Can you tell us about Melbourne Health and the place of IT in its operations?
Melbourne Health is a large public healthcare service provider. We have approximately 8,500 staff. Our operating budget is funded primarily by the Victorian government, supplemented by some Federal funding.
The organisation is a secondary, tertiary and quaternary centre and it is also a designated hub for emergency management. It provides state-wide service for mental health as well.
IT is managed across our services through a small centralised workforce. IT is divided on the traditional basis, into server, desktop and application support, telecommunications which has some elements of security support, a helpdesk and the like.
Like every other part of the organisation, IT has to bid for its financial resources and there are constraints. Because the hospital is quite old, some of the infrastructure, in terms of both buildings and IT, requires additional investment.
How does Melbourne Health approach cybersecurity?
Melbourne Health takes security extremely seriously. We had a malicious attack earlier this year. It shook the foundations of the hospital. IT resources were stretched. We had to assist reversion to manual processes, where it was required.
We understood the impact of what happens when you get attacked. We brought in experts. They traced the attack and used predictive analytics to find vulnerabilities, evaluate the impact on operating systems and fix them as quickly as possible.
We also set them the task of checking if there was any silent data leakage. We could get the hospital back on its feet by restoring operations but we cannot secure our reputation, if we lose patient data. We made sure that was not happening.
For Melbourne Health, security is paramount, not just IT security but any security issues, that might impede our core activity of service delivery and care for the patient population. We have to be confident that we can use the data associated with those patients to provide them better care but also secure the data against external or internal threats.
At the moment, we have taken all the standard measures. We have firewall protection, we have policies and procedures in place. We have imposed controls on administrative privileges. We communicate the rules, the dos & don’ts strongly to staff, often on a weekly basis. We have asset protection measures.
Could you tell us about plans for dealing with the aftermath of an adverse incident?
We have resilience and business continuity plans. We have escalation points. When absolutely necessary, we invoke emergency management protocols. We have an emergency management committee, which monitors and directs resource applications when those events occur. That’s happened twice in the last six months, events that we have deemed serious enough that those business continuity procedures have been activated.
We have hybrid systems, partially paper-based, partially electronic. In the event of such incidents, we have to fall back onto manual processes. We conduct practice runs on these protocols and procedures.
Are there any ongoing IT projects?
IT is constantly evolving and pieces being redefined. We have an IM&T (Information Management and Technology) strategy, a cybersecurity strategy, we are always working to better secure our environment.
Melbourne Health is seeking to implement an EMR (Electronic Medical Record), together with partners, the Women’s Hospital and the Peter MacCallum Cancer Centre based in the Victorian Comprehensive Cancer Centre. It is being done through preparing and presenting a business case. The project is supported by the Victorian government.
We are a part of My Health Record but it does not connect community or GP practice with hospitals. The reality is that different hospitals have systems set against slightly different work practices and processes. We hope that the EMR will consolidate the bulk of those processes and practices seamlessly.
But we expect some limitations to persist. For example, most senior clinicians create and manage their own databases and some of them even refer to those as EMRs, which they are not. But they are rich sources of patient information and they are the go-to places for clinicians to check past histories or to assess whether there are any issues associated with drug medication, for example.
