CISO warns of phishing attack on health system
Wednesday, 12 June 2024
NEWS - eHealthNews.nz editor Rebecca McBeth 
A live phishing attack is targeting the New Zealand health system and staff should be cautious of emails that may compromise their organisations, says chief information security officer (CISO) Sonny Taite.
Taite spoke at a Health New Zealand Te Whatu Ora stakeholder hui in June where he said the team had become aware of a phishing campaign targeting the collective health system.
The malicious campaign is impacting up to 13 small and large organisations across the health sector.
“We would like you to be very aware and cautious of emails that are being shared from compromised and impacted health organisations,” he said.
“They are relying on the trust that we have with each other to compromise an email account and then use that email account to share phishing scam emails to you all.”
He said the emails appear legitimate as they look like a file sharing invitation from Microsoft OneDrive or Microsoft SharePoint, but then ask for the person’s username and password to harvest those credentials.
“We are aware of it and the PHOs are working to bring that knowledge and that awareness to you all as well,” he told the hui.
He said the New Zealand health system is “fairly constantly under attack”. Another common target is ‘internet facing technology devices’ and there is also a significant increase in attacks on cloud computing environments.
Taite said Health NZ has refreshed the Health Information Security Framework (HISF) to make it easier for organisations to understand where to go for information and use this security framework to plan ahead.
Guidance is now provided for four different types of organisations: hospitals; micro to small organisations; medium to large organisations; and suppliers.
Health NZ chief executive Margie Apa said cybersecurity is hugely important for protecting against bad actors, and to ensure public trust in the health system holding their personal data.
“We operate on the trust and confidence of our communities and patients and people who gift us the information to help us do our work,” she said.
Apa said the HISF will become core to the way that Health NZ commissions and engages with providers and that providers should set expectations with their IT vendors.
“The Health Information Security Framework should be a really useful guide when you are negotiating with your vendors and providers of ICT services,” she said.
“The onus is on the vendors to demonstrate how they are going to help you ensure that you are able to meet those security, privacy and also cybersecurity resilience issues.
“I would encourage colleagues to see the Health Information Security Framework as another helpful checklist when you are assessing your own vendor’s performance and also selection of vendors.”
On June 25 Taite provided an update saying the cybersecurity team is "seeing reduced incidences of this particular phishing scam reaching our people, however we are encouraging everyone to remain vigilant.
"This latest scam is a timely reminder that phishing emails are increasingly common and that people should always be cautious when receiving and opening emails, and especially before clicking on links or entering personal information," he tells eHealthNews.
Some good advice to follow is:
- Check the sender - even if it is someone you have dealt with before, are they sending you email content they typically would?
- If they are sharing a document, were you expecting them to send you something? Does the document name sound legitimate?
- Scammers can use legitimate services such as Microsoft, which may initially give a feeling of legitimacy. Check each page that appears the whole way through.
- If you are being asked to re-authenticate, check that this is how you would normally do this – check the URL.
- If you click a link and are asked to enter your username and password, then stop, and look at the steps above.
If you do think you’ve clicked a link or entered some information you shouldn’t have, you should contact your IT team or supplier, and let CERT NZ know.
Picture: CISO Sonny Taite presenting at the June stakeholder hui