent unauthorised sharing of personal and medical information in PHOCUS, and WA Health did not monitor documents shared with external and unauthenticated parties. Poor controls can result in unauthorised disclosure of sensitive information and reputational damage to WA Health.

During the audit and following our enquiries, WA Health implemented blacklisting to prevent some types of files being uploaded and shared, and introduced malware scanning capability into the production environment.
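Restricting uploads to approved types, as the recommendations put it, can be contrasted with a blacklist in a short sketch. This is an added example, not PHOCUS code: the approved types, the blacklist contents, the sample files and the function names are assumptions, since the report does not list which types are approved or blocked.

```python
import os

# Assumed approved types (the report names only "pathology results and other
# essential documents"): extension -> leading bytes the content must have.
APPROVED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Constructed blacklist for comparison; the report does not list blocked types.
BLOCKED_EXTENSIONS = {".exe", ".js"}

# Constructed sample uploads: (file name, first bytes of the content).
SAMPLES = [
    ("pathology_result.pdf", b"%PDF-1.7\n"),
    ("scan.PNG", b"\x89PNG\r\n\x1a\n\x00"),
    ("result.pdf.exe", b"MZ\x90\x00"),
    ("result.pdf", b"MZ\x90\x00"),          # executable content renamed to .pdf
    ("notes.html", b"<html><script></script></html>"),
]


def extension(filename):
    """Final extension of the file name, lower-cased ('' if none)."""
    return os.path.splitext(filename)[1].lower()


def blacklist_accepts(filename):
    """Blacklist logic: accept anything whose extension is not listed."""
    return extension(filename) not in BLOCKED_EXTENSIONS


def allowlist_check(filename, content):
    """Allowlist logic: accept only approved types whose content matches.

    Returns (accepted, reason).
    """
    if not filename or any(ch in filename for ch in "/\\\x00"):
        return (False, "invalid file name")
    ext = extension(filename)
    signature = APPROVED_TYPES.get(ext)
    if signature is None:
        return (False, f"type {ext or '(none)'} is not approved")
    if not content.startswith(signature):
        return (False, f"content does not match {ext}")
    return (True, "ok")


def compare(samples):
    """For each sample: (name, accepted by blacklist, accepted by allowlist)."""
    return [(name, blacklist_accepts(name), allowlist_check(name, data)[0])
            for name, data in samples]


if __name__ == "__main__":
    for name, by_blacklist, by_allowlist in compare(SAMPLES):
        print(f"{name:24} blacklist={by_blacklist!s:5} allowlist={by_allowlist}")
```

A signature check confirms only that content is consistent with its declared type; it complements the malware scanning the report describes and does not replace it.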

Key security requirements are missing from contracts with third party vendors

Contracts between HSS and its PHOCUS third party vendors lack important contract requirements. Contracts do not include:

  • background screening requirements for vendor staff accessing or maintaining PHOCUS and its infrastructure
  • information and cybersecurity incident disclosure requirements
  • the right to audit the security profile of vendors.

The absence of these contract requirements increases the risk of unauthorised access to sensitive personal and medical information in PHOCUS. There is also a risk that WA Health may not be notified of security incidents that affect PHOCUS, such as data breaches. During the audit and following our enquiries, HSS amended some vendor contracts to include security breach disclosure requirements and the right to audit the security profile of vendors.

There is also no contract management plan for the main third party vendor contract, which would highlight shortfalls in the scope of support services required. Without the plan, WA Health cannot determine if they receive agreed services to achieve desired outcomes. A contract management plan is a requirement of WA Health’s Procurement Procedures. The current contract will cease on 30 June 2022 and WA Health is yet to decide the extent and nature of any ongoing support that will be required.

There is a risk of inaccurate data due to poor data management

Manual data entry processes increased the risk of errors

Linking COVID-19 pathology results with people and then creating individual patient records in PHOCUS involved a lengthy manual process (Figure 2). Manual data entry processes were inefficient and prone to increased errors, especially as large datasets were involved.

Source: OAG
Figure 2: Manual process of adding patient records to PHOCUS

For example, on 29 June 2021, WA Health reported administering (and notifying) over 18,000 pathology results in a single day. A subset of positive cases would have been manually registered in PHOCUS. As positive case numbers grow so will inefficiencies and errors.

WA Health had plans to automate linking of pathology results to individuals, to address scaling and data quality issues. This occurred approximately 20 months after PHOCUS was implemented. While we acknowledge that WA Health have been under considerable pressure to deliver various systems in response to the COVID-19 pandemic, data integrity and confidentiality of information in PHOCUS should remain a priority of the highest order. 

We also found a small number of inconsistencies in data. Three COVID-19 positive individuals were recorded as ‘invalid’ or ‘cancelled’ in the data warehouse but were correctly recorded as positive in PHOCUS as per pathology test results. The data warehouse collects information from different sources for analysis and reporting. Although small in number, WA Health should continue to manage data quality and address the root cause of inconsistencies that influence public health isolation requirements, and the State’s COVID-19 decision making and reporting. Additionally, WA Health is aware that contact records are duplicated when data is imported into PHOCUS and has a process to remove these duplicates.

Recommendations

WA Health should:

  1. improve transparency to the community around the sources they collect personal information from and how it is used

Entity response: Agreed

Implementation timeframe: The Public Health Act 2016 section 134c, provides the Department of Health (the Department) with the power to request external data sources; ‘information about any circumstances in which the exposed person may have exposed another person to the notifiable infectious disease’. The Department will update the publicly available SafeWA terms and conditions to include notification that other data sources may be used.

  2. protect the confidentiality, integrity and availability of peoples’ personal and medical information in PHOCUS through:
    a. restricting access to medical records to only those individuals that require it
    b. data encryption and masking
    c. effective user access controls
    d. logging and monitoring of view and edit access
    e. restricting file uploads to only approved types

Entity response: Agreed

Implementation timeframe:

a, c.     Access is already restricted and is granted via user provisioning processes including agreement to the WA Health User Acceptance Policy.

b.   Data encryption in the PHOCUS production environment was complete on 31 October 2021. Data obfuscation was implemented in the user acceptance testing environment on 26 November 2021.

c.   User access controls are in place.

d.   A process to monitor and respond to user activity was strengthened by Health Support Services (HSS) and the Department during the audit period. HSS will assess options to log and monitor view access and prepare an associated plan by July 2022.

e.   File uploads were restricted on 29 November 2021 via a blacklist through the vendor, in accordance with industry best practice.

  3. continue to improve data quality processes, including resolution of COVID-19 result inconsistencies across different systems

Entity response: Agreed

Implementation timeframe: The Department will continue to improve data quality processes as per standard continuous improvement. The inconsistencies identified were errors from private pathology labs that were not used for operational contact tracing purposes and posed no risk to the public.

  4. address existing and emerging risks in vendor contracts and where appropriate develop contract management plans.

Entity response: Agreed

Implementation timeframe: HSS strengthened its agreements with vendors in December 2021 to include security breach notification and right to audit. HSS will continue to monitor and address risks associated with vendor contracts, and ensure all contracts have a contract management plan in place.

Response from WA Health

The Department of Health (the Department) and Health Support Services (HSS) implemented PHOCUS in a short timeframe to support contact tracing for the management of COVID-19 cases. HSS implemented PHOCUS concurrently with four other large scale COVID-19 applications. Since April 2020, PHOCUS has been continually improved and enhanced to meet operational needs and best practice. PHOCUS has been extremely effective in supporting the State Government’s management of COVID-19 through the Test, Trace, Isolate and Quarantine public health strategy.

The Department and HSS accept all recommendations and note the report highlights many historic items that have largely been previously addressed or were issues where existing controls were strengthened. No breach of privacy has occurred in relation to the system, continuous data cleansing and quality checking is undertaken, no inaccuracies in case status impacting management were found and no inappropriate use of the system was recorded. This demonstrates the robustness of PHOCUS and that the data is well managed and secure.

The Department and HSS also believe the issues raised were appropriately managed given the need to balance speed of development, resource demands for other COVID-19 applications and application quality. For example, the finding related to third party vendor access only pertains to one system administration email account and five external vendor staff (at the time of the audit), all of whom agreed to comply with the same confidentiality and Acceptable Use Policy as WA Health employees. The Department and HSS are pleased the audit demonstrated the effectiveness of the Department and HSS’ data management processes and our ability to maintain the integrity of PHOCUS data.

Audit focus and scope

Each year we review a selection of important software programs (applications) that public sector entities rely on to facilitate their key business processes. Applications help entities to perform important routine functions (such as finance, human resources, case management, licensing, billing and service delivery) and those functions that are unique and essential to them. If applications and their related processes are not managed appropriately, stakeholders including the public, may be affected.

Our application audits focus on people, process, technology and data. We follow data from input and processing through to storage, handling and outputs.

We review key controls that ensure information is complete, accurately captured, processed and maintained. Failures or weaknesses in these controls can result in loss or inappropriate use or disclosure of information, service delivery delays and disruptions, and increase the risk of fraud and financial loss.

Our tests may highlight weaknesses in control design or implementation that increase the risk that an application’s information may be susceptible to compromise. While our tests are not designed to identify if information has been compromised, we may become aware of instances during an audit.

This was an independent audit, conducted under section 18 of the Auditor General Act 2006, and in accordance with Australian Auditing and Assurance Standards. The approximate cost of undertaking the audit and reporting was $104,000.

Appendix 1: Form showing minimum personal information collected during case interviews and stored in PHOCUS

Source: Department of Health

[1] Auditor General for Western Australia, SafeWA – Application Audit, Report 2: 2021-22, August 2021

[2] ibid.

[3] Auditor General for Western Australia, SafeWA – Application Audit, Report 2: 2021-22, August 2021

[4] Data encryption is where data appears unreadable to an unauthorised person.

[5] ABC News, WA records one new local case of COVID-19 following Perth Mess Hall rave, 26 December 2021.

[6] Auditor General for Western Australia, SafeWA – Application Audit, Report 2: 2021-22, August 2021

[7] Parliamentary Question 197 Legislative Council 22 March 2022.

[8] Just-in-time access provides privileges for a predetermined period of time, on a needs basis to troubleshoot, upgrade or patch applications and systems.

[9] Data masking is a technique which copies and conceals sensitive information to protect the privacy in non-production environments. These environments are generally used for testing and development activities.

[10] Executable files are a set of instructions to achieve a task or transaction.

[11] JavaScript is a popular web programming language.

Page last updated: January 11, 2023
