Health data hack – Expert Q&A

Cyber hacks targeting a major primary health organisation (PHO) that holds large amounts of patient information have sparked a wider investigation to see if other PHOs or health boards are vulnerable to attack.

A security audit has identified at least three successful attacks on the public website of Tū Ora Compass, the PHO that covers Wellington, Kāpiti and Wairarapa. Five lower North Island based PHOs that have a relationship with Tū Ora are also affected. PHOs hold individual data such as medical centre enrolment information including names, ages, ethnicities, and addresses, as well as some information on mental health counselling, sexual health and lab tests.

Director-General of Health Ashley Bloomfield said the investigation aims to identify where security measures need to be strengthened. PHOs and health boards have been ordered to review their “external facing” cyber security and report back by today. An initial assessment on this investigation can be expected in the next two weeks.

The SMC asked an expert about the current situation and what should happen now. 

Associate Professor David Parry, Head of Department of Computer Science, AUT, comments:

This was a known vulnerability – what should have happened then to prevent further breaches? 

“Any system that can potentially be accessed via the internet is likely to have vulnerabilities. Software manufacturers regularly send out ‘patches’ i.e. software updates that will make the software secure. Most of these vulnerabilities are discovered before they are used maliciously. A normal and expected part of managing any computer system is to apply these patches as they are released – sometimes after testing on a local test system to make sure they don’t break anything else. In some cases the vulnerability might be addressed by changing how a system is set up e.g. getting rid of a certain type of user that has too many rights.”

What would be the likely motivation for a hacker, accessing personal data like this, and what could a hacker do with this information? 

“Motivation is normally general malice or money. Some people just want to destroy things or are annoyed at a particular organisation. Others want to get money. Without going into details, it is possible that a hacker motivated by money could blackmail individuals or the organisation concerned that they will release xx information unless a ransom is paid. Personal information can also be used to set up accounts in false identities, based on the details they have stolen, or other ways. This may not be done by the information stolen directly – it could be used for ‘social engineering’ attacks on the person who has had their data stolen (like phishing emails). The more details you know about someone, the more convincing the false email (or in some cases the phone call). This could also extend to other parts of the health system – if you know a lot of personal details about someone, it is relatively easy to get more details about them from unsuspecting people in other parts of the system.”

Given the investigation has found attacks dating back to 2016 – has Tū Ora’s health IT infrastructure been unfit for purpose for some time?

“Yes. This is not primarily an infrastructure problem though – this is around policy. If a retrospective look finds previously-unknown successful attacks then it means that almost certainly the level of testing and maintenance of the system is inadequate. If you only discover a breach when someone does something very obvious, then it suggests that you have not been looking hard enough at potential problems. Very complex or hard to maintain infrastructure – possibly using software too old to get regular security patches – could be an issue, but again at some point there would have been a decision not to upgrade.”

Do you think this breach suggests there are vulnerabilities in other PHOs? 

“I would expect every PHO is looking very closely at their systems now – hopefully there won’t have been any breaches. Each system is different as is each security policy and involvement by senior management. PHOs generally have small IT teams and sometimes have quite a complex history in terms of relationships between systems e.g. as practices join or leave. This makes maintenance and security harder. There would quite possibly be similar problems in other small health organisations. Security needs skilled people and there is a major shortage in New Zealand. This may also not have been seen as a significant issue by management up to now. PHOs should be behaving as though they are at high risk until they are convinced that they are secure.”

How secure are DHB patient records?  

“DHB records are very secure. I’d be a lot less concerned about DHBs generally as they have large IT groups, good security policies and usually have a better awareness of what is inside and what is outside their system.”

Is it possible that this was a Trojan horse attempt to access information from other government agencies?

“Possibly yes – although often health systems are seen as tempting targets because of the sensitivity of the data. Directly using this breach to get into other departments seems unlikely but it is possible that ‘social engineering’ attacks might use the information – basically any case where someone thinks you must be legitimate because you think that only authorised people would have access to the information: e.g. phoning up about Fred Blogs, here is his date of birth, address, NHI/health ID number – can you tell me xxx? That shouldn’t work, but if people are busy they may not follow the correct protocol. Pharmacies and insurance companies may be other targets.”

What needs to happen now? 

“Ensure all health organisations review their policies and identify who is responsible for patching etc. and that this is up to date. They also need a plan as to how they are going to respond when breaches occur. I’d suggest that the larger organisations at least should run a check to see if breaches have occurred and everyone consider if there have been any suspicious transactions. The Government has an excellent security team that can help with this. People who may be affected by this breach should be given clear instructions around how to avoid ‘phishing’ etc. All the organisations that interact with Tū Ora should also be enforcing a high level of security – e.g. ensuring that they can positively identify requests for information, checking any interconnecting systems. The government needs to look at how they can restore trust in these systems which are vital for healthcare.

“Unfortunately these attacks are not going to stop. Government may need to begin regular audits of health organisations to confirm that they are adequately secured. Certainly this needs to happen within organisations. Management and boards need to have security as a key focus, including plans for reacting to breaches. Privacy law still lags behind the reality of the situation – it may be that NZ needs to go to a system like GDPR in the EU which has very strict rules around notification of breaches and protection of data. Security professionals need to be more available and more involved during the design and modification of systems. Ultimately this will cost money; the health sector spends a very small amount on IT as a percentage of its overall budget compared to other organisations. IT professionals in the health sector are extremely dedicated and skilled but the demands on their time are frequently unreasonable because there simply aren’t enough people.

“Personally, I believe that having a cross-party strategy for health IT so that there are not major changes every time a new government comes in would be extremely helpful, along with a clearer career structure for people working in the area, and serious efforts to increase trust and cooperation between organisations by sharing best practice and working together more.”

No conflict of interest.

Dr Giovanni Russello, Head of Computer Science, University of Auckland, comments:

Given the investigation has found attacks dating back to 2016 – has Tū Ora’s health IT infrastructure been unfit for purpose for some time?

“I have not seen any technical report on this case so I cannot really comment. But given the date of the earlier attack I would not be surprised if their IT infrastructure was not up to scratch. It is actually quite common for SMEs in NZ to have no proper cyber security hygiene. And why should they if there is no real pressure from the government? In the EU and US, the situation is very different and companies take cyber security more seriously.”

Do you think this breach suggests there are vulnerabilities in other PHOs?

“There is no perfect code and there are always vulnerabilities – this is my approach.”

How secure are DHB patient records?  

“I have not spoken with many but the only one that I have engaged with is still trying to build a proper infrastructure to store and manage all the data. The resources are being spent towards data scientists to help reduce costs. Despite putting all the data in one single basket, they have allocated only one person to look at the security of it.”

Is it possible that this was a Trojan horse attempt to access information from other government agencies?

“Unlikely, but possible.”

What needs to happen now? 

“Start taking cyber security more seriously? Talking with us (experts) more to try to help them.”

No conflict of interest.