eHealthNews.nz: Information Governance

Remote working escalated risk in Waikato’s IT environment - report

Monday, 15 May 2023  

NEWS - eHealthNews.nz editor Rebecca McBeth

The need to rapidly adopt hybrid ways of working and new technologies in response to the Covid-19 pandemic had escalated risks to Waikato DHB’s IT systems when it was hit by a cyber-attack in May 2021, a report says.

The report analysing the attack also notes that the hospital’s IT and clinical teams initially lacked insight into each other’s domains and says it will be important for Te Whatu Ora to “ensure that clinical and IT teams plan for both security and incident response in close and permanent coordination”.

Waikato DHB (WDHB) was hit by a ‘large-scale criminal ransomware attack’ on May 18, 2021, causing a full outage of its Information Services across the region. Surgeries were postponed, and patient and staff details were stolen and later posted online by the cyber criminals.

“WDHB told us that the rapid changes made to support remote working as well as the need to adapt and respond to the pandemic was material to the state of IT systems at the time of the attack,” the report says.


“They explained that the hospital IT environment went rapidly from having been designed to operate in a risk context largely limited to the physical location of the hospital(s) with fragmented and minimal digital access beyond those physical environments, to one where they were forced to rapidly adopt hybrid ways of working and new technologies, with a consequent escalation of risks arising from greater remote access.”

The Ministry of Health said that it had warned DHBs of the security risks of a large-scale move to remote working in an advisory on Covid-specific cybersecurity threats, which included ransomware targeting healthcare.

The report says Covid-19 was only one contributing factor to the state of Waikato’s IT environment, and that health systems were more networked and more dependent on data exchanges than had been “consciously realised”.

“The health data ecosystem has evolved, as an emergent network over many years. This process has been largely clinician-driven, in many cases without the knowledge of IT teams,” it says.

The former DHB’s first response to the cyber-attack was to physically disconnect all of its services from the Internet and other health systems, including corporate IT systems, laptops, printers, phones, medical devices, and any cloud services.

This affected healthcare provision across the region as well as other DHBs and primary and community providers who used shared services.

Initially, Waikato took a risk-averse approach to reconnecting systems, and the process focused on server restoration rather than service restoration, but this was of limited use as it was not clear to the IT team how servers connected to services.

“This meant even when the incident response team remediated a significant number of servers, this did not necessarily translate into the effective restoration of services from the viewpoint of the hospitals,” the report says.

The IT team initially lacked a good insight into the way healthcare was delivered, and vice versa, but clinical and technical experts worked together on a ‘wave’ plan to reconnect services.

The incident was formally closed on 10 November 2021, but most services were back much sooner.

The authors recommend that Te Whatu Ora commission risk modelling based on actual health IT systems (including legacy systems) to assess exactly how vulnerable they are to cyber intrusion and consequent compromise and degradation.

Waikato DHB was disestablished in July 2022 and is now called Te Whatu Ora – Waikato.

