General Practice New Zealand (GPNZ) welcomes the shared conclusions of three reports into the Manage My Health (MMH) privacy breach, saying the findings reinforce the need for a coordinated, system-wide approach to privacy and security across the health sector.

“With these recommendations in place, we expect to see rapid and meaningful system improvements that will ensure the protection of patient information, with clear standards and accountability,” says GPNZ Deputy Chair Justin Butcher. 

As the Ministry of Health report says, the experience ‘should serve as a call to action for the health sector, and New Zealand organisations more broadly, to improve cyber security controls and governance’.

GPNZ endorses the Ministry’s recommendation that ‘Health NZ comprehensively review and uplift its third-party risk management practices’.

“This is a clear theme across the separate reports that needs urgent action. One of the most significant recommendations of the Privacy Commissioner’s report is the call for the Ministry of Health to establish a centralised and ongoing programme to verify that key health sector vendors are meeting appropriate security standards,” says Mr Butcher. 

“A nationally coordinated assurance function will help create greater consistency, clearer accountability and stronger confidence across the system, while reducing duplication and avoiding unrealistic compliance expectations being placed on frontline providers.”

GPNZ had an opportunity to provide feedback to the Office of the Privacy Commissioner during the inquiry process, and it is positive to see the final report acknowledge the practical limitations general practices face when dealing with complex security and contractual arrangements with vendors – issues the sector has raised for some time.

The OPC’s recommendation to consider amendments to the Privacy Act to ensure third-party technology vendors have direct obligations for maintaining appropriate privacy and security safeguards is a sensible and practical step.

“Small businesses such as general practices should not be left relying solely on contractual remedies when IT providers fail to meet appropriate standards,” says Mr Butcher.

General practices already understand the obligations they have around privacy and information security, with PHOs continuing to work alongside practices to support that work.

“Today’s findings reinforce the importance of regularly reviewing security settings, processes and governance arrangements, alongside stronger national assurance and better support for general practice.”

GPNZ has been working alongside Health NZ to develop practical resources for the sector, including a cyber security checklist and guidance for safe information sharing practices.

While the reports acknowledge the efforts of Health NZ and MMH in responding to the breach, GPNZ said there also needed to be stronger recognition of the extensive response led by PHOs and general practices across the country.

“Primary care teams carried a significant operational and relationship burden throughout this incident,” says Mr Butcher.

“Practices and PHOs were heavily relied on to support patients, respond to concerns, provide reassurance, gather information and help resolve issues in real time, at considerable time and cost.”

“That work was critical to maintaining patient trust and supporting the overall system response, and future breach response planning needs to properly recognise and incorporate the role of primary care.”

The safe sharing of health information is a vital element of modern healthcare, which, unfortunately, hackers will continue to try to exploit. The MMH breach was a wake-up call for us all, and these inquiries reinforce the additional elements we need to put in place to ensure the protection of that data.

GPNZ will continue working collaboratively with the Ministry of Health, Health NZ and its members to support ongoing improvements across the sector.

“This is about building a safer, more resilient and more trusted digital health system for patients and practices alike.”

Source: General Practice New Zealand media release

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

The Privacy Commissioner’s finding that Health NZ and Manage My Health had deficient security safeguards confirms what the PSA warned about in January: the health sector’s IT systems are under-resourced and vulnerable.

"This finding should be a wake-up call. Nearly 100,000 New Zealanders, many of them in Northland, had their most sensitive personal information stolen because security was not up to scratch," said Fleur Fitzsimons, National Secretary for the Public Service Association Te Pukenga Here Tikanga Mahi.

"Tomorrow’s Budget will make scandals like this a feature of public services in New Zealand as the Government moves to dismiss thousands of public servants. We know services are already being damaged, members tell us of the mounting toll cuts have inflicted."

"In January, the PSA called on the Privacy Commissioner to investigate the impact of cuts to Health NZ’s digital workforce. He declined. Since then, we have seen the Waikato payroll failure affecting 4,000 health workers, and OIA documents showing Health NZ’s own internal reports warned that cutting IT staff would increase risks to patient care and hospital resilience.

"The pattern is clear. Health NZ’s digital workforce has been cut by nearly 1,000 roles. The systems these workers maintained and protected are ageing and vulnerable. IT problems are taking longer to resolve. The people who understood those old systems and their weaknesses are gone.

"The Government needs to stop treating health IT as a cost to be cut and start treating it as the critical infrastructure it is. Properly resourcing digital services in the health system is not optional - it is essential to protecting patient safety and privacy.

"New Zealanders whose personal health information was stolen deserve better than this.

"We hope tomorrow’s Budget marks a turning point in health funding, and not more of the same - patient care must be a priority," said Fitzsimons.

Source: PSA media release

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

Today's Privacy Commissioner findings are important. Not only was the Manage My Health breach preventable, but it found that GP practices were not the source of the breach and could not have prevented it. During the crisis response we advocated strongly for this position.

Nearly 100,000 New Zealanders had their sensitive health information stolen, including many hundreds of affected patients in Otago and Southland. Yet our general practices largely bore the brunt of this crisis.

Everyone in the health sector has a responsibility to safeguard patient information, including general practice. However, practices trusted Manage My Health and Health New Zealand to have adequate protections in place, and that trust was misplaced. The Commissioner's recommendation that patient health portal providers be verified and approved centrally is exactly right. Practice teams should be able to focus on their core role: supporting the health and wellbeing of their patients.

Third-party digital health providers such as Manage My Health need to be held to the same standards as the health agencies they serve, but Health NZ also failed to uphold security obligations under the Health Information Privacy Code.

We therefore welcome the Commissioner's intention to issue formal compliance notices to both organisations. Described in the report as "the strongest tool currently available," these notices will require both parties to demonstrate that the necessary changes have been made and are working.

The systemic lesson here is one the sector needs to take seriously: digital innovation in health is vital, but it cannot outpace the privacy and security frameworks that protect people.

We have been closely watching this inquiry. We note that Health NZ's formal response plan will be published in July, setting out the way forward with regular reporting to the Board and relevant agencies. We will continue to track both the regulatory response and Phase 2 as they unfold.

Damon Campbell, Chief Operating Officer, WellSouth Primary Health Network. 

Source: WellSouth media release

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

‘A bad system will beat a good person every time’ -Deming -

System safety is about empowering everyone through positive leadership, quality guardrails, appropriate training and clinical governance, underpinned by a culture of excellence and continuous improvement. In a digital era, clinical safety extends to electronic systems that consumers, patients and healthcare workers use every day.

At Health New Zealand | Te Whatu Ora, we have co-developed a Digital Clinical Safety Framework in partnership with consumers, healthcare professionals, technologists and wider health system stakeholders. These concepts are incorporated into our National Clinical Governance Framework.

Digital clinical safety is two-fold. First, it is about ensuring the quality, safety and resilience of digital systems intrinsically. Second, it enables people using these systems to deliver safer, more effective and efficient care extrinsically. Safety-by-design forms a foundational tri-weave alongside privacy and security-by-design.

Our Digital Clinical Safety Principles:

Culture of Safety - We empower our people by weaving a korowai, or cloak of protection, via the fabric of quality and safety systems. Digital solutions are interwoven to enhance safety, clinical safety and digital clinical safety as part of a broader organisational safety culture.

Collaborative Design - Involve healthcare consumers, workforce, technologists and industry throughout the digital solution lifecycle, so that digital health tools are human-centred, fit for purpose, and deliver maximum value and widespread benefits across the ecosystem.

Embedding Equity - Ensure solutions are holistic, inclusive, culturally safe, embrace diversity, and break down barriers through safe use, co-design and evaluation of technology. By embedding equity within our digital health systems, we endeavour to improve equity of access to healthcare services, and ultimately equity of health outcomes for all peoples.

Balanced Decision-Making - Clinical, operational and digital teams play to each other's strengths, amplified via multi-lane cost-benefit assessments, allowing us to make robust and data-informed investment and prioritisation decisions through leadership and clinical governance.

Semantic Interoperability - Promote interoperability among systems. Ensure digital tools and data exchanges are seamless while promoting data sovereignty, data quality, veracity, integrity, security, and privacy.

Continuous Quality Improvement - Build a resilient Safety-II system into our digital health environment by promoting virtuous cycles, striving to make it easier to do the right thing and harder to do the wrong thing. Adapt and improve based on real-world experiences. Review near-misses to bolster resilience, incidents to close gaps, and continuously drive towards “better” by evaluating risks and vulnerabilities.

Embedding into Practice

These principles represent our values and help shape strategy. Frameworks need to be embedded to drive action and influence outcomes. The overarching goal is to bring teams from different backgrounds with different perspectives, skills and expertise closer together. Implementation into practice includes various actions/objectives across strategic, governance and operational levels:

Digital Investment - Digital initiatives, projects and programmes are prioritised using a clinical quality and safety lens.

