Holes in DHB cyber security – Expert Reaction

The Ministry of Health found five health websites with potential vulnerabilities following the data breach of Tū Ora Compass Health.

The Ministry investigated 600 websites run by primary health organisations and district health boards after cyber hacks targeted Tū Ora Compass Health earlier this month.

None of the PHO websites scanned were identified as having any specific vulnerabilities. Five websites operated by three District Health Boards (DHB) were identified as having potential vulnerabilities. One was a false positive, two cases found no subsequent breach, and analysis continues for the remaining two. None of the vulnerable websites contained private patient information.

The next step is to commission independent external reviews of all DHBs and PHOs to test and remedy vulnerabilities in externally facing IT systems.

The Science Media Centre (SMC) asked experts about the results from the cyber testing.

Dr Vimal Kumar, lecturer, head of Cyber Security Lab, University of Waikato, comments:

“The Ministry’s three-step approach seems to be a reasonable one.

“The first step of the National Cyber Security Centre (NCSC) quickly scanning the public-facing websites will identify existing vulnerabilities, which they seem to have in some cases. The second is for PHOs and DHBs to undertake an assessment of appropriate security controls and implementation of security best practices, and the third is offensive penetration testing of the systems which will help in a deeper assessment of the systems.

“This, however, should not be a one-off exercise. It needs to be kept in mind that cybersecurity is a continuous process and the custodians of data, and especially health data, need to undertake such exercises regularly to assure themselves, as well as the public, that their data is safe. It should also be noted that security is not just the responsibility of a particular person or a group of people within an organisation. It is the responsibility of everyone and organisations must take steps to raise cyber-awareness within their staff.”

No conflict of interest.

Associate Professor David Parry, Head of Department of Computer Science, AUT, comments:

“It’s good to hear that there are no other websites in the PHOs with the same vulnerabilities, but it is very concerning that three DHBs do. In my view, this confirms that the public health sector as a whole is not investing in IT people and technology at an appropriate level for the 21st Century. Essentially there is too much work and not enough support despite very dedicated people working throughout the sector.

“The next step is basically asking health organisations to confirm that they have adequate security in place. This is fine, but the fact that the question needs to be asked indicates that there are not clear lines of responsibility around this as yet. External audits are very important and will reveal other issues I’m sure.

“Overall this is a good response but shows again that this area has been neglected. I think most people would be shocked that this work is not already being done. Unfortunately, there are very few incentives for organisations in the health sector to work together either by sharing data and analysis approaches or best practice around security. This is also emphasised by the interim Simpson report.

“Overall the health system is still much better at collecting information than using it to improve care or increase efficiency. Government should consider how it can give clear and consistent support for safe and effective use of information. Privacy models are out-of-date and ineffective if security is not adequate. Patients have the right to expect that their data will be protected and used effectively but in many cases they are not even aware of how it is collected, used, or by whom. Investment in this area is vital along with top-level management awareness and education, and clear guidance about the law in this area.”

No conflict of interest.