eHealthNews.nz: Information Governance

Health executives need access to cyber-criminal profiling - report

Sunday, 30 April 2023  

NEWS - eHealthNews.nz editor Rebecca McBeth

Te Whatu Ora executives should have access to cyber-criminal profiling to get insight into likely behaviour following a successful cyber-attack, a report on the Waikato DHB attack says.

The report also recommends eliminating technical debt as quickly as possible, saying the risks associated with a cyber-attack will grow as the Te Whatu Ora data ecosystem becomes more integrated.

Waikato DHB was hit by a ‘large-scale criminal ransomware attack’ on May 18, 2021, causing a full outage of its Information Services across the region. Surgeries were postponed, and patient and staff details were stolen then later posted online by the cyber criminals.

A report analysing the response says Waikato DHB was targeted using a ransomware-as-a-service (RaaS) product, which allows cyber criminals to buy or lease ransomware on the dark web. The attacker sent an extortion email on 23 May 2021, but paying it was never an option.




It was later discovered that the cyber criminals never breached the medical network, only gaining access to the corporate network. The incident was formally closed on 10 November 2021, but most services were back much sooner.

The report says “cyber-criminal profiling needs to become a thing for Te Whatu Ora” to help decision makers calibrate apparent risks against likely attacker conduct.

National chief information security officer (CISO) Sonny Taite says Te Whatu Ora is implementing greater use of threat intelligence, “including proactive threat detection across the entire sector and improving our understanding of the behaviour of threat actors targeting healthcare”.

The report says the recovery process has led to many improvements that reduce both the likelihood of another successful attack and the impact it may have.

However, it concludes that funding and resource constraints will mean continued reliance on legacy systems and technology for some time across the health system and this creates a “system that is, overall, weaker than we would want”.

A lot of legacy systems in use in the health system are important but have low security, operating in ‘high trust’ environments.

“High trust is good for people but not for IT as the trust level has, invariably, not been validated. As Te Whatu Ora integrates and consolidates, it will want to ensure it does not inadvertently create a larger and more attractive target, in particular by making assumptions with respect to trust,” the report says.

The authors suggest a commitment to eliminate technical debt as quickly as possible, combined with compensating security controls.

These include mandated systematic logging and monitoring, controls on the number of privileged access accounts and the activities they are permitted, and data segmentation.

“The result will be some loss of flexibility and utility for a time. But the alternative is permanent vulnerability. We judge that unacceptable and indefensible to the public,” it says.

The report says planning for future incidents needs to be undertaken at a national level, and building and maintaining a national skills capability for health-related security expertise should be a priority.

The National Cyber Security Uplift (CSU) programme was launched in late 2021, with just over $75 million in funding from Cabinet.

Taite says Te Whatu Ora is consulting with kaimahi on a proposal for a new cyber security operating model.

“The proposed model is designed to centralise security resources across the sector, lift cyber security maturity, and achieve better security outcomes. The proposed structure provides increased leadership, management, delivery, and support for cyber security across the sector,” he says.

A new National Security Operations Centre (SOC) is in its formative stages and will become the single point of call when it comes to threat detection, response, and recovery following a potential incident.

Te Whatu Ora is also working to increase staff understanding and awareness of cyber security, including running a series of incident response simulation exercises and phishing simulations, to help people spot and react to suspicious cyber activity.

It is updating the Health Information Security Framework (HISF) to better suit the new health operating environment in Aotearoa and make the framework easier to understand and adopt, and is implementing new security technologies, solutions and services.

Te Whatu Ora is also running a pilot for a new Cyber Academy, which includes exploring a work-based pathway into cyber security for rangatahi.

“Cyber security is an ongoing process of risk management, and we will continue to develop and adapt our work focus as needed in an ever-changing digital landscape,” Taite says.


