Tuesday, 15 October 2019

 Ms CROZIER (Southern Metropolitan) (12:08): My question is to the Minister for Health. Minister, the Victorian Auditor-General’s Office warned the government in May of the high vulnerability of Victorian hospitals to cyber attacks. A rural hospital board member told ABC Statewide that it was a failure of your government to provide sufficient funding to address cybersecurity upgrades. Barwon Health and surrounding health services are still feeling the enormous impacts, including that staff are having to use their own personal emails and phones to communicate. So I ask: will you give an assurance that no patient has been put at risk as a result of the cyber attacks and the ongoing crisis which the cyber attacks have caused?

 Ms MIKAKOS (Northern Metropolitan—Minister for Health, Minister for Ambulance Services) (12:08): I thank the member for her question. Cyber attacks sadly are a reality in our modern world, and no individual is exempt from the risk. We all need to remain vigilant and constantly update our cyber defences. I would be amazed if there was a single member in this chamber who has not had their cyber defences tested, whether it be through a phishing email or a remote attack on their website.

Cybersecurity is an ever-changing landscape, and the Andrews Labor government has worked very closely with federal agencies to ensure that all our public sector agencies, including our hospitals, are protected. Over the past five years our government has invested in excess of $46 million to strengthen health service IT capability, replacing aged and at-risk technology and health services, the majority of which has been spent in direct cybersecurity investments. This has included $13 million in this year’s state budget for the latest digital infrastructure and cybersecurity, and in fact every health service has benefited from this funding, including Barwon Health service.

What I can advise the house is that on Monday, 30 September, we became aware that a cyber attack impacted a number of regional hospitals and health services in Gippsland and the south-west of Victoria, and what has been confirmed since that time is that the cyber attack began with a phishing email sent to an employee. What happened is a very innocent looking email was sent to an employee who clicked on an attachment and the virus was downloaded to the hospital’s computer network, providing cybercriminals with unauthorised access. But what I can also advise the house is that during that same week we had hospitals in the United States and in Canada, across North America, being subject to the same ransomware incident, resulting in their hospitals closing services aside from emergency cases.

So in this case I want to commend our health services, who have worked incredibly hard to ensure continuity of care for their patients, and I thank them very much for the work that they did in reacting swiftly to manage this attack, which has resulted in a small number of patient disruptions to essential health service delivery. The advice that I have is that there has been no evidence that patient data has been stolen; there has been no evidence that staff data has been stolen. The aim of this sort of cyber attack is to extract payment from organisations rather than to steal data, and I can make it very clear that no ransom has been paid or will ever be paid to cybercriminals.

 Ms CROZIER (Southern Metropolitan) (12:12): Minister, will the systems that have been affected by these cyber attacks be fully operational before Christmas?

 Ms MIKAKOS (Northern Metropolitan—Minister for Health, Minister for Ambulance Services) (12:12): Well, what I can advise the member, if she has been listening, is that there has been outstanding work by the health services staff to react swiftly to manage these attacks, supported by my department and supported also by the cyber team from the Department of Premier and Cabinet as well as by federal agencies. They have managed to put in place a range of measures to ensure that the impact on patients has been minimal. Importantly only 41 elective surgeries have been rescheduled, all at the University Hospital in Geelong, none at any other regional hospital. A number of systems have already been able to come back online. As you would expect, appropriate care has been taken to ensure that systems are properly cleaned before they come back online and to ensure minimal impact on services going forward.