Clinical Sponsorship - Clinically relevant digital initiatives require sponsorship from relevant clinical leaders at the appropriate level, so that there is senior leadership buy-in, ownership, championing and escalation pathways for clinical governance and risk management.

Clinical Collaboration - Clinically relevant digital initiatives require input from clinicians and consumers at appropriate phases across the delivery lifecycle (especially multidisciplinary, frontline and junior staff).

Hazard Logs - Digital risks can impact clinical care delivery. Hazard logs capture both clinical risks that could arise from digital systems and vice versa. The end of a project is not only the start of business as usual, but also continuous quality improvement. Living hazard logs continue to be co-reviewed at regular intervals by clinical and digital product owners, informing the need for future enhancement via a pragmatic risk-based and cost-benefit approach.

Training - Teams at every level require training according to their needs. Digital specialists with a grounding in health can speak the same language as healthcare workers, and vice versa. Groups cross-pollinate to build a truly integrated clinical-digital team. Likewise, leaders also need to be supported in terms of leadership, governance and evidence-based decision-making.

Standards - Embed relevant clinical safety, quality, data, digital, architecture and interoperability standards into product delivery lifecycles and roadmaps.

Metrics - Clinically relevant digital initiatives should have at least one quality and safety indicator measured as a key success factor, ideally automatically collected as part of monitoring and feedback loops.

Continuous Learning System - Implement an integrated system to capture feedback, incidents, near-misses, risks, mitigations and lessons learnt (and implemented), so that there is whole-of-system visibility, monitoring and assurance via continuous feedback loops. This builds upon Safety II resilience towards Safety III, emphasizing the interconnectedness between people, process and technology across complex adaptive systems, which is further enhanced by incorporating predictive analytics and risk modelling to monitor safety thresholds, especially in the era of AI.

Looking Ahead - Digital clinical safety is a core tenet of clinical governance in digital health. It is a building block for developing sustainable systems and the 10-year Health Digital Investment Plan (HDIP), led by the Centre for Digital Modernisation of Health.

Read more VIEWS

Return to eHealthNews.nz home page

Primary care practices across New Zealand can now access a national, discounted cyber security assessment designed specifically for general practice, helping strengthen protection of patient data and digital systems.

The offer is being rolled out by Health Accelerator, a national primary care led innovation group focused on developing and scaling practical solutions for general practice, in partnership with PenTest NZ (a brand of Altersec).

The initiative comes in response to cyber incidents that affected the health sector earlier this year, highlighting the need for reliable data privacy and for practices to better understand and strengthen their current cyber security settings.

Through the partnership, practices can access a 25% discount on PenTest NZ’s standard cyber security assessment for general practice, an average saving of around $1,000 off the base assessment.

The assessment is carried out independently by PenTest NZ and identifies and documents cyber security risks specific to each practice. Practices receive clear findings, tailored recommendations, and evidence demonstrating steps taken to improve cyber security and manage risk.

Paul Roseman, CEO at Health Accelerator, says cyber security is now a fundamental part of delivering safe, trusted care.

“Cyber security is more important than ever, and Health Accelerator’s role is to support practices to ensure their security is sound and reliable. Partnering with PenTest NZ allows us to offer an independent, real world cyber security assessment at a significantly reduced cost.”

“Taking an assessment isn’t just for the sake of ticking boxes. It’s about giving practices confidence that they understand their risks, have the evidence they need to back their decisions, and can take sensible steps to protect systems and information.”

Faustin Roman, CEO of Altersec and the PenTest NZ brand, says collaboration across the sector is key to improving cyber resilience.

“We’re fully behind the innovation of the Health Accelerator initiative and supporting health providers in primary care and beyond to stay safe and healthy online.

“We’ve worked with PHOs for some time, including Tū Ora, and they share our belief that real progress comes from partners working together toward the same goal. System level leadership at PHO organisations enables companies like ours to support primary care, while clinicians focus on keeping people well.”

“This type of exercise is long overdue for many practices, so we welcome organisations that are interested in getting involved. Let’s spread the word, maximise this Health Accelerator partnership, and get New Zealand health services pen tested.”

The partnership reflects the need for practical cyber risk management aligned with Health NZ expectations, while ensuring solutions remain accessible and cost effective for practices. Health Accelerator is encouraging general practices to take up the offer and proactively support continuity of care.

More information about the PenTest NZ offer is available at: https://www.healthaccelerator.co.nz/pen-test-cyber-offer

Source: ProCare media release

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

Three high-profile health data breaches within three months have exposed what a cybersecurity expert describes as a "feeding frenzy" pattern, where attackers target sectors with demonstrated weak defences and minimal consequences.

The latest incident at IntraCare, an Auckland-based private healthcare provider, comes after breaches at Manage My Health and MediMap, following what Altersec chief executive Faustin Roman says is a predictable pattern rather than coincidence.

"New Zealand health providers are genuinely under greater attack: one high-profile breach absolutely leads to more," he says.

In the latest case, IntraCare took its patient management system, Picture Archiving and Communication System (PACS), and finance systems offline after detecting unusual activity within its IT environment on 20 March 2026.

“We have confirmed the incident involved unauthorised access to parts of our network,” a spokesperson says. 

“We are working to establish exactly how this occurred and are already implementing additional safeguards and monitoring to further strengthen our systems.”

Roman says healthcare data represents the most valuable commodity on the dark web, with a single health record worth far more than a stolen credit card because it contains identity details, NHI numbers, and clinical history that cannot be cancelled like financial cards.

“In cybersecurity, we see a clear "feeding frenzy" pattern: once an attacker publicly compromises a sector and demonstrates that defences are weak and consequences are minimal, the broader criminal ecosystem takes notice,'" he says.

"The MMH breach effectively put a spotlight on New Zealand's health tech sector and potentially signalled 'this is soft. 

"Threat actors share this intelligence. They target the same vertical, in the same country, because the conditions that allowed the first breach - legacy platforms, voluntary security standards, a $10,000 privacy penalty cap – have not changed overnight."

The interconnected nature of health systems to enable data sharing may also allow attackers to move from one system to another, says Roman.

The timing of these breaches also aligns with known vulnerability windows, particularly the December-January holiday period when organisations operate with skeleton IT crews and reduced monitoring.

The ManageMyHealth breach was detected on 30 December, MediMap in February and IntraCare in March. 

“Attackers who gain access during the holiday period may not be discovered until staff return and systems are properly reviewed," he says.

The National Cyber Security Centre's Q4 2025 Cyber Security Insights report shows the threat landscape was already intensifying before these breaches, with website compromise incidents up 16 per cent, denial of service attacks doubling, and 23 per cent of nationally significant incidents attributed to state-sponsored actors.

Roman says New Zealand's approach to healthcare cybersecurity remains immature compared to other jurisdictions with no mandatory audit regimes and meaningful penalties.

He described the Privacy Act's maximum fine of $10,000 as "laughable" compared to Australia's privacy legislation or Europe's GDPR.

IntraCare, which treats more than 2,000 patients annually, says it activated its incident response plan after detecting the breach and engaged Cyber CX, a leading Australasian cybersecurity organisation, to conduct a forensic investigation.

The provider maintained patient care by reverting to manual processes, but the breach did impact some scheduled procedures with 28 patients temporarily deferred.

“We recommenced procedures on Monday 30 March. Our focus has been on ensuring systems are fully tested and resilient before bringing them back online,” the spokesperson says.

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page

As clinicians, we have long accepted that the tools of our trade are changing. Stethoscopes and scalpels are now joined by portals, platforms and AI. These are good things in skilled hands.  

However, as we increasingly rely on digital infrastructure to manage patient care, digital services and safety have been hollowed out by the National Government’s cuts, which favour short-term savings over long-term patient safety.

The cyber-security breach of Manage My Health in January this year was a watershed moment. With over 120,000 New Zealanders' private documents, including discharge summaries and specialist referrals, exposed to malicious actors, the incident was not merely an IT failure; it was a profound breach of the clinician-patient relationship and undermined patient trust in digital platforms. 

As we look at the fallout of that event, we must ask: is our wider health system becoming more resilient or more vulnerable to cyberattack? And how do we rebuild the trust our patients have lost in it?

The high costs of cuts

National’s cuts have made a drastic reduction in the expertise that keeps our health system running and safe. The data and digital workforce at Health NZ has been slashed by nearly 40 percent, moving from a baseline of 2,400 roles to just 1,460.

I have been vocal about the $330 million the government cut from data and digital health initiatives in Budget 2024. That funding was for work on cybersecurity capability, and it is gobsmacking to me that he would consider work in this field irrelevant when IT services needed investment.

By cutting these roles and funding we are not just losing staff; we are going backwards. We are missing the opportunity to get ahead of the curve. When we fail to modernise, we do not just stay still, we fall behind, leaving the doors wide open for external threats.

The Health Digital Investment Plan will never realise its promise unless the initiatives are funded. 

