eHealthNews.nz: News Articles

Cyberattack prompts national review of health systems security

Sunday, 6 October 2019  

eHealthNews.nz editor Rebecca McBeth

 

The Ministry of Health is working with primary health organisations and district health boards to check the security of their systems following revelations that health data on more than 900,000 patients may have been illegally accessed by hackers.    

 

PHO Tū Ora Compass Health had its website defaced in August 2019 during a widespread global cyber incident, prompting the organisation to take its server offline and strengthen IT security.

 

Tū Ora immediately informed the Ministry and an investigation has since revealed evidence of four attacks by cyber criminals dating back to 2016.

 

Tū Ora says data may have been accessed on more than 900,000 people from the greater Wellington, Wairarapa and Manawatu regions and could include data going back to 2002.

 

The attack also most likely exposed information held by other PHOs, as Tū Ora provides data services to THINK Hauora and patient services to Cosine, Te Awakairangi Health Network and Ora Toa.

 

The PHO has referred the illegal access to the Police, who are investigating.

 

Director-general of health Ashley Bloomfield says the Ministry is working with other PHOs and DHBs to check the security of their systems and, if necessary, ensure this is strengthened.

 

Additional monitoring and cyber 'stress testing' of DHB and PHO computer security is underway. 

 

The Ministry has been working with the Government Communications and Security Bureau’s National Cyber Security Centre to investigate the intrusion and check if other PHOs and DHBs might be at risk.

 

“This work is ongoing and we expect to have an initial assessment in the next two weeks,” he says.

 

The MoH is also commissioning further independent reviews of the security of PHO and DHB information systems.

 

“The Ministry of Health and the GCSB believe the testing now underway will identify areas where further action can be taken to strengthen information security measures at PHOs and DHBs,” says Bloomfield.

 

The Ministry will be publicly reporting on progress with this work for the remainder of this year.

 

Three DHBs have already identified potential vulnerabilities in their websites, exploited by the Tū Ora hackers.

 

A statement from Tū Ora says that, “despite careful investigation, we cannot say for certain whether or not the cyber-attacks resulted in any individual patient information being accessed.”

 

The PHO cannot tell whether patient data was accessed because it does not have audit logs dating back to 2016.

 

While it does not hold any GP notes, the PHO does hold data on who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address.

 

It also holds some medical information related to immunisations, diabetes, vaccinations and screening.

 

The PHO’s FAQ page says patients consented to this data being collected when they enrolled with their GP and signed a consent form for data collection and use of health information.

 

“At the moment it is not possible to opt out of this arrangement due to system limitations. But we are working with the Ministry of Health and other agencies to consider this for the future,” the statement says.

 

The August attack prompted Tū Ora to strengthen IT security by moving its public websites to a new platform, enhancing anti-virus and email scanning software, implementing a security incident and event management system, implementing a web application firewall and establishing a security operations centre for real-time monitoring and resolution of cyberthreats.

 

The PHO is also part way through a planned move to the fully secure cloud environment on Microsoft Azure, which is expected to be complete by April 2020.

 

“Tū Ora will be using the advanced threat protection features available from our investment in the Microsoft 365 suite of products, including device and application protection, data loss protection and full data encryption,” a PHO statement says.

 

Bloomfield says that “before making details of the cyber intrusion public, we wanted to ensure the Tū Ora Compass information systems were secure and that there were appropriate supports in place for people who may be concerned at potential disclosure.

 

“We also needed to ensure publicity wouldn’t increase the risk of further online harm.”

 

Additional support, such as counselling, health advice or other services, has been arranged for people distressed or anxious about the unauthorised access.

 


 
