The Drug and Alcohol Office (DAO) plays an important role in the prevention, treatment, education and training and research into drug and alcohol consumption across Western Australia.
DAO’s treatment and counselling services mean that it collects confidential information regarding medical diagnosis, treatment and prescriptions. Staff use paper-based client records, and later transfer this information to an application that manages and records this sensitive information.
In 2010, DAO released a new version of the application, known as Services Information Management System 2 (SIMS2). DAO developed the application in house, closely modelling it on DAO’s existing processes and work practices. Key stakeholders have reported that the application suits their needs. The application holds records of approximately 240 000 clients across the state who are dealing with drug and alcohol issues.
DAO’s role in managing its clients requires some staff to have access to the SIMS2 application. This includes doctors, nurses, psychologists and pharmacists. Securing this information is an important obligation for DAO.
DAO is also required to submit data to the Australian Institute of Health and Welfare (AIHW) as part of the Alcohol and Other Drug Treatment Services National Minimum Data Set (AODTS NMDS). SIMS2 allows DAO to ensure that the mandatory reporting data is collected and accurate. The AIHW uses this data to report annually on alcohol and other drug treatment services in Australia. Information from these reports helps to inform national strategies on drug and alcohol abuse.
SIMS2 assists DAO to record client information and perform its core business efficiently. The ability to access client information readily and store records electronically helps staff to manage clients’ needs.
However, inadequate access and other security controls over confidential client information leave the system vulnerable to improper disclosure.
DAO could also improve its server room environment and disaster recovery testing to minimise the risk of system outages and ensure ongoing operations.
Security of electronic client records
There is inadequate protection of sensitive client information in the SIMS2 database and DAO lacks the controls needed to recognise when unauthorised access has occurred. The database includes medical information for clients including their full name, date of birth, address, contact numbers, full treatment history and medication details. Without appropriate database controls and system security, there is an increased risk of unauthorised disclosure or misuse of client information.
Some of the weaknesses we noted were:
- Access and logging of reports – DAO does not have policies or procedures that determine which system reports can be generated and by whom. All staff, regardless of their role, have access to confidential client information through the SIMS2 reporting functions. DAO does not log who runs reports or their SIMS2 download activity. This means DAO cannot detect improper access to the information. For example, a staff member could export client records and save or store these on external devices without DAO’s knowledge.
- IT team access is unrestricted – Information in SIMS2 is copied between the test, production and live environments of the application. This means that the IT team members had broader access to the information than is needed. IT staff were able to read, delete or alter the client history and information undetected across all environments.
- System security – Essential security controls are not in place. For example, we found weak passwords for accessing the database and multiple temporary accounts. DAO does not install the recommended security updates to the SIMS2 database to help protect its confidential information from cyber-threats and malware.
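The first weakness above is a missing control rather than a broken one: without a record of who ran which report and what was exported, improper access cannot be detected. The following is an added illustration (not SIMS2 code and not part of the audit report) of the minimum an audit trail needs to capture and how it can be reviewed. The log format, role names, report names, thresholds and business hours are all assumed for the example; the sample log entries are constructed.

```python
"""Audit-trail review for report runs and exports (constructed example).

Assumptions for illustration only: an application logs one entry per report
run, recording the user, their role, the report, the number of records and
whether the output was exported. A role-to-report policy and two thresholds
then let a reviewer flag entries that warrant follow-up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: not real SIMS2 data.
SAMPLE_LOG = [
    {"ts": "2015-03-02T09:15:00", "user": "drjones", "role": "doctor",
     "report": "client_treatment_history", "records": 3, "exported": False},
    {"ts": "2015-03-02T09:40:00", "user": "nurse01", "role": "nurse",
     "report": "client_medications", "records": 12, "exported": False},
    {"ts": "2015-03-02T22:10:00", "user": "admin07", "role": "admin",
     "report": "client_treatment_history", "records": 18500, "exported": True},
    {"ts": "2015-03-03T11:05:00", "user": "itops02", "role": "it",
     "report": "client_contact_details", "records": 240000, "exported": True},
    {"ts": "2015-03-03T14:20:00", "user": "psych03", "role": "psychologist",
     "report": "client_treatment_history", "records": 7, "exported": True},
]

# Assumed policy: which roles may run each report. The audit found DAO had
# no such policy, so every role could reach every report.
REPORT_ROLES = {
    "client_treatment_history": {"doctor", "nurse", "psychologist"},
    "client_medications": {"doctor", "nurse", "pharmacist"},
    "client_contact_details": {"doctor", "nurse", "psychologist", "admin"},
}
BULK_EXPORT_THRESHOLD = 500   # records per export; assumed value
BUSINESS_HOURS = (7, 19)      # 07:00 to 19:00 local time; assumed value


def check_entry(entry):
    """Return the list of finding types raised by one audit-log entry."""
    findings = []
    allowed = REPORT_ROLES.get(entry["report"], set())
    if entry["role"] not in allowed:
        findings.append("role_not_permitted")
    if entry["exported"] and entry["records"] >= BULK_EXPORT_THRESHOLD:
        findings.append("bulk_export")
    hour = datetime.fromisoformat(entry["ts"]).hour
    if entry["exported"] and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        findings.append("after_hours_export")
    return findings


def review_log(log):
    """Map each user with at least one finding to a sorted list of distinct
    finding types, so a reviewer sees who needs follow-up and why."""
    per_user = defaultdict(set)
    for entry in log:
        for finding in check_entry(entry):
            per_user[entry["user"]].add(finding)
    return {user: sorted(findings) for user, findings in per_user.items()}


if __name__ == "__main__":
    for user, findings in review_log(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(findings)}")
```

On the constructed log, the review flags the administrator who exported the full treatment history after hours and the IT account that exported every client’s contact details, while routine clinical use by doctors, nurses and psychologists produces no findings. The thresholds are deliberately simple; the point is that none of these checks is possible unless the application records the run in the first place.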
Controls to ensure ongoing operations
DAO has identified SIMS2 as critical to its day-to-day functions. If SIMS2 is unavailable for longer than 24 hours, client treatment may be impacted. DAO has developed IT Disaster Recovery Plans to restore service operations in the event of a serious incident. However, DAO has not tested these plans since 2010 to ensure they are still suitable.
We also found some opportunities to reduce the risk of a SIMS2 outage when we reviewed the maintenance of server rooms and supporting equipment:
- DAO uses its server rooms for other activities such as CCTV monitoring and building of computers. Undertaking these activities near critical servers and equipment, together with untidy network cabling, increases the risk of disruptions.
- The server rooms did not have monitors to alert IT staff during or after business hours of changes in the environment that may affect a server, such as an air conditioner malfunction.
By June 2016 the Drug and Alcohol Office should:
a) ensure it has the appropriate controls in place to limit the risk of information loss from its network
b) identify vulnerabilities and apply updates in a timely manner within SIMS2 and the supporting IT infrastructure
c) improve the computer room environment to minimise the risk of system outages and conduct IT Disaster Recovery Plan testing as required.
The Mental Health Commission (MHC) acknowledges the findings of the application controls review. The audit process has highlighted a number of issues and work is ongoing by the MHC to improve the infrastructure, process and controls in place.
A number of items identified in the audit have already been addressed and the remainder will be finalised, as per your recommendation, by June 2016.
The Drug and Alcohol Office and the Mental Health Commission amalgamated on 1 July 2015. The joined organisation is called the Mental Health Commission.