INF20031 Cybersecurity Case Study – S1, 2023. 1
Case study, S1 2023
CASE STUDY: TRUSTED HEALTH CLINIC, 2023
OVERVIEW. Trusted Health Clinic was established in 2002 in Inverloch on the Bass Coast of
Victoria with the innovative goal of becoming Victoria’s first “phone-in medical centre” to
use an expert knowledge base for the preliminary assessment of patients. When someone
calls the centre, a registered nurse uses THC’s “clinical knowledge base” to assess the
caller’s symptoms, rule out possible conditions and recommend suitable options for
treatment. These options include (i) scheduling a telehealth call with a Doctor, (ii)
scheduling a Doctor’s appointment with one of the 6 GPs at the clinic, (iii) attending the
clinic to see allied health professionals (currently nurses, a psychologist, a
physiotherapist, a podiatrist, a skin care specialist, a pharmacist, and a phlebotomist), or (iv)
making an emergency room trip. The initial decision support is based on checking the
patient’s description of their condition against the knowledge base: a software solution
built on proprietary algorithms matches the symptoms of thousands of illnesses and
conditions to the descriptions callers provide and lists options for the nurse. As the Clinic’s
founders and Managing Directors, Dr Brad Hill and Dr Angelique Farelli, are fond of saying:
“We are taking available technology and putting it to work to provide new health
information services, while maintaining the highest level of care for regional Victorians
here on the Bass Coast.”
CKB. Drs Hill and Farelli first met while studying Medicine at the University of Melbourne;
however, a passion for surfing, the environment and a rural coastal life took them to the Bass
region and a country practice. Since that time, Trusted Health’s early journey into the use of
Telehealth for regional healthcare has set them apart. The Clinic is thriving, and the years spent
working with their software developer, health information systems specialist Felix South, have
repaid the Doctors and Felix handsomely. Trusted Health’s tele-services are used, on average,
8,000 times per year, or as much as 20 times a day. The volume of use has allowed the Clinic to
charge a low consultation fee for a nurse-serviced call that matches patients to allied health care
services in instances where a Doctor’s referral isn’t needed, and matches patients to a Doctor in
all other cases. Many rural callers have saved long and expensive trips to a Doctor’s office
because their condition could be addressed over the phone through a telehealth call with an on-duty Doctor. Patient safety is the Clinic’s number one priority, and while the knowledge base
allows THC to work efficiently and effectively in prioritising patient visits, patient care is never
compromised. A searchable patient call-record, including a copy of the decision reached, is
recorded and kept for every phone-in, just in case it’s ever needed.
The clinical knowledge base, or CKB as it’s called at THC, has given the Clinic a unique
competitive advantage in Victoria, and the Clinic is currently in discussion with several of
Australia’s largest Health Information Management system providers who would like to license
the intellectual property and develop CKB further. Hill, Farelli, and South are interested in this,
and are exploring how CKB could be improved and what the big companies might pay them for
their intellectual property. Felix currently keeps the original systems design, including systems
documentation, and the code and data store for the knowledge base, on his personal laptop, with
backup hard drives under lock and key in his filing cabinet at THC. The current version of CKB
is maintained on an internal Server.
For local software developer, 58-year-old Felix South, his work on CKB has been a marriage of
convenience. Felix, who has had a very successful career as a Health Information Systems
specialist working in the Bass region for over 20 years, sold his client list and moved into semi-retirement 5 years ago with the intention of spending most of his days at the Leongatha Golf
Club, a hidden gem of the region. The reality has been somewhat different: since retiring, Felix
has spent almost 5 days a week at the Clinic, where THC have provided him with an office, and
they are now paying him a weekly wage to work as their Systems Administrator. Felix manages
and maintains the CKB internal database and server alongside the Clinic’s central medical
information management system, HealthCare One. This makes perfect sense; after all, Felix was the
original developer of HealthCare One and nowadays is the only person in the region qualified to
maintain it.
HealthCare One. The system has been customised over a period of 20 years and serves as THC’s general
medical information system, meeting and supporting the practice’s central requirements for the highest
standard of medical care. The system maintains all patient records, including patient personal
details and demographic information, records of individual healthcare and social welfare history,
patient health risk factors, allergies, and medication. In addition, it records, tracks, creates, and
generates:
• patient follow-up reminders, patient scheduling with Doctors and allied health
professionals,
• prescriptions and active prescriptions lists for electronic transfer (between the Clinic and
Pharmacies),
• sending on electronic referrals and receiving electronic reports, including specialist letters
and hospital discharge summaries,
• requests for patient in-hospital care, laboratory diagnostic orders, lab, and radiology
reports,
• the secure direct electronic exchange of clinical and non-clinical information,
• communication of patient information via email as required.
In addition to maintaining patient records, the system maintains Doctor and allied health professional
records to support patient matching; this includes:
• Doctor details relevant to practice, including their demographic information, qualifications,
and areas of specialist care,
• Allied Health professional details relevant to practice, including demographic information,
qualifications, and areas of specialist care.