Patient care is at risk

Both in Parliament and the media, I have highlighted the backwards approach to security standards under the National Government and how it leaves patients vulnerable and undermined trust. I believe that cutting IT support is effectively jeopardising patient care.

We saw recently when patient records held in the MediMap medication management system were hacked, replaced with fake names and some patients even recorded as ‘deceased’ that patient care – not just their data - is at risk.

The Government’s refusal to properly fund the Privacy Commissioner and its failure to share cybersecurity capability with private providers has left us exposed to breaches of this nature, and the public distrustful. 

The cuts made in Budget 24 and 25 are false economies that will be wiped out by the cost of a single major data breach or a prolonged system outage. 

New Zealanders deserve confidence that when they use an app like Manage My Health or management of their care is entrusted to a system such as MediMap, their information is safe and that they can have trust in it. 

The Government has a role in ensuring that. Currently, that confidence and trust is at an all-time low.

What must be done?

To prevent further breaches and systemic failures and keep patients and their data safe, we must shift our perspective away from cuts and reinvest where it matters. Digital security is not a ‘nice to have’; it is a clinical necessity.

1. Mandatory security standards: We must enforce the high-level security standards Labour introduced in 2022 across all platforms, both in the public system and private providers that handle patient data.
2. Restore digital expertise: We cannot expect a safe, resilient and secure health system without staff who are experts in their field. We must halt the attrition of our digital workforce and re-invest where it is needed
3. Stronger rules and penalties: The Privacy Commissioner has called for penalties to drive compliance, but the National Government has instead cut funding to the privacy watchdog. All health providers must be properly regulated and held accountable in terms of how they handle personal information.

Where we should be heading

My vision for the health system is one that is truly patient-centred. That means New Zealanders get the care they need where and when they need it. 

Trusted and secure platforms are essential to this; services that are simple and consistent for patients and their clinicians to use, whether they are getting a vaccination in Kaitaia at a community-led provider, or a hip replacement in Dunedin at the hospital.

In New Zealand, we are lucky to have innovative, creative local developers to do this work, that can create jobs and improve patients’ health, trust in and experience of the health system. It is not clear to me that Health New Zealand’s present direction will give these developers the opportunities they need.

Conclusion

You cannot have a modern, safe health system while you are hacking away at its digital foundations. 

National’s cuts have created security and care risks. The Manage My Health breach was a warning shot, swiftly followed by MediMap. If we continue to hollow out our digital services, we are gambling with patient care. 

As health professionals and leaders, we must demand that digital infrastructure be treated with the same clinical rigor as any other medical tool. We cannot allow "efficiency" to become a euphemism for "vulnerability." Patients’ privacy, care and their safety depends on it.

Read more VIEWS

Return to eHealthNews.nz home page

General Practice New Zealand has released a position paper calling for digital primary care systems to be treated as critical national infrastructure, with enforceable minimum security standards and independent certification for all vendors handling patient data.

The position paper also says that sustainable investment in digital primary care is crucial as the funding model was not designed to uplift security and sustain ongoing compliance.

The move follows recent breaches including Manage My Health and MediMap, which GPNZ describes as symptoms of structural weaknesses in standards, governance, assurance and investment settings rather than isolated failures.

Justin Butcher, GPNZ deputy chair and chief executive of Pinnacle Midlands Health Network, says the health system’s reliance on digital tools has grown, but the governance and standards surrounding those systems has not kept pace.

“Digital systems are now embedded in everyday care. Patient portals, shared records and electronic referrals are essential to how primary care operates,” he says.

“Yet the standards and oversight needed to protect those systems remain inconsistent. The health system needs to move from reacting to incidents to deliberately strengthening its digital foundations.”

Butcher says other sectors already treat digital systems as critical infrastructure, operating with clear standards and independent oversight.

“Primary care sits at the frontline of the health system. It is where patients turn for reassurance and care, and that trust must not be undermined by preventable system failures,” he says.

The position statement calls for enforceable minimum digital security standards, independent certification and transparent assurance, oversight stratified by scale and concentration of risk, structured vendor governance with clear accountability, and sustainable investment recognising digital health as core infrastructure.

It says that current frameworks such as the Health Information Security Framework (HISF) operate primarily as guidance rather than auditable requirements and HISF is not currently enforceable and is not always used as the reference framework by vendors.

Because vendors engage individual practices as customers, there is limited aggregation of purchasing power and a lack of ability to influence pricing, standards and contractual terms, it adds.

Digital systems in general practice are funded from operating budgets and treated as overhead, meaning cost often becomes the main determinant of choice rather than security or functionality.

"Expecting small and medium sized providers to absorb increasing digital obligations within existing operating margins is neither realistic nor sustainable," the position paper says.

Butcher says primary care providers are committed to strengthening digital security but need consistent national frameworks to do so effectively.

His comments echo those of Aged Care Association (ACA) chief executive Tracey Martin and Medical IT Advisors chief executive Faustin Roman who told eHealthNews that healthcare IT should get similar regulatory treatment to other critical infrastructure sectors, with appropriate assurance and enforcement mechanisms. 

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page

Last night I logged into my health and wellness app - following a GP consultation earlier in the day. It confirmed that the practice has sent an update, but I noted the absence of a reason for prescribing a new medication; therefore, I sent a response message asking for that data to be added to my record. I also created permissions to enable other members of my care team to see the new data prior to an appointment the following day… 

…and then I woke up and realised that I’d been dreaming. An hallucination based on a related fantasy that interoperability and consumer access to healthcare data can be achieved without regulatory intervention. Instead, the reality is a world where lip-service is paid to various standards unsupported by conformance and compliance requirements; intermittent funding is made to selected software suppliers to exchange their own proprietary data formats; and patient portals with read-only data are tethered to practice management systems. 

The New Zealand context 

The goal of interoperability is cited in virtually every single health information strategy and investment plan produced in New Zealand in the last 2 decades. The latest being the Health Digital Investment Plan published in November 2025. However, this excellent document does provide pointers to a way forward that takes us beyond the madness of continuing to expect this outcome by continuing to do the same things. 

In particular, the highlighted phrases this excerpt from the Data & Interoperability Section on Page 7: 

“We will enable the secure and seamless flow of health data across the system. We will do this by establishing and enforcing common data standards across the sector, creating a national data catalogue, and building a modern, standards-based interoperability platform using international best practices” 

and this ‘horizon’ listed on Page 26: 

“Approved health app developers can use national API resources to create innovative tools for patients that securely connect to the patient's health record” 

Obviously, these entries do not directly call out the need for regulation, but they should encourage us to see if other countries are moving in that direction, and even a cursory glance outside the shores of New Zealand reveals that several countries have established or are actively developing regulations regarding interoperable healthcare data. 

The global context 

Arguably leading the way in 2016, the 21st Century Cures Act in the USA prohibits information blocking and mandates that patients have free, electronic access to their medical records. This has been supported by government regulations stipulating the use of HL7® FHIR® APIs to provide access to consumers and payers. 

This legislative path has been followed in the EU by the European Health Data Space which mandates that Electronic Health Record systems must meet specific, standardized interoperability requirements to allow for seamless exchange.  

In Australia, The Modernising My Health Record (Sharing by Default) Act 2025 establishes requirements for healthcare providers to upload key health information to My Health Record by default. This represents a significant shift from voluntary participation to mandatory upload requirements for certain providers. 

Health interoperability in the UK is now primarily driven by the Data (Use and Access) Act 2025, which mandates technical standards for IT suppliers and providers. This legislation enforces compliance with interoperability standards—such as FHIR—to ensure seamless data sharing across the NHS and social care. 

Following closely behind are Canada and Ireland both with new legislation to support standards-based interoperability and patient access, so is it time for New Zealand to follow suit and adopt similar legal mandates? 

The case for regulation 

While I would answer that question with a firm ‘yes’, it’s with the caveat that regulation of itself is not a silver bullet and, critically, needs to be supported by investment. 

It’s easy to look at our current state and see that most health information data is not fit for purposes beyond that for which it was originally collected. Certainly, that is my experience based on decades of working on national interoperability projects such as GP2GP patient notes transfers and the NZ e-Prescription Service. 

That is not to blame the numerous software suppliers engaged in those and other similar projects. Their products are principally designed for the purposes of managing healthcare facilities and running practices and, consequently, scheduling and reimbursement related to patient encounters takes precedence over the creation of interoperable patient records. 

Naturally, vendors will prioritise new functional features that enhance their clients’ user experience and generate revenue rather than implementing changes that only appear to have downstream benefits. In NZ at least, it’s a low margin business and interoperability does not provide a competitive edge. As many have noted, it’s not a boat race - we are all effectively paddling in the same vessel. 

The need for investment 

Therefore, it’s clear that regulation needs to be supported by investment. Suppliers need financial incentives – preferably carrots rather than sticks - to comply with standards, and build APIs, that benefit us all in the long run but might otherwise have an adverse short-term effect on their profit margins. 

