My View - From review to reset: what the MMH breach must change for digital health in Aotearoa
VIEW - Damon Campbell, Chief Operating Officer, WellSouth Primary Health Network
The true significance of the Manage My Health data breach will not be determined by how thoroughly it is investigated, but by whether the health sector uses this moment to fundamentally improve how digital health data and systems are designed, governed and protected in Aotearoa.
If we do not get that right, we risk undermining the very tools and digital capability that increasingly support patient care when it is needed most.
Time to review
With the Ministry of Health and Privacy Commissioner's reviews now underway, this is an important moment. Reviews, inquiries and reports are familiar tools in the health system, particularly following high-profile incidents. However, experience shows that the value of these processes lies not in the documentation itself, but in whether they lead to clear, practical, and enduring change.
For digital health, that bar must be set high. Otherwise, we risk regression at a time when trust is already fragile. Even highly digitally capable general practices, including some in our region, are questioning whether the ‘system’ can be relied upon to keep data secure.
Digital systems are no longer peripheral to care delivery. Patient portals, shared care records, analytics platforms and integrations between primary and secondary care are now core infrastructure. They shape how clinicians work, how patients engage with their care, and how information flows across the system. Here in the South, many general practices rely heavily on digital infrastructure to sustain care delivery amid a constrained workforce, particularly in rural areas where on-site daily clinical coverage is not always possible.
As a result of this reliance, cybersecurity and privacy can no longer be treated as technical considerations or compliance exercises that sit alongside delivery. They are fundamental design principles that must be embedded from the outset and that are essential to rebuilding trust.
Looking forward
What the sector now needs from the Manage My Health reviews is not simply a retrospective analysis of what went wrong, but a forward-looking framework that helps us, as a nation, deliver digital health better and more safely. That framework needs to provide clarity on expectations, roles and accountabilities across the ecosystem, including vendors, health organisations, funders and regulators. More than that, it must work and regain the trust of clinicians and patients.
Without that shared understanding, responsibility remains fragmented, and risks are pushed downstream to the organisations and clinicians closest to patients.
One of the most pressing challenges exposed by recent cyber incidents is the inconsistency in security maturity across digital health platforms. Some organisations invest heavily in cyber governance, independent assurance and continuous monitoring, while others operate with minimal oversight and legacy approaches that no longer reflect the threat landscape. A system that relies on voluntary uplift or variable standards is inherently fragile. The reviews must therefore help define what “good” looks like in practice, including baseline security expectations that are proportionate to the sensitivity and scale of the data being held.
Equally important is transparency. In a digital health environment built on trust, patients and clinicians need confidence that when things go wrong, information will be shared early, clearly and honestly. This is not about blame. It is about enabling informed decision-making, managing risk and maintaining confidence in the system as a whole. Clear expectations around communication and disclosure should be a core outcome of the reviews, not an afterthought.
Opportunities for change
The reviews also present an opportunity to strengthen cyber governance at a system level. Digital health in Aotearoa has grown rapidly, often through a mix of national initiatives, regional solutions, and vendor-led innovation. While this has delivered real benefits, it has also created complexity and uneven oversight. A more coherent approach to assurance, certification, and ongoing monitoring of digital health platforms would reduce duplication, build confidence and trust, and allow organisations to focus on delivery rather than constantly revalidating the same risks in isolation.
Importantly, any path forward must recognise the operational realities of the health sector. General practices, community providers, and PHOs are not technology companies, yet they are increasingly expected to manage sophisticated digital risk alongside delivering care. A safer digital health system is one that supports these organisations with clear guidance, shared tools and system-level investment, rather than transferring risk without the means to manage it.
At its core, this is about trust. Health data is among the most sensitive information people hold, and the expectation that it will be protected is both reasonable and non-negotiable. When that trust is undermined, the consequences extend beyond the immediate incident. Confidence in digital services erodes, adoption slows, and the potential benefits of digital health are harder to realise. The Manage My Health reviews are therefore a pivotal moment. They can either reinforce a pattern in which each incident is treated as isolated and exceptional or mark a genuine reset in how we approach digital health safety across the system. The latter requires courage, coordination and a willingness to move beyond minimum compliance towards shared responsibility.
If we get this right, the outcome will not just be stronger cybersecurity. It will be a digital health environment that is more resilient, more transparent and more worthy of the trust that patients and clinicians place in it every day.