Report into Waikato DHB cyberattack forwards cybersecurity recommendations
An analysis report concerning last year's cyberattack on the former Waikato District Health Board has given several recommendations to beef up cybersecurity across New Zealand's health system.
The Ministry of Health had engaged managed cybersecurity service provider InPhySec Security to review the 18 May incident and provide advice on what can be learned from it.
RECOMMENDATIONS
One of the report's major recommendations is a cybersecurity design which involves data segmentation, identification of high-risk data assets, the use of encryption for data, access controls, and systematic logging and monitoring across the health system's data estate, including legacy systems.
"The design phase can limit damage in the event of an intrusion and make the system more resilient," it said.
The report also forwarded some typical post-incident recovery recommendations such as patching, regular exercise of incident response plans, and having the "closest possible" controls on the number of privileged access accounts and the activities permitted to them.
InPhySec Security also wanted the government to "systematically" make investments to eliminate unsafe legacy systems, fully utilise well-managed cloud systems, and accommodate the increasing use of internet-connected medical devices in a safe manner. It also wanted the government to invest in IT upskilling and provide clear frameworks – for example, a code of connection that sets minimum cybersecurity requirements for all IT users.
Moreover, the report suggested updating the health system's Coordinated Incident Management System framework and requiring healthcare staff to comply with the rules on connecting systems, using new devices, and accessing data. "This will be a big cultural shift for many, including hard-pressed clinicians. There is no real alternative, but it should not be underestimated," it stressed.
In the event of cyber incidents, it is recommended that the response and transition to recovery be "intelligence-led" with incident managers thinking like hackers. "[I]ncident managers need to be able to use technical and behavioural information to draw defensible, testable assessments, and inferences about the likely behaviour of the attackers," the report explained.
Finally, the report recommended conducting a simulation of cyber incidents to practise disruption in a virtual environment.
THE LARGER TREND
In response to the report, Sonny Taite, Te Whatu Ora's National CISO, said they have accepted the recommendations in principle.
To date, the organisation has taken steps to further secure its IT systems, including the launch of the NZ$75 million ($47 million) National Cyber Security Uplift Programme late last year. The programme, Taite said, is already addressing some of InPhySec Security's recommendations, such as planning a series of incident response simulation exercises, updating the Health Information Security Framework, hiring additional security colleagues to join the uplift programme, and implementing new security technologies to protect legacy systems. A Cyber Academy is also being planned to explore a work-based pathway into cyber security.
"Cybersecurity is an ongoing process of risk management, and we will continue to develop and adapt our work programme in an ever-changing digital landscape," Taite said in a separate statement.
Meanwhile, the Health Ministry has also come up with a strategy and two-year action plan to enhance health data collection, management, use and sharing across the health system. The Data and Information Strategy for Health and Disability seeks to engage healthcare consumers about the collection and use of their personal health data, ensure quality, accessible data, support a more cohesive system and develop accessible digital health services.
Also late last year, the ministry negotiated a single digital services contract with Microsoft to get more cybersecurity tools for the country's health and disability system.
Following the Waikato DHB hack last year, the Pinnacle Midlands Health Network became the subject of a cyberattack in late September. It was reported that the hackers had accessed health information between 2016 and 2022 and some of Pinnacle's corporate information from its third-party server. Two weeks after the hack, the compromised data was confirmed to have been leaked on the dark web. Pinnacle is still trying to identify whose information was exposed in the leak.
ON THE RECORD
"Implicit in all of this is our view that cybersecurity is a continuous process in an environment of permanent challenge. It will never be ‘solved’; rather, the criminal threat to our data must be managed down, designed out, and then ultimately accepted at a genuinely residual level. This is a task that will never be finished. That means changes in attitude and behaviour across the whole system by everyone. It means more resources – money and skilled people – if it is to be effective. Above all, it can’t just be left to the IT folk," the InPhySec Security report noted.