Furthermore, without the development of standards-based APIs, it’s difficult to foresee the emergence of a market for apps that enable engaged consumers to manage their own health and wellness data. It’s also highly likely that any project attempting to facilitate the sharing of patient records can produce significant benefits without structured, standards-conformant, data. 

We all know that dreams are free; in reality, experience should be teaching us that interoperability and consumer access both require regulation backed by investment. The time has come to put that into practice. 

Disclaimer: The opinions expressed in this article are purely personal and do not represent the views of my former clients, HL7 New Zealand, HL7 International or generative AI. 

If you want to contact eHealthNews.nz regarding this View, please email the editor Rebecca McBeth.

Read more VIEWS

Return to eHealthNews.nz home page

Digital health systems should be treated as critical infrastructure as security failures directly impact patient safety, experts say. 

Aged Care Association (ACA) chief executive Tracey Martin says the MediMap incident highlights how dependent modern care delivery has become on digital systems and this means security, redundancy and contingency planning must be treated as core health infrastructure responsibilities. 

Medical IT Advisors chief executive Faustin Roman agrees, saying that healthcare IT should get similar regulatory treatment to other critical infrastructure sectors, with appropriate assurance and enforcement mechanisms. 

Digital platform MediMap is used widely for prescribing, pharmacy dispensing, and medication administration in aged residential care, disability services, hospices, and community health settings. 

It was taken offline after detecting a security breach on 22 February, creating immediate operational impacts on aged care facilities across New Zealand and forcing providers to shift to manual systems to ensure residents continued receiving medications safely. 

Tracey Martin says digital medication systems bring real benefits by reducing transcription errors, supporting coordination between GPs, pharmacies and facilities, and strengthening clinical oversight.  

“But they are now critical infrastructure," she tells eHealthNews. 

"When they fail, whether through cyber breach or system outage, the pressure shifts immediately onto frontline staff." 

Martin says that manual processes are safe when done well, but are more labour-intensive and increase fatigue and workload risk.  

“That is why cybersecurity and system resilience can't be seen as 'IT issues'. They are patient safety issues,” she says. 

Roman, a certified ethical hacker with more than 10 years' experience in health IT security, does not agree with recent chatter on social media and Health NZ’s position on the MediMap incident, which places sole responsibility for security on platform vendors.  

"I do not agree that any organisation should ever be solely responsible: cybersecurity will always be a shared responsibility" he tells eHealthNews. 

“Providers have primary responsibility of certain controls, however other stakeholders need to play their part, e.g. users must be cyber-aware and protect their credentials, government agencies should enforce minimum standards, healthcare organisations should do regular assessments and third-party assurances,” he says. 

Roman argues that healthcare IT should get similar regulatory treatment to other critical infrastructure sectors, with appropriate assurance and enforcement mechanisms. 

“Regular penetration testing and security assurance should become standard practice, particularly as technology ages and threat levels increase.” 

He believes that New Zealand's approach to healthcare cybersecurity is still immature compared to other jurisdictions with a lack of enforcement mechanisms, assurance, incentives or liabilities. 

New Zealand's Privacy Act maximum fine of $10,000 contrasts sharply with penalties under Australia's privacy legislation or Europe's General Data Protection Regulation. 

Despite recent high-profile incidents, Roman there has been surprisingly low inquiry levels from health IT companies seeking security reviews and advice. 

While there was initial uptick in activity following the Manage My Health breach in late 2025, the MediMap incident has generated far less response than expected. 

"There is a time for talking and planning that maybe was about 10 or 15 years ago, and then there is the time to actually act, which is probably yesterday,” he says. 

Martin says the ACA has maintained regular contact with members since the MediMap incident, providing clear practical guidance and ensuring Health NZ understands the operational impact on facilities. 

"Our members showed resilience and professionalism, as they always do, but this event is a reminder that system-wide digital security matters deeply to aged care and needs to be prioritised accordingly,” Martin says. 

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page

MediMap has started a phased restoration of its digital medication management platform after going offline in New Zealand due to unauthorised activity in its system.

The privately owned platform, used widely across New Zealand for prescribing, pharmacy dispensing, and medication administration in aged residential care, disability services, hospices, and community health settings, was taken offline after detecting the security breach on 22 February.

The breach involved some resident demographic information being changed including residents’ names, dates of birth, assigned prescriber, allergy or intolerance information and discharge or deceased status.

MediMap says restoration began on 2 March 2026 and facilities where current resident information has not been modified will be restored first following internal validation. 

Facilities where resident information may have been impacted will be contacted directly by MediMap to confirm current resident details prior to restoration.

MediMap has secured a court injunction to protect impacted individuals' information, which prohibits any person from accessing, using, copying, sharing or publishing any MediMap data that may have been unlawfully obtained.

“At this stage, we cannot confirm whether any resident data has been accessed beyond viewing, extracted, or exposed externally. The investigation is ongoing,” an FAQ for providers on MediMap’s website says.

The company says it has rebuilt a secure production environment and completed forensic review and validation of its data before beginning the restoration process. 

Independent cyber security specialists have supported the strengthening of authentication controls.

"We acknowledge the patience and professionalism of providers and their staff, who have continued to deliver care for patients and residents with manual processes during this disruption," MediMap says in a system update on 3 March.

"We are confident in the integrity of the restored environment.”

Providers will be required to validate specific demographic information identified during the investigation before accessing the platform and all user passwords will be reset as part of the security measures.

Healthcare providers have had to revert to manual processes while the system has been offline and must clinically review and reconcile any medication changes made during the outage period. 

Electronic prescribing via NZePS will be progressively re-enabled once the core system stabilises.

Following the initial restoration phase, MediMap will enter a stabilisation and hypercare period with expanded support arrangements to transition back to business-as-usual operations. The phased restoration approach has been shared with Health New Zealand to ensure alignment as services are progressively restored.

"Our shared objective is a safe, structured return to digital medication management that balances clinical continuity with strengthened security controls," MediMap says.

Health New Zealand acting chief information technology officer Darren Douglass says the organisation is supporting MediMap's response and has activated its Cyber Incident Management Team to assist.

“People need and deserve confidence that their private and sensitive health information is secure. Protecting patient data is a priority across the health system,” Douglass says.

MediMap has also notified the Office of the Privacy Commissioner and New Zealand Police about the incident. 

"We understand how concerning this situation has been for residents, patients, families and healthcare providers. We sincerely apologise for the disruption and distress caused," the company says in a statement.

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page

The true significance of the Manage My Health data breach will not be determined by how thoroughly it is investigated, but by whether the health sector uses this moment to fundamentally improve how digital health data and systems are designed, governed and protected in Aotearoa. 

If we do not get that right, we risk undermining the very tools and digital capability that increasingly support patient care when it is needed most. 

Time to review 

With the Ministry of Health and Privacy Commissioner's reviews now underway, this is an important moment. Reviews, inquiries and reports are familiar tools in the health system, particularly following high-profile incidents. However, experience shows that the value of these processes lies not in the documentation itself, but in whether they lead to clear, practical, and enduring change. 

For digital health, that bar must be set high. Otherwise, we risk regression at a time when trust is already fragile. Even highly digitally capable general practices, including some in our region, are questioning whether the ’system’ can be relied upon to keep data secure. 

Digital systems are no longer peripheral to care delivery. Patient portals, shared care records, analytics platforms and integrations between primary and secondary care are now core infrastructure. They shape how clinicians work, how patients engage with their care, and how information flows across the system. Here in the South, many general practices rely heavily on digital infrastructure to sustain care delivery amid a constrained workforce, particularly in rural areas where on-site daily clinical coverage is not always possible. 

As a result of this reliance, cybersecurity and privacy can no longer be treated as technical considerations or compliance exercises that sit alongside delivery. They are fundamental design principles that must be embedded from the outset and that are essential to rebuilding trust. 

Looking forward 

What the sector now needs from the Manage My Health reviews is not simply a retrospective analysis of what went wrong, but a forward-looking framework that helps us, as a nation, deliver digital health better and more safely. That framework needs to provide clarity on expectations, roles and accountabilities across the ecosystem, including vendors, health organisations, funders and regulators. More than that, it must work and regain the trust of clinicians and patients. 

Without that shared understanding, responsibility remains fragmented, and risks are pushed downstream to the organisations and clinicians closest to patients. 

One of the most pressing challenges exposed by recent cyber incidents is the inconsistency in security maturity across digital health platforms. Some organisations invest heavily in cyber governance, independent assurance and continuous monitoring, while others operate with minimal oversight and legacy approaches that no longer reflect the threat landscape. A system that relies on voluntary uplift or variable standards is inherently fragile. The reviews must therefore help define what “good” looks like in practice, including baseline security expectations that are proportionate to the sensitivity and scale of the data being held. 

