A report has highlighted significant weaknesses in Western Australia’s public pathology service that risked the confidentiality, integrity and availability of PathWest’s information system and the sensitive medical information it holds.
Auditor General Caroline Spencer released a report on June 30, following a 2024 audit of the service.
She said the public release of the report had been delayed in order to allow PathWest to address critical system vulnerabilities.
PathWest stores test results in its Soft Laboratory Information System (SoftLIS). Doctors rely on these results to aid medical diagnosis and, in some cases, the State Coroner relies on them to inform cause-of-death decisions.
“The findings highlight critical vulnerabilities in how this sensitive data was secured, accessed and shared,” she said.
“In 2023-24, PathWest conducted approximately 13.6 million drug, cancer, infection, virus detection and other tests, reinforcing the need for strong data protection.
“We found encryption was not used to protect the sensitive information stored in SoftLIS or sent across the health network, and weak encryption was used when test results were downloaded by external parties, such as general practitioners.
“Western Australians should feel confident their sensitive medical information is secure and protected and these findings show PathWest was not meeting that expectation,” Ms Spencer said.
PathWest did not effectively control staff access to sensitive information in SoftLIS, so some former staff retained access after leaving employment, which increased the likelihood of inappropriate disclosure.
The audit also found SoftLIS was at an elevated risk of compromise as many important components ran on unsupported software and hardware.
The Auditor General said her office had recently reviewed PathWest’s remediation work and its plans to remediate remaining weaknesses and was “comfortable these efforts have reduced a significant amount of risk.”
Further work is expected as part of a broader WA Health system project, which is expected to address the shortfalls identified in the report that have not yet been addressed. This work is expected to be complete by mid-2027.
Ms Spencer encouraged PathWest and Health Support Services (HSS) to “continue prioritising improvements to SoftLIS, to provide assurance to patients and doctors that the integrity and confidentiality of test results is intact.”
In its response to the Auditor General’s report, PathWest said it shared an ICT network with the rest of WA Health and was working with the WA Health Cyber Executive Committee and other Health Service Providers to ensure cybersecurity risk was appropriately managed.
“PathWest will continue to undertake a data informed and proactive approach to building ICT system capability and security to support the WA Health and Justice systems.”
HSS, as the provider of shared ICT services to the WA Health System, including PathWest, said it had “supported PathWest to remediate a number of the audit findings and will continue to do so to ensure the confidentiality, integrity and availability of the LIS system is maintained.”