Digital health systems should be treated as critical infrastructure

NEWS - eHealthNews.nz editor Rebecca McBeth

Digital health systems should be treated as critical infrastructure as security failures directly impact patient safety, experts say. 

Aged Care Association (ACA) chief executive Tracey Martin says the MediMap incident highlights how dependent modern care delivery has become on digital systems and this means security, redundancy and contingency planning must be treated as core health infrastructure responsibilities. 

Medical IT Advisors chief executive Faustin Roman agrees, saying that that healthcare IT should get similar regulatory treatment to other critical infrastructure sectors, with appropriate assurance and enforcement mechanisms. 

Digital platform MediMap is used widely for prescribing, pharmacy dispensing, and medication administration in aged residential care, disability services, hospices, and community health settings. 

It was taken offline after detecting a security breach on 22 February, creating immediate operational impacts on aged care facilities across New Zealand and forcing providers to shift to manual systems to ensure residents continued receiving medications safely. 

Tracey Martin says digital medication systems bring real benefits by reducing transcription errors, supporting coordination between GPs, pharmacies and facilities, and strengthening clinical oversight.  

“But they are now critical infrastructure," she tells eHealthNews. 

"When they fail, whether through cyber breach or system outage, the pressure shifts immediately onto frontline staff." 

Martin says that manual processes are safe when done well, but are more labour-intensive and increase fatigue and workload risk.  

“That is why cybersecurity and system resilience can't be seen as 'IT issues'. They are patient safety issues,” she says. 

Roman, a certified ethical hacker with more than 10 years' experience in health IT security, does not agree with recent chatter on social media and Health NZ’s position on the MediMap incident, which places sole responsibility for security on platform vendors.  

"I do not agree that any organisation should ever be solely responsible: cybersecurity will always be a shared responsibility" he tells eHealthNews. 

“Providers have primary responsibility of certain controls, however other stakeholders need to play their part, e.g. users must be cyber-aware and protect their credentials, government agencies should enforce minimum standards, healthcare organisations should do regular assessments and third-party assurances,” he says. 

Roman argues that healthcare IT should get similar regulatory treatment to other critical infrastructure sectors, with appropriate assurance and enforcement mechanisms. 

“Regular penetration testing and security assurance should become standard practice, particularly as technology ages and threat levels increase.” 

He believes that New Zealand's approach to healthcare cybersecurity is still immature compared to other jurisdictions with a lack of enforcement mechanisms, assurance, incentives or liabilities. 

New Zealand's Privacy Act maximum fine of $10,000 contrasts sharply with penalties under Australia's privacy legislation or Europe's General Data Protection Regulation. 

Despite recent high-profile incidents, Roman there has been surprisingly low inquiry levels from health IT companies seeking security reviews and advice. 

While there was initial uptick in activity following the Manage My Health breach in late 2025, the MediMap incident has generated far less response than expected. 

"There is a time for talking and planning that maybe was about 10 or 15 years ago, and then there is the time to actually act, which is probably yesterday,” he says. 

Martin says the ACA has maintained regular contact with members since the MediMap incident, providing clear practical guidance and ensuring Health NZ understands the operational impact on facilities. 

"Our members showed resilience and professionalism, as they always do, but this event is a reminder that system-wide digital security matters deeply to aged care and needs to be prioritised accordingly,” Martin says. 

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page