Equally important is transparency. In a digital health environment built on trust, patients and clinicians need confidence that when things go wrong, information will be shared early, clearly and honestly. This is not about blame. It is about enabling informed decision-making, managing risk and maintaining confidence in the system as a whole. Clear expectations around communication and disclosure should be a core outcome of the reviews, not an afterthought. 

Opportunities for change 

The reviews also present an opportunity to strengthen cyber governance at a system level. Digital health in Aotearoa has grown rapidly, often through a mix of national initiatives, regional solutions, and vendor-led innovation. While this has delivered real benefits, it has also created complexity and uneven oversight. A more coherent approach to assurance, certification, and ongoing monitoring of digital health platforms would reduce duplication, build confidence and trust, and allow organisations to focus on delivery rather than constantly revalidating the same risks in isolation. 

Importantly, any path forward must recognise the operational realities of the health sector. General practices, community providers, and PHOs are not technology companies, yet they are increasingly expected to manage sophisticated digital risk alongside delivering care. A safer digital health system is one that supports these organisations with clear guidance, shared tools and system-level investment, rather than transferring risk without the means to manage it. 

At its core, this is about trust. Health data is among the most sensitive information people hold, and the expectation that it will be protected is both reasonable and non-negotiable. When that trust is undermined, the consequences extend beyond the immediate incident. Confidence in digital services erodes, adoption slows, and the potential benefits of digital health are harder to realise. 

The Manage My Health reviews are therefore a pivotal moment. They can either reinforce a pattern in which each incident is treated as isolated and exceptional or mark a genuine reset in how we approach digital health safety across the system. The latter requires courage, coordination and a willingness to move beyond minimum compliance towards shared responsibility. 

If we get this right, the outcome will not just be stronger cybersecurity. It will be a digital health environment that is more resilient, more transparent and more worthy of the trust that patients and clinicians place in it every day. 

If you want to contact eHealthNews.nz regarding this View, please email the editor Rebecca McBeth.

Read more VIEWS

Return to eHealthNews.nz home page

Health Minister Simeon Brown defended the government’s funding of health cybersecurity in Parliament today (January 28) as Labour questioned whether Budget 2024 cuts to data and digital services left the health system more vulnerable.

The questions follow a major data breach at private health organisation Manage My Health in December 2025 that compromised the personal information of more than 120,000 New Zealanders.

Labour health spokesperson Ayesha Verrall challenged Brown on whether cuts to Health New Zealand's data and digital funding in Budget 2024 led to the cancellation of cybersecurity projects.

More than $330 million earmarked for data and digital health initiatives at Health NZ was returned as part of budget savings in 2024.

This included $186 million for 'Data and Digital Foundations and Innovation' and $144 million for 'Data and Digital Infrastructure and Capability – Enabling Health System Transformation' through to 2027-28.

Verrall referenced Health New Zealand's annual review statement, saying that "planned future work on the next stage of cybersecurity capability uplift has been cut," and asked whether this related to the defunding of digital initiatives in Budget 2024.

Brown said the government has "continued to invest in strengthening Health New Zealand's cybersecurity capability" with an additional $9 million in Budget 2024 and $10 million in Budget 2025.

"Over the last two years, Health New Zealand has taken a number of important steps including adoption of new data sharing standards, increasing the use of multi factor authentication to access clinical systems and introducing 24/7 monitoring of devices and systems to detect, quarantine and respond to cyber incidents," Brown told Parliament.

Brown said the government takes the security of health data extremely seriously.

“That is why Health New Zealand has responded by running an all of government response, activated incident controllers to support Manage My Health, ensured that independent cyber security experts have been engaged to provide assurances of Manage My Health's response and provided support for the primary care as they respond,” he said.

Public Service Association national secretary Fleur Fitzsimons has also questioned the impact of budget cuts and downsizing of the digital services teams at Health NZ.

"New Zealanders deserve a health system where their private information is protected. That requires proper investment in IT security and the experts who deliver it - not endless cost-cutting that leaves our systems vulnerable," Fitzsimons said.

Manage My Health has 1.8 million registered users in New Zealand and the breach has prompted a number of investigations.

The Ministry of Health will begin a comprehensive review of the incident at the end of January, examining why critical vulnerabilities remained unaddressed before hackers accessed the system.

Privacy Commissioner Michael Webster has also announced an independent inquiry under the Privacy Act to examine compliance and governance arrangements surrounding the breach.

Image: Health Minister Simeon Brown

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page

The Ministry of Health will start a review of the Manage My Health cyber security incident and the response at the end of this month, with a final report expected by 30 April.

Privacy Commissioner Michael Webster has also announced an independent inquiry under the Privacy Act to examine compliance and governance arrangements surrounding the breach.

The Ministry review will look at why critical vulnerabilities remained unaddressed before hackers accessed the personal health information of more than 120,000 New Zealanders on 30 December 2025.

It will also determine whether vulnerabilities found in Manage My Health could be present in other patient portals used across the country.

Health Minister Simeon Brown commissioned the review following the breach involving the patient portal used by which has 1.8 million registered users.

"Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards," Brown said in his announcement.

The Ministry has now published detailed Terms of Reference, outlining the scope of work developed in partnership with the Government Chief Digital Officer and the National Cyber Security Centre.

The technical assurance assessment will focus on the vulnerability in Manage My Health's Health Documents module and examine why it remained unaddressed despite the platform handling sensitive medical information.

The review will evaluate the portals’ security controls against industry norms and “assess whether the sensitivity of stored information was matched by appropriate protection standards”, the terms of reference say.

It will look at the company's capability and capacity to manage a critical health records platform securely, examining data lifecycle management and retention practices that left historical data on internet-facing infrastructure.

The investigation will also “assess the adequacy, timeliness, coordination, and escalation of response actions by MMH and Health NZ”.

The Privacy Commissioner's inquiry will determine whether appropriate security safeguards were in place and examine steps needed to prevent similar incidents.

"Given the scale of the incident, the sensitivity of the information and some of the systemic issues being identified, it's clear to me we need to investigate the privacy issues involved," Webster says.

His inquiry will establish the circumstances of the cyber security breach, examine impacts on affected people, and assess compliance with relevant standards and the Privacy Act.

This includes reviewing policy, contractual, and governance arrangements between Manage My Health, Health NZ, primary care providers, and other health sector agencies.

All reviews and investigations into the incident will coordinate to minimise duplication while maintaining independence, the documents say.

The Ministry review will produce an interim findings report highlighting key issues requiring urgent attention, followed by a comprehensive final report containing full findings, root cause analysis, and actionable recommendations to prevent similar incidents.

If you would like to provide feedback on this news story, please contact the editor Rebecca McBeth.

Read more Information Governance news

Return to eHealthNews.nz home page

GP2GP is being stabilised and will either be replaced in the next few years or no longer required because health information will be available through shared digital health records, Health New Zealand | Te Whatu Ora says.

GP2GP enables patient records to be electronically transferred from one practice management system (PMS) to another.

Primary care leaders have expressed concerns about ongoing issues with this vital service, saying these cause delays in care and introduce clinical risk. 

The latest GPNZ data and digital update says general practice is spending an increasing amount of time and resource managing and checking GP2GP transfers and fixing errors.

Interim chief information technology officer Darren Douglass says Health NZ is investing in stabilising the service, “with an operating model that ensures these stabilisation efforts last until another solution for transferring health records is in place.

“GP2GP will either be replaced in the next few years or no longer required because health information will be available through shared digital health records,” Douglass says in an update shared with primary care.

The GPNZ update says the Health NZ GP2GP team has been working closely with GPNZ and general practice managers to scope stabilisation requirements, as well as talking with HealthLink and PMS suppliers.

“The main issues identified relate to the patient file transfer size limit of 20MB, inconsistencies in data mapping, and difficulty identifying diagnostic results,” Douglass says.

“By July we are aiming to have updated GP2GP source code to PMS suppliers to deploy in their PMSs to support the safe and efficient transfer of patient records. By then, HealthLink will be supporting the transfer of files up to 50MB in size.

“We will also test the GP2GP patient file transfer process between PMS applications once the consistent version is in place, to ensure transfers are error free.”

The Royal New Zealand College of General Practitioners (RNZCGP) president Luke Bradford says GP2GP is a vital service. 

“The GP record is the most complete health record for a patient in New Zealand and so its complete, secure and error free transfer from one practice to another is essential and does carry risk,” he says. 

“The College has for some time been concerned that HNZ has not grasped the significance of this application and has not prioritised solutions to the problems between PMS or led in driving the industry to address them. 

“As it is, records often arrive corrupted, or with missing or duplicated data. We remain clear that addressing this is important for clinical safety.”

The GPNZ update says a workshop set up in early May will bring together data and digital leads with clinical and practice expertise to scope additional improvements that could be delivered before the end of June.

Douglass says enhancing and stabilising GP2GP will mean reduced clinical risk from missing, incorrect or incomplete patient data, as well as reduced admin time for general practices as staff will no longer have to spend time checking file transfers and correcting errors.

