Hackers have reportedly threatened to release the health information of over 120,000 Kiwis unless a ransom is paid by 5 am tomorrow.
Manage My Health, which holds health information on over 1.8 million New Zealanders, was hacked early last week and began notifying affected patients today. A government review has been commissioned to investigate the incident.
The SMC asked experts to comment on the security breach and its implications.
Dr Vimal Kumar, Senior Lecturer, Head of Cyber Security Lab, The University of Waikato, comments:
“It is obvious that once people affected by a data breach come to know of it, they will be worried about their safety and their data. The best practice, therefore, after a data breach is to communicate quickly and clearly to affected users. It has taken MMH 9 days to reach out to affected users, which is unacceptable.
“I think something that isn’t getting much attention is the close integration of MMH with the MedTech Practice Management Software. This is because both of these software products were once part of the same company led by the current MMH CEO. This tight integration makes it hard and costly for GP practices to discard MMH and use a different patient portal, even when armed with the knowledge of MMH’s poor cybersecurity practices. It is also anti-competitive and gives MMH an unfair advantage.
“In terms of the company storing historical data of users no longer using MMH, parallels can be drawn with the Latitude Financial hack of 2023, where Latitude was also hoarding data that was decades old. It seems nothing was learnt in this case. The MMH CEO has offloaded the responsibility of deleting their old accounts onto the patients, but in reality many people get signed up to such portals by their GPs switching to the platform. It should not be the patients’ responsibility to delete such old accounts if they did not individually get into a contract with the platform.
“Security can be strengthened and security lapses minimised but it can never be guaranteed that breaches will not happen. In addition to standard security practices, organisations should be very mindful of keeping data that is no longer needed. We definitely need stricter regulation and penalties for failure to comply.”
Conflict of interest statement: “No conflict of interest to declare.”
Dr Ulrich Speidel, Senior Lecturer in Computer Science, University of Auckland, comments:
“Essentially, hacking of this sort has been a business for many years. Hackers try many targets but concentrate on those with the weakest security and those for whom the disruption caused by an attack is most likely to yield a ransom payment. Manage My Health is attractive because of the scale of damage that the attack could have caused, and the – at least perceived – wealth of the company, which translates into an ability to pay. They wouldn’t have tried this on your fish ‘n’ chips shop around the corner.
“How do hackers ‘get in’? Usually, it is one of three choices:
“1) Weak administrator passwords.
“2) Human gullibility: phishing attacks, where a hacker tricks an administrator into handing over a password, usually by sending them an authentic-looking e-mail with a link to a site that poses as the real site but is actually a fake run by the attacker, who then obtains the password as it is being entered there. This is not a likely scenario here.
“3) Security holes in the technical implementation of the system. In this case, the driving force is often the complex nature of such systems, which consist of a large number of different pieces of software. Traditionally, software developers are trained to make computers do what they are meant to do. But ensuring that the software then also doesn’t do things it is not meant to do often takes a back seat – and this is where developers create vulnerabilities which attackers can exploit.
“These come in many varieties, and most larger software projects end up inadvertently producing such vulnerabilities. The number of vulnerabilities and attack techniques discovered and published on a weekly basis is in the hundreds, and not all become public. These could affect the operating systems involved, but also the web server and database platforms, or – and these usually don’t become public – the site-specific applications built for a system such as Manage My Health.
“Operating systems and platforms are an attractive attack target because so many organisations use them. At a very minimum, running a sensitive system requires regular scanning for such vulnerabilities and fixing them before hackers exploit them. But this is personnel-intensive and therefore expensive, and doesn’t add to the day-to-day functionality of a site – so it’s often not where management focus is. They’d rather invest in adding an AI bot because that’s what’s currently fashionable.
“The ‘Why would they come for us?’ attitude is unfortunately still very widespread in management circles – the simple answer is ‘Because you run platform XYZ like a million other organisations do, and the hackers probe systematically who runs that platform and who hasn’t updated it or who has weak passwords. And when they find that you do run XYZ, they assess your value as a target (see above) and then they strike.’
“IT staff who try to focus on operational security are often labelled obstacles on the road to glory and get ignored. But just because you are managing an IT company and you understand the benefits of the product you are offering does not mean that you understand the risks that are buried in your IT. This is almost universally true for large organisations, and it’s why we keep seeing such high profile incidents.
“There are industries that are doing vastly better – aviation and the electrical industry come to mind. It’s easy to build a plane that flies, but building one that does so safely is much, much harder – and so taking a leaf out of their book might help.”
Conflict of interest statement: “Not aware of any conflicts of interest beyond being affected by hacks of organisations that I use just like everyone else.”
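The systematic probing Dr Speidel describes (who runs platform XYZ, and who has not updated it) seen from the defender’s side. This is an added example, not code from the SMC page or from either expert: it checks a constructed inventory of server banners against the first fixed release of a hypothetical platform “XYZ”. The hostnames, the banners and the fixed version 4.10.2 are all constructed for the illustration.

```python
"""Patch-lag check over a constructed server-banner inventory.

Added example (not from the SMC page or either expert). "XYZ", its version
numbers, the fixed release and every hostname below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory of (hostname, HTTP Server banner); none of these are real hosts.
INVENTORY: List[Tuple[str, str]] = [
    ("portal-01.example.test", "XYZ/4.10.2 (Linux)"),
    ("portal-02.example.test", "XYZ/4.9.7 (Linux)"),
    ("portal-03.example.test", "XYZ/4.10.10"),
    ("legacy.example.test", "XYZ/3.12"),
    ("api.example.test", "XYZ"),             # version suppressed: cannot be assessed from the banner
    ("db-gw.example.test", "nginx/1.25.3"),  # a different product, out of scope for this check
]

# Hypothetical: the first release of XYZ that carries the fix being checked for.
FIXED_VERSION = "4.10.2"

# Matches the XYZ product token and, if present, its dotted version.
# The lookahead rejects look-alike tokens such as "XYZZY/1.0".
_BANNER_RE = re.compile(r"^XYZ(?:/(\d+(?:\.\d+)*))?(?=\s|$)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.10.2' -> (4, 10, 2).

    Tuples compare component-wise, so 4.10.10 > 4.9.7. A plain string
    comparison gets this wrong ('4.10.10' < '4.9.7') and would mark an
    up-to-date host as vulnerable, or worse, a stale one as patched.
    """
    return tuple(int(part) for part in text.split("."))


def classify(banner: str, fixed: str = FIXED_VERSION) -> str:
    """Return one of 'not_xyz', 'unknown', 'vulnerable' or 'patched' for one banner."""
    m = _BANNER_RE.match(banner)
    if m is None:
        return "not_xyz"
    if m.group(1) is None:
        return "unknown"  # banner hides the version: verify on the host instead
    return "patched" if parse_version(m.group(1)) >= parse_version(fixed) else "vulnerable"


def scan(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status so the 'vulnerable' and 'unknown' buckets can be worked."""
    report: Dict[str, List[str]] = {"vulnerable": [], "unknown": [], "patched": [], "not_xyz": []}
    for host, banner in inventory:
        report[classify(banner)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in scan(INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Two caveats a practitioner would add. A banner is only a hint: distribution vendors routinely backport fixes without bumping the advertised version, so a host that reads “vulnerable” here may be fine, and the authoritative check is the package manager or the platform’s own update record on the host. And a hidden version does not make a host safe; the ‘unknown’ bucket is a to-do list, not a clean bill of health, because an attacker probing systematically will simply test the exploit rather than trust the banner.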
