Cyber testing of 600 health websites reveals vulnerabilities
Thursday, 24 October 2019
Picture: Ministry of Health deputy director-general data and digital Shayne Hunter and director-general Ashley Bloomfield at a media conference about the security scan findings.
eHealthNews.nz editor Rebecca McBeth

Three district health boards had websites with the same potential vulnerabilities as those exploited in the Tū Ora Compass Primary Health Organisation cyber-attack, a national website security scan has revealed.
The Ministry of Health says the affected DHBs have acted to mitigate the risk.
It has chosen not to name the DHBs because none of these websites contained private patient information.
The national review of health services’ website security was ordered this month after an investigation following a breach of Tū Ora Compass’s website revealed evidence of four attacks by cyber criminals dating back to 2016.
The hacks potentially exposed patient data on more than 900,00 people from the greater Wellington, Wairarapa and Manawatu regions.
Six hundred websites operated by DHBs and PHOs were scanned by the Government Communications Security Bureau’s National Cyber Security Centre to assess if they had the same vulnerabilities as those that enabled the Tū Ora Compass breach.
The NCSC scanning identified five websites operated by three DHBs as having potential vulnerabilities. One was a “false positive”, where subsequent analysis showed the vulnerability had previously been patched and the site was secure.
All DHBs, DHB shared-service organisations and PHOs have also been asked to assess whether their external facing systems have appropriate security and privacy controls in place and have provided this information to the Ministry.
The Ministry will commission independent external reviews of the externally facing systems at all DHBs and PHOs where external assurance cannot be provided and will work with companies with expertise in this area.
“Where organisations have separately commissioned external audits or reviews themselves, these are to be independently assessed to ensure they satisfy our expectations regarding appropriate security and privacy of information,” a Ministry statement says.
David Parry, head of department of computer science at AUT, says it is concerning that three DHBs have the same vulnerabilities in their websites.
"This confirms that the public health sector as a whole is not investing in IT people and technology at an appropriate level for the 21st Century," he says.
Parry says the external audits are important as they will most likely reveal other issues.
He says it is unfortunate that there are very few incentives for health sector organisations to work together by sharing best practice around security.
He believes the government should consider how it can give clear and consistent support for safe and effective use of information as privacy models are out-of-date and ineffective if security is not adequate.
"Patients have the right to expect that their data will be protected and used effectively, but in many cases they are not even aware of how it is collected, used, or by whom," he explains.
"Investment in this area is vital along with top-level management awareness and education, and clear guidance about the law in this area."