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month

Read more Information Governance news

Return to eHealthNews.nz home page

A ‘malicious actor’ accessed and downloaded occupational health and safety information of some Health New Zealand | Te Whatu staff during an IT security breach last October, the organisation has confirmed.

The breach affected employees from the Capital, Coast & Hutt Valley and Wairarapa districts over a four-year period and the perpetrator is likely to face criminal charges.

New Zealand’s largest trade union says that proposed cuts to Health NZ’s data and digital directorate will further compromise the security of the sensitive information it holds. 

Health NZ says in a statement that as soon as the breach was detected, immediate action was taken to secure its systems and investigate the extent of the impact. 

“That investigation has since shown the malicious actor accessed and downloaded occupational health and safety information relating to some current and former staff members across two Central region districts – Capital, Coast & Hutt Valley, and Wairarapa - covering the period from 2020 to 2024,” Health NZ said.

The affected information ranges from general occupational health and safety records to more sensitive personal data, including medical assessments and health-related correspondence. 

Health NZ reassured staff that there is currently no evidence the data has been shared publicly. 

“We deeply regret that this has happened and sincerely apologise to anyone affected,” the agency said, adding that it continues to monitor the situation.

Health NZ is consulting on plans to slash 1120 net roles from the data and digital directorate’s current workforce of 2405 FTE as part of an effort to save $100 million a year from its budget.

Public Service Association (PSA) national secretary Fleur Fitzsimons says data and digital staff warned Health NZ last year about the rising risks if the cuts went ahead.

“This is just more proof that the damaging cuts to data and digital must be reversed, or more sensitive patient and staff information will be put at risk,” Fitzsimons says. 

“Enough is enough. The latest breach should be ringing alarm bells in the Beehive. We urge the Minister to stop the cuts and reassure New Zealanders their information will be safe and secure.”

eHealthNews reported this month that the Minister of Health has asked Health NZ to assure him that proposed changes to its data and digital team will not impact frontline service delivery.

Health NZ says it reported the breach to the Office of the Privacy Commissioner and New Zealand Police, with criminal charges expected against the malicious actor. Meanwhile, it has advised people to remain vigilant against scams.

The national health organisation also pledged to strengthen its cybersecurity measures and learn from the incident. 

“We are committed to continually strengthening our protections and will learn from this incident to make improvements to help prevent something similar from happening again,” a statement says.

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month

Read more Information Governance news

Return to eHealthNews.nz home page

We are introducing a new format for the National Health Index (NHI) starting 1 July 2026. If you are a health IT service provider or medical device supplier, you will need to update your systems, devices, and processes for both the current and new format before 1 July 2026.

An NHI is a unique identifier given to every person in New Zealand from birth or their first interaction with health services. It links patient health information and supports the coordination of patient care.

Read the media release: https://lnkd.in/gYxkAgQB

Review the HISO Standard Compliance information: https://lnkd.in/gdnP_Ach

Read the NHI Overview: https://lnkd.in/g2H2k_dW

Read the NHI Format Change FAQs: https://lnkd.in/gevMXykm

Ensure your systems are ready by completing the self-assessment on Health NZ’s Jira Service Management platform to update compliance, request support, and provide feedback: https://lnkd.in/gfbTVzH6

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

A programme to improve national cybersecurity capability following the Waikato cyberattack has slashed response times to high severity events and meant the system was not significantly impacted by the CrowdStrike outage. 

The national Cybersecurity Uplift Programme was launched to address critical security gaps identified in the aftermath of the 2021 Waikato DHB ransomware attack. 

The three-year programme finished at the end of June 2024, and a further two years of funding has been provided to maintain the maturity achieved so far. 

"At the end of that incident, the lessons learned were worked through, and we found we had a number of gaps in our security posture and our ability to protect ourselves at the district level," says Health New Zealand - Te Whatu Ora chief information security officer (CISO) Sonny Taite. 

One of the key milestones of this program was the establishment of the National Security Operations Centre (SOC), which became fully operational by the end of 2023. This brings together cybersecurity experts from across the country's 20 former districts.  

Speaking on the latest episode of eHealthTalk NZ, Taite says this centralisation of expertise and resources has enabled Health New Zealand to monitor and respond to cyber threats more effectively.  

“Our SOC receives thousands of security events every month," Taite says. 

"We categorise those events into high severity and those events to be noted. Our team targets a 15-minute response time for high-severity alerts and serves as one of our first lines of defence against cybercriminals. 

“The speed of attackers nowadays is so fast that we always need to be getting better and better, using all of the tools at our disposal and continuing to innovate.” 

Health NZ moved to a standardised security product and platform through 2023, reducing the coverage and impact of the CrowdStrike outage in July which crashed millions of Windows systems worldwide.

“If we had not done that work we would have had quite significant impact and disruption on the health system,” Taite explains.

The cybersecurity team also delivers an ongoing education and awareness programs aimed at the 90,000-strong workforce in the healthcare sector. 

"We have been spending a lot of time building awareness across our workforce because of the constant load of phishing and scam emails that attempt to trick our staff into clicking on malicious links," Taite says. 

“We have made a lot of progress since the Waikato incident where we did not have those capabilities: there was no national SOC or many of the services we now have in place.” 

Hear more from Sonny Taite in the latest episode of eHealth Talk NZ.

Return to eHealthNews.nz home page

Health New Zealand Te Whatu Ora is modernising and consolidating its digital identity solutions to create a faster, more consistent process for up to 125,000 staff logging into its systems every day.

SailPoint has been piloted for corporate users within Health NZ since April, with plans to extend it to clinical systems in the coming months.

Garry Johnston, data and digital programme lead, national programmes, says the legacy systems that supported the 28 entities that became Health NZ still exist and the organisation needs to integrate these disparate systems into a unified framework.

This fragmentation means users, who often work across former DHB boundaries, experience inconsistent onboarding and access processes.

Health NZ has around 125,000 users logging into its systems on a daily basis, including employees, contractors, and external partners.

"Our users still experience the echo of the former organisations that those systems supported," Johnston said.

“We are looking at ways of consolidating and standardising the experience for our users.”

SailPoint is a cloud-based SaaS application and Johnston says the platform is expected to save considerable time and resources.

Previously, provisioning access could sometimes take several days or longer, but the aim is to reduce this to less than 2 hours. This frees up administrative time, allowing staff to focus on more critical tasks, he says.

The cloud-based platform has connectors deployed in each legacy environment. This means it can manage user access and entitlements across legacy systems, ensuring that users have the necessary entitlements based on their roles and locations.

“It makes our users’ experience faster, simpler, and more consistent no matter what legacy environment they connect into. When they start, when they change roles, or when they leave the organisation,” he tells eHealthNews.

Johnston explains that SailPoint is particularly helpful for new employees and those transitioning between roles, as traditionally staff often retained access to systems from previous roles, creating potential security risks.

The new platform ensures access is granted based solely on current needs and system owners can regularly certify and review user access.

“One of the core drivers for this programme of work is freeing staff from the drudgery of provisioning things manually: one of the key challenges for the health system is how we can drive efficiency and reduce the fragmentation that we have today,” he says.

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

Read more Information Governance news

Return to  eHealthNews.nz home page

A live phishing attack is targeting the New Zealand health system and staff should be cautious of emails that may compromise their organisations, says chief information security officer (CISO) Sonny Taite.

Taite spoke at a Health New Zealand Te Whatu Ora stakeholder hui in June where he said the team had become aware of a phishing campaign targeting the collective health system.

The malicious campaign is impacting up to 13 small and large organisations across the health sector.

“We would like you to be very aware and cautious of emails that are being shared from compromised and impacted health organisations,” he said.

“They are relying on the trust that we have with each other to compromise an email account and then use that email account to share phishing scam emails to you all.” 

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

He said the emails appear legitimate as they look like a file sharing invitation from Microsoft OneDrive or Microsoft SharePoint, but then ask for the person’s username and password to harvest those credentials.

“We are aware of it and the PHOs are working to bring that knowledge and that awareness to you all as well,” he told the hui.

He said the New Zealand health system is “fairly constantly under attack”. Another common target is ‘internet facing technology devices’ and there is also a significant increase in attacks on cloud computing environments.

Taite said Health NZ has refreshed the Health Information Security Framework (HISF) to make it easier for organisations to understand where to go for information and use this security framework to plan ahead.

Guidance is now provided for four different types of organisations; hospitals, micro to small organisations; medium to large organisations; and suppliers.

Health NZ chief executive Margie Apa said cybersecurity is hugely important for protecting against bad actors, and to ensure public trust in the health system holding their personal data.

“We operate on the trust and confidence of our communities and patients and people who gift us the information to help us do our work,” she said.

Apa said the HISF will become core to the way that Health NZ commissions and engages with providers and that providers should set expectations with their IT vendors.

