Shared Digital Health Record rollout delayed as Health NZ tightens cybersecurity requirements

NEWS  - eHealthNews editor Rebecca McBeth

Health NZ has extended the timeline for rolling out the Shared Digital Health Record, citing the need to complete additional security and due diligence checks before patient data can be shared.

The decision follows three major data breaches affecting New Zealand health providers in the space of three months.
Immunisation and medication data, originally expected to be available through the Shared Digital Health Record earlier in 2026, is now expected to be shared later in the year. 

Primary care data has also been pushed back with clinician access now expected from mid-2027, rather than mid-2026.

An update from Health New Zealand links the delay to requirements under the Government Digital Delivery Agency's (GDDA) Information Sharing Standard, which it must comply with before sharing personal information with third parties, including primary care practices and clinics.

Health NZ says that four steps must be completed before data sharing can start; an information sharing and security awareness initiative, due diligence checks, signing of the Health NZ Information Access and Use Agreement, and patient notification about the new data service.

The New Zealand health sector has recently suffered what one expert described as a “feeding frenzy” pattern of cyberattacks. Three breaches; at ManageMyHealth, MediMap, and Auckland-based private healthcare provider IntraCare, occurred within three months of each other in late 2025 and early 2026.

The ManageMyHealth breach was detected on 30 December 2025, MediMap was compromised in February 2026, and IntraCare detected unusual activity within its IT environment on 20 March 2026.

In response, Health NZ is rolling out an information sharing and security awareness initiative running from the end of June to August 2026. The initiative is aimed initially at Primary Health Organisations (PHOs) and their primary care practices, as well as providers of telehealth, urgent care, and after-hours services.

Support available includes webinars, a security checklist, quick reference guides, learning modules, a central online hub, regional workshops with PHOs, and targeted support for practices as requested. 

A Security Checklist for health service providers, developed in collaboration with General Practice New Zealand (GPNZ), is based on the National Cyber Security Centre's Minimum Cyber Security Standards and aligned to the Cyber Security Capability Maturity Model (CS-CMM). Organisations wanting to share information with Health NZ must meet at least CS-CMM Level 2, described as the "Baseline" rating.

The checklist covers ten standards, including risk management, security awareness, asset management, secure configuration, patching, multi-factor authentication, detection of unusual behaviour, least privilege access, data recovery, and response planning.

Once due diligence is complete, Health NZ will sign an Information Access and Use Agreement with health service providers, and a separate agreement with IT vendors.

Health NZ describes the initiative as a collaboration rather than a compliance exercise where the organisation is looking to “partner with providers to build confidence, capability, and consistency across the system”.

If you would like to provide feedback on this news story, please contact the editor Rebecca McBeth.

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more National Systems & Strategy news

Return to eHealthNews.nz home page