The system interacts with CKB to provide decision support in various forms, e.g., patient history
and records of previous treatment decisions from phone-ins, drug-interaction checking, drug-disease
interaction checking, and checking for appropriate care directions for people with chronic
diseases.
HealthCare One supports full patient administration, including maintaining information about the
patient’s record of calls, record of visits, and health insurance details, including the
information needed for automatic payment and/or rebate for services via the HICAPS system for
private health insurance and the Medicare system for public patients.
The availability of accurate confidential information is essential for facilitating good clinical
practice, the continuity of patient care, support for point-of-care decision making, monitoring of
critical events, and for limiting and preventing clinical incidents and errors. Practice manager Susan
Brown oversees all patient records. She is a little concerned that all employees have access to all
patient data at any time, but feels the convenience outweighs the risks.
Standards. CKB and HealthCare One are built to diligently comply with Australian standards for
healthcare information and records management. THC’s recordkeeping is compliant with the
medical record-keeping requirements of the Medical Board of Australia and Victoria’s healthcare
record documentation and data capture procedures. The confidentiality and privacy of most of the
health information collected by THC is protected under statutory and common law requirements,
and THC aims for full compliance with the Australian Commonwealth Government’s national
privacy principles. THC is aware that it needs to explicitly recognise the sensitivity of patient
clinical information, the importance of patient consent for any access and use of information, and
the importance of protecting patient confidentiality and privacy, and it would like to express this as
part of its published mission, but it hasn’t yet had the opportunity to develop a mission statement.
The simple fact is that, even though THC thinks its systems are compliant, its last audit was pre-COVID,
and it hasn’t been keeping up with its obligation to audit its information systems and to keep
additional records documenting its compliance; or at least, nobody can find those records.
This is not Felix South’s fault: as the previous health systems contractor, CKB business partner
and now employee of THC, Felix is excluded from the role of independent auditor. While Felix
can take responsibility for maintaining the CKB and HealthCare One software and keeping records
about the system and its use, ultimately it is THC’s executive management team who are responsible
for its records, including records for information systems governance and compliance.
IS/IT Infrastructure. Felix is a diligent Systems Administrator; his career was based on
developing Health Information Management systems of the highest calibre, but the business
demands of medical practice have changed significantly over 20 years and THC has been
maintaining the same system right across this time. Nowadays HealthCare One is running on
“patches, extensions and workarounds”. Rapid development means detailed documentation about
how the system operates the Clinical practice has been put to one side; the people responsible for
different information in the Clinic are taught how to use the System for their work and then just do it. This includes the front-of-office staff (clinical care officers who register and maintain records
of all incoming patients), the practice manager, the managing accountant who oversees all financial
records and general business practice, and the human resources and payroll manager. Then there are the
allied health professionals (the pharmacist, radiologist, phlebotomist, physiotherapist,
podiatrist and skin care specialist), practice nurses and nursing assistants, general practitioners, and the
managing GPs (Brad Hill and Angelique Farelli). In February 2022, THC appointed a second IT
Systems Administrator, Jock Jordan, to focus on Cybersecurity following a DDoS attack on THC’s
customer-facing web server over Christmas 2021 that resulted in a 4.5-hour outage and heightened
security concerns around THC’s weakest points; however, Jock is not a security expert, and his
brief, covering new Clinic data analytics with CKB, gives him very little time for legacy systems.
Adding to his woes, there is no significant line of reporting at THC, and he has little direct
authority. Jock reports to Felix, who in turn seems to talk informally with the practice manager,
Susan Brown, but the pair have known each other for over 15 years and planning is usually done
over coffee at the café next door to the Clinic.
At the business level, HealthCare One is starting to become a problem too. The Accounts
reconciliation officer, Sally Brent, who is responsible for reconciling a complex list of supplies
(e.g. blood glucose monitoring equipment, disposable syringes and needles, equipment for
ventilation, intravenous access emergency medicines, eye examination equipment, sterile gloves,
measurement devices, oxygen, specimen collection equipment, stethoscopes, surgical masks,
thermometers, torches, urine testing strips, blood testing kits) and depositing all banking, has
developed the habit of exporting and converting daily accounts data to CSV format, so that she
can create the Excel spreadsheets she uses to reconcile accounts and complete banking from ledgers
on her own laptop. The laptop is brand new because Sally recently lost her previous laptop at the
café next door. While Jock has asked her not to work from home on her laptop, her busy schedule
sometimes demands ignoring the ‘IT guy’. The accounts manager, Colleen Hayes, is aware of the
practice but understands just how busy Sally gets.
Complicating matters, it is not possible to share patient records between HealthCare One and
CKB in real time; instead, this patient information is processed nightly as a batch process. Problems
like this have been flagged with the Managing Directors, but they are somewhat blissfully ignorant
about batch processing and see the problem principally as an “IT issue.” Recently, their attention
has been focussed on THC’s opportunity to on-sell their interest in the CKB knowledge base.