“The Health Information Security Framework should be a really useful guide when you are negotiating with your vendors and providers of ICT services,” she said.

“The onus is on the vendors to demonstrate how they are going to help you ensure that you are able to meet those security, privacy and also cybersecurity resilience issues.

“I would encourage colleagues to see the Health Information Security Framework as another helpful checklist when you are assessing your own vendor’s performance and also selection of vendors.”

On June 25 Taite provided an update saying the cybersecurity team is, "seeing reduced incidences of this particular phishing scam reaching our people, however we are encouraging everyone to remain vigilant.

"This latest scam is a timely reminder that phishing emails are increasingly common and that people should always be cautious when receiving and opening emails, and especially before clicking on links or entering personal information," he tells eHealthNews.

Some good advice to follow is:

• Check the sender - even if it is someone you have dealt with before, are they sending you email content they typically would?
  
• If they are sharing a document, were you expecting them to send you something? Does the document name sound legitimate?
  
• Scammers can use legitimate services such as Microsoft which may initially give a feeling of legitimacy, check each page that appears the whole way through.
  
• If you are being asked to re-authenticate, check that this is how you would normally do this – check the URL.
  
• If you click a link and are asked to enter your username and password, then stop, and look at the steps above.

If you do think you’ve clicked a link or entered some information you shouldn’t have, you should contact your IT team or supplier, and let CERT NZ know.



Picture: CISO Sonny Taite presenting at the June stakeholder hui

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

Read more Information Governance news

Return to eHealthNews.nz home page

Over the last few years, Australian hospitals and healthcare providers have been battered by cyber attacks.

In 2021, a Victorian hospital network suffered a huge ransomware attack which left it unable to access patient files for over 2 weeks and delayed many surgeries. The same year, a Queensland hospital network was hit by a ransomware attack which forced them to turn to paper-based operations for over a month, significantly impacting workflows and the delivery of patient care.

In 2023, a major cancer treatment centre in Sydney was caught up in a cyber attack, with hackers threatening to release stolen data unless hospital administrators paid a ransom. Meanwhile, the personal details of patients at a major Melbourne hospital were compromised after cybercriminals hacked a staff member’s private email. These are just some of the many stories gracing the front pages of Australian newspapers.

The facts call for greater action by Australia’s healthcare industry
The healthcare sector recorded more data breaches than any other Australian industry in 2023, and more than twice the number reported by the financial services sector, according to the most recent Notifiable Data Breaches Report.

There are several important explanations for this. Firstly, the healthcare sector represents a highly attractive target for adversaries because of the high value of stolen patient records. Secondly, hospitals simply cannot afford to have their operations go down, meaning they are far more likely to pay the ransom to get critical patient systems back online.

Another contributing factor is that cybersecurity standards are weaker in healthcare than in other industries. The Australian Cyber Security Centre notes that the Australian healthcare industry in particular suffers from a lack of cybersecurity training, lax security practices and chronic underinvestment in technology and digital infrastructure.

An indication of just how vulnerable healthcare systems are can be gained from recent global research by Claroty, which looked at the cybersecurity levels of critical medical devices, ranging from imaging systems to infusion pumps and more.

The research found some alarming trends and statistics: One in four (23%) of medical devices—including imaging devices, clinical IoT devices and surgery devices—have at least one known security vulnerability, which has been previously exploited by adversaries.

Furthermore, 14 percent of connected medical devices were found to be running an unsupported or end-of-life operating system, along with seven percent of surgical devices whose failure might endanger patient safety.

The Australian Digital Health Agency (ADHA)—which is responsible for My Health Records data held by state or territory bodies—said in its 2022-2023 annual report it was strengthening its cybersecurity with a new, mandatory suite of security requirements that would harden clinical information systems against cybersecurity attacks, uplift information security and give better protection for consumer information. Every vendor with software products connected to the My Health Record system will need to supply extensive evidence to show conformance.

The ADHA has “a clear plan to meaningfully support Australian healthcare providers and health technology partners to protect themselves and the critical health information they hold.” To this end, its website provides comprehensive advice on cybersecurity covering how to set up a secure environment, how health service providers can protect information, and what can users do to secure information.

How we can improve the security levels of medical devices
In the meantime, much can be done to beef up the security of health IT systems and devices with some fairly basic cyber-hygiene measures. Below are some of the best ways to achieve this:

1. Avoid connecting any equipment to the internet unless such a connection is strictly essential.
2. Isolate your connected medical devices—patient and surgical—from your corporate networks.
3. Where remote access is needed by employees, ensure that this is secured with strong credential management and multifactor authentication.
4. Furthermore, where remote access to healthcare systems must be extended to third parties such as vendors and contractors, healthcare providers should ensure this is even further controlled. Specifically, healthcare providers should segment these networks and operate under a principle of ‘least privilege’ i.e. only giving users the minimum access level required to fulfill their assigned roles.
5. Maintain a comprehensive and up-to-date inventory of all assets throughout your facility and identify those that are internet-connected and most likely to be targeted by attackers.
6. Patch internet-connected devices and systems as soon as software updates become available, especially those systems that bridge enterprise and medical networks.
7. Prioritise risk management efforts based on the role of the equipment and its vulnerability as measured by the Exploit Prediction Scoring System (EPSS) a data-driven, machine-learning model that estimates the likelihood a software vulnerability will be exploited.
   

The takeaway:
In summary, implementing and maintaining strong cybersecurity for healthcare systems is not rocket science: it is largely good housekeeping. However, the challenge is one of scale: a healthcare environment is a house with many rooms, all full of tempting targets for the bad guys. The good news is there are automated security solutions that can take the legwork out of this process, freeing up your time to focus on what matters most: patient care.

Source: Claroty media release

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

A national cyber threat detection system will cover all Te Whatu Ora districts by the end of the year, with the highest severity threats investigated within 15 minutes, the national chief information security officer (CISO) says.

Sonny Taite presented at the closing of Digital Health Week 2023 and said the national cybersecurity team is focused on three strategic priorities; defence, resilience and capability.

The team now has greater visibility of what is happening across the motu using an Intelligent Threat Informed Defence system, which is on target to cover all Te Whatu Ora districts by the end of December, including some of the shared services agencies and major programmes.

In November, this detected 87 billion security signals of which around 28,000 were threat intelligence signals and 5000 determined to be security events of interest.

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Those are rated in severity, and the highest are investigated by the national security operations team within 15 minutes.

Taite told attendees the use of AI is promising in terms of cybersecurity response.

“Generative AI is going to help us look at the 87 billion signals and start to investigate whether there are any other things inside that data set that we need to know about and take notice of in terms of security,” he told the audience.

A new Cybersecurity Coordinated Incident Management Team within Te Whatu Ora has been developed to respond to security incidents and its first test was during Cyclone Gabrielle.

“We were not quite ready at that point to provide a really centralised and coordinated response, but we started learning immediately,” Taite said.

From that experience, 50 groups of actions were picked up and 70 percent have been implemented, with 100 percent completed by the end of this year.

Some of those learnings have been incorporated into a new booklet and poster to help primary care providers with cyber incident response advice, which was launched at Digital Health Week in Hamilton.

Taite spoke about the need for ‘security by design’ to enable the relatively small security team to manage the scope and scale of major digital programmes.

He said security is often seen as a “gate to go through”, but they are working to build it into the entire process, starting at the proposal stage.

He said a survey of Te Whatu Ora employees revealed that 82 percent believe caring for patient data is as important as caring for the patient and 89 percent said protecting patient data is top of mind when they work.

More than 109,000 people across the organisation have now been onboarded to a new security awareness platform, which provides phishing simulations and education on other security threats.

By the end of 2023 more than 200 people will have been trained in the Coordinated Incident Management System (CIMS), of which 60 were from the Primary Health Organisation space.

A Cyber Academy, in collaboration with Te Pūkenga, Microsoft, Tokona Te Raki and TupuToa, has also been developed to boost diversity in the security workforce.

This year, seven of the Māori Pacific cohort spent three months at Te Pukenga and three months training as apprentices at Te Whatu Ora. They all graduated in November are now working in the national cybersecurity teams.

“We are looking to expand this in the next phase to have a more data and digital focus. Cybersecurity will become one module and we need to work out what other modules should be put inside the programme,” Taite said.

Picture: Te Whatu ora CISO Sonny Taite speaking at Digital Health Week 2023

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

Read more Information Governance news

Return to eHealthNews.nz home page

The rise of cybersecurity threats targeted at New Zealand’s healthcare sector has only exacerbated with the sector’s digital shift and rise of telehealth services. Recent cyberattacks have underscored the industry’s vulnerabilities, prompting a $75 million government initiative to enhance cybersecurity. Despite existing measures, a SailPoint report revealed that 97% of healthcare entities see room for improvement in data access management. There is a pressing need for a comprehensive identity security strategy which incorporates both AI capabilities and a Zero Trust and least-privilege access framework. Transitioning from legacy systems to a Software-as-a-Service approach can offer better security and operational efficiency, ensuring data protection and an enhanced patient care experience.

