Cyber attack cripples Waikato hospitals – Expert Reaction

All phones and computers across Waikato DHB have been taken down by a cyber security incident, leaving clinical services scrambling.

The DHB has called in external help, and says it refuses to pay any ransom demanded.

The SMC asked experts to comment on the attack and the aging IT infrastructure that may have enabled it. 

Professor Robin Gauld, Director, Centre for Health Systems and Technology, University of Otago, comments:

“For three decades we’ve known in New Zealand that our health information and clinical systems have been vulnerable to attack. So while this attack comes as no surprise, it is alarming and has had an impact on healthcare functions.

“Having disparate IT systems across the country’s 20 DHBs is not helpful, which has been highlighted in many reports and stocktakes over the years, and more recently brought into stark relief by the Covid-19 pandemic. We need to have national IT systems and national security systems to deal with this kind of cyber threat.”

No conflict of interest declared.

Professor Dave Parry, Department of Computer Science, AUT, comments:

“The recent cyber attack on Waikato DHB demonstrates the degree to which the health system depends on IT systems working efficiently. DHBs have some of the most complex collections of systems in the country – there is not just one system but a large collection of different systems, sometimes hundreds – that are used to support different departments and clinical areas. DHBs are much better prepared than they were a few years ago for cyber attacks; there are regular audits and GCSB and CERT are called in very rapidly. DHB systems represent critical infrastructure and of course hold very sensitive personal data.

“It is not yet clear exactly what sort of attack this was, but a few days ago there was an attack on the Irish health system in the form of ‘ransomware’. In this sort of attack, the attacker manages to get some of their software onto the victim’s network and this encrypts files, making them unreadable. The attacker then offers to give the victim the key to unlock the encryption in return for money – usually in the form of bitcoin or other cryptocurrency.

“If the victim doesn’t pay, then they will normally shut down access to systems, check for the attacker’s software and delete it. After that the victim will then restore the encrypted files from backups and start up the services again. Normally very little data, if any, is lost. Generally, once the attack software is identified, the DHB can set up its firewall and other security software to identify it and not allow it to run on the network. The complexity of DHB systems and the relatively small IT teams can make the shutdown/clean/startup process very demanding – they will be getting help from the rest of the health system and government. It would be reasonable to expect critical systems to be up and running again in a day or so at most.

“Getting the ‘malware’ onto networks may have involved ‘phishing’ or emails that included links that downloaded the software. The firewall updates should prevent the same software being downloaded again.

“Unfortunately, last week the Colonial oil pipeline in the US was attacked and apparently they paid $5 million to the attackers – this will probably have encouraged attacks by the same gang or similar ones. Government agencies very rarely pay ransoms, but health systems are always tempting targets because they are so high-profile.”

No conflict of interest.