CKB EXPANSION PLAN (CKB-X). At the beginning of this year Brad, Angelique and Felix decided
to ramp up “Felix’s baby” and have Jock working to redesign the database into a much larger Data
Warehouse. Jock is busy exploring opportunities for applying artificial intelligence and machine
learning that will support new types of decision making and hopefully see CKB deliver new types
of services. THC is currently collaborating with a Melbourne-based University to see if they can
expand preliminary health evaluation based on the analysis of medical images, including X-rays.
However, much of this will depend on the Clinic’s capacity to interact securely with patient
information in multiple formats coming in over Wi-Fi and mobile networks from affiliated allied
health services, e.g., radiology. To support this, the Clinic has recently upgraded to a commercial
Wi-Fi network and implemented a continuous uninterruptible power supply and backup facility;
however, it has not yet appointed a network administrator, and just who is responsible for CKB-X
is becoming a little confused.
HR Cloud. For Rebecca Adams, THC’s HR and payroll manager, it is all becoming too much!
Exploring new innovations while facing the shortcomings of a legacy Health Information
Management system reminds her of the tale about the “cobbler’s children having no shoes” – and
she reminds everyone about this. As the company’s Human Resource manager, she is responsible
for making sure everyone gets paid on time, and she is no longer satisfied with HealthCare One’s
HR extensions; she has commenced looking at cloud technology and Software as a Service (SaaS)
to support the HR function. She has initiated discussions with Workday, a US-based SaaS provider
that has been recommended to her by a colleague in the HR profession. Ultimately, her intention
is to seek funding from the CFO for the purchase of a SaaS-based Human Resource management
solution. While her initial planning has raised concerns about where Workday’s Cloud services are
located, either within or outside Australian jurisdiction, e.g. offshore in the USA, she considers
the functionality the service will provide a more important concern than worrying about offshoring
HR data. She really can’t see that it matters where employee data is stored so long as the patients’
records are under control.
Rebecca has found an ally in the accounts manager, Colleen Hayes. When Colleen became aware
of the HR manager’s intention to adopt SaaS for HR, she too started to think about getting approval
from the Managing Directors to adopt Salesforce.com’s SaaS solutions as a way of integrating
several core finance and business functions (e.g., HR and Supplier accounts management). Colleen
has been frustrated by the focus on the new CKB Data Warehouse, which has proceeded without
any policy established to define the relationship between its operations and business as usual at the
Clinic. She is planning to put forward her proposal directly to the Managing Directors without
consulting Felix or Jock, whom she regards as a pair of “IT control freaks” with no real power at
THC. When it comes to the strategic direction of IT at THC, Felix is concerned that the IT function
is being disregarded, but … he will be retiring soon, and on a pretty good wicket.
Business continuity. Despite some of the internal issues between business functions at THC,
everyone shares the same vision when it comes to the importance of patient information, and the
Clinic has recently adopted a failover data backup strategy that ensures a secondary computer and
network facility is always available should something go wrong with primary systems. All Clinic
data, including patient records, Doctors’ records, allied health professional records, suppliers’ data,
and all internal HR, finance, and Clinic operations records, are now backed up once per month with
a small specialist company, located in Wonthaggi (a town near Inverloch), which provides the
failover network and data backup service. The company is owned by a close and trusted friend of
Felix South’s, and although it is a relatively new company, so far it has made good on its promise
to provide an “excellent and reliable service to secure all your business data and information” and
“providing cost effective solutions to business data backup and restoration”. The company has
immaculate offices and presents an impressive-looking backup facility, as per the information
provided on its web page, and (according to its website) it has significant bandwidth leased
from an ISP that ensures all backup processes can be performed offsite.
Of imminent concern. Prospects seem healthy at THC, yet it is easy to see that the management
culture at this thriving coastal Clinic is not what its two founders first imagined. A few incidents
in the past few months are compounding the already existing tensions and operational issues that
surround the overburdened and aging HealthCare One system. Recently, employees who have been
with the company for its first 10 years, including Sally Brent, have left, and a lot of Clinic know-how has departed with them. Nobody is sure why Sally chose some of the suppliers that she did,
but a recent review suggests that it may not have been based solely on a competitive tender process.
Other departing employees seem jaded following the pressures of the past few years. Between
2019 and 2022, there has been a substantial rise in the number of COVID-related scams and viruses
detected in email attachments scanned by the IT team. Jock recently identified a targeted phishing
campaign designed to convince the practice manager to release patient information to an unknown
party. After careful examination of the emails, it’s clear that this was the result of a scam designed
to intercept Susan’s log-in credentials, which would provide access to all patient records, but by
whom and for what purpose? Felix is concerned about the possibility of it being internally
motivated corporate espionage designed to learn about advances in CKB’s algorithms, but the
alternative possibility, that it is a genuinely malicious attack organised by criminal hackers outside
of the company, could be even worse. Even the weather is affecting the mood. Constant rain over
the past 2 months has been interminable, and there are concerns that the flood- and storm-prone area
may see a disastrous weather event soon, with gale force winds battering Inverloch and surrounds.
THC has requested your Cybersecurity report.
—END CASE STUDY—