The healthcare industry in New Zealand stands as one of the most frequently targeted critical infrastructure sectors by state actors and criminal hackers. The ongoing digital shift, driven by technology innovation and the rise of telehealth culture, has only exacerbated cyber threats due to the increased sharing of sensitive data.

Recent events are an important reminder of the tangible risks cyberattacks pose to the healthcare sector. In October 2022, sensitive patient files and high-level data were stolen in a cyberattack on Pinnacle Midlands Health Network – a major primary health provider in New Zealand – with an estimated 450,000 people’s information accessed. The major Waikato DHB ransomware attack in May 2022 was also a wake-up call, as it caused a full outage of its information services across the region, with patient and staff details stolen and later posted online.

What followed was a call to action with the Government-led National Cyber Security Uplift Programme setting out to significantly increase the security level of New Zealand’s health system, committing up to $75 million over three years to improve the healthcare industry’s cybersecurity posture.

The plan revealed a long-term lack of investment in IT systems and software was one of the key issues making the industry most vulnerable to cyberattacks.

In fact, SailPoint’s “The State of Identity Security 2023: A Spotlight on Healthcare” report, shows nearly all respondents (97%) agreed their organisation’s ability to manage access to sensitive data needs improvement, despite having specific measures in place already, such as data encryption.

Paired with continuing challenges with chronic staff shortages and the growing number of data privacy and information security regulations impacting the industry, the shift to online health services has required healthcare providers to upscale their digital backend systems and prioritise identity security strategies - with a heightened focus on compliance and cybersecurity requirements.

What’s promising is that according to the SailPoint report, the healthcare industry almost universally recognises the importance of identity security, with 95% indicating that identity security is either a relatively important, critical, or number one investment priority for the organisation.

Why an Identity Security strategy is the answer
As the growth of employee, non-employee and non-human identities continue to proliferate, it is no longer viable to give users broad access to internal healthcare systems as human error and insider threats are the cause of most data breaches, and threat actors are increasingly able to obtain sensitive patient data from both IT databases and medical devices.

In New Zealand, according to an Insights Report by the New Zealand Privacy Commission, 54% of large organisations recorded breaches that were from ‘intentional or malicious activity’.

The healthcare sector cannot therefore afford to ignore identity security. In order to keep up with evolving security risks and prevent financial and reputational losses, healthcare organisations must implement a comprehensive identity program.

The healthcare sector is uniquely challenged with securing identities with one-to-many roles, multiple authoritative sources as well as several non-employees such as contractors, affiliate doctors and temporary healthcare professionals like nurses, imaging technologists and therapists.

Having an identity security strategy in place enforced by a Zero Trust and least-privileged access which harnesses Artificial Intelligence (AI), provides healthcare firms with complete visibility over all the direct and related access each user has – including all permissions, entitlements, and roles.

Identity management is key to ensuring a secure, compliant, and efficient infrastructure as it enables organisations to understand and manage who has access to which resources, and how exactly that access is being used to reduce, adjust or remove privileges as needed. By providing all internal and external users the minimum amount of access to resources required to perform their job, healthcare organisations can mitigate the risk of compromised credentials.

From legacy to a SaaS-first approach
Healthcare organisations are typically built on legacy systems which are more vulnerable to cyberattack exposure. Their infrastructure not only poses a risk to their security due to their human and manual centred processes, but also affects their operational efficiency due to inflexibility in integrating with innovative solutions to automate all identity decisions.

Implementing a true native Software-as-a-Service (SaaS) approach with identity security which is interoperable with a mix of on-premise and cloud environments, can provide IT teams with continuous and accurate visibility into their entire SaaS environment. This visibility reduces the strain on IT teams by allowing controls to be set up to govern all SaaS access, control software spend, and secure identities to combat cyber threats, whilst delivering enhanced data security, telehealth, and improved patient engagement.

In the recent report by SailPoint, 38% of healthcare firms said that managing access is time-consuming, with a typical healthcare IT professional spending more than a third of their week managing access and permission for identities. An automated identity approach can easily define user roles and create policies for access, giving healthcare workers fast, simple and error-free access to the data and critical resources they require to care for patients. With an AI-driven process to review, refine and evaluate roles, healthcare organisations can improve compliance, meet regulatory requirements, and deliver successful audit outcomes.

With an integrated, intelligent and automated identity security strategy that provides visibility and insights to extend access at the right time by monitoring behaviour patterns and allowing IT managers to spot risky access faster, healthcare firms will not only benefit from enhanced security to protect patient data but also improve operational efficiency to deliver a seamless patient experience.

By Raymond Dickinson, Business Leader, New Zealand, SailPoint

Picture: Raymond Dickinson, Business Leader, New Zealand, SailPoint

Source:  Sailpoint media release

Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.

Do you have an item to add to sector updates?

Email your information to us at updates@hinz.org.nz

Return to eHealthNews.nz home page

The need to rapidly adopt hybrid ways of working and new technologies in response to the Covid-19 pandemic had escalated risks to Waikato DHB’s IT systems when it was hit by a cyber-attack in May 2021, a report says.

The report analysing the attack also notes that the hospital’s IT and clinical teams initially lacked insight into each other’s domains and says it will be important for Te Whatu Ora to “ensure that clinical and IT teams plan for both security and incident response in close and permanent coordination”.

Waikato DHB (WDHB) was hit by a ‘large-scale criminal ransomware attack’ on May 18, 2021 causing a full outage of its Information Services across the region. Surgeries were postponed, and patient and staff details were stolen then later posted online by the cyber criminals.

“WDHB told us that the rapid changes made to support remote working as well as the need to adapt and respond to the pandemic was material to the state of IT systems at the time of the attack,” the report says.

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

“They explained that the hospital IT environment went rapidly from having been designed to operate in a risk context largely limited to the physical location of the hospital(s) with fragmented and minimal digital access beyond those physical environments, to one where they were forced to rapidly adopt hybrid ways of working and new technologies, with a consequent escalation of risks arising from greater remote access.”

The Ministry of Health said that it had warned DHBs of the security risks of a large scale move to remote working in an advisory of Covid specific cybersecurity threats, which included ransomware targeting healthcare.

The report says Covid-19 was only one contributing factor to the state of Waikato’s IT environment, and that health systems were more networked and more dependent on data exchanges than had been “consciously realised”.

“The health data ecosystem has evolved, as an emergent network over many years. This process has been largely clinician-driven, in many cases without the knowledge of IT teams,” it says.

The former DHB’s first response to the cyber-attack was to physically disconnect all of its services from the Internet and other health systems, including corporate IT systems, laptops, printers, phones, medical devices, and any cloud services.

This affected healthcare provision across the region as well as other DHBs and primary and community providers who used shared services.

Initially, Waikato took a risk-averse approach to reconnecting systems, and the process focused on server restoration rather than service restoration, but this was of limited use as it was not clear to the IT team how servers connected to services.

“This meant even when the incident response team remediated a significant number of servers, this did not necessarily translate into the effective restoration of services from the viewpoint of the hospitals,” the report says.

The IT team initially lacked a good insight into the way healthcare was delivered, and vice versa, but clinical and technical experts worked together on a ‘wave’ plan to reconnect services.

The incident was formally closed 10 November 2021, but most services were back much sooner.

The authors recommend that Te Whatu Ora commission risk modelling based on actual health IT systems (including legacy systems) to assess exactly how vulnerable they are to cyber intrusion and consequent compromise and degradation.

Waikato DHB was disestablished in July 2022 and is now called Te Whatu Ora – Waikato.

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

Read more Information Governance news

Return to eHealthNews.nz home page

What is the role of CISO for Primary Health Sector?
It’s my job as Chief Information Security Officer – Primary Health Sector, to oversee and advise on cyber security for everyone in the sector, from general practices to community pharmacists, allied health professionals, community aged care, Māori health organisations, and primary health organisations.

It’s a big job because the primary health sector is in every community across the motu, and there are different needs, expertise, and resources required. Because of this, relationship management and sector engagement are as important in the role, as specific technical advice.

Why is it important to have a primary care CISO?
Health systems all around the world are being targeted by cyber criminals and it’s not surprising when you consider the size of these systems and the sensitivity of the information they deal with.

In New Zealand, the primary health sector is made up of around 170,000 people, working at roughly 2,500 small to medium sized businesses – all of whom deal with massive amounts of sensitive health information every week. Just one wrong click on an unprotected system, and you can very quickly have a major security incident.

That’s where my team and I come in – we’re trying to demystify cybersecurity and point the sector in the right direction in terms of building up cybersecurity capability.

What does your role involve?
I think there’s growing awareness in the sector about what cybersecurity is and why it’s important. The problem is there’s still a lack of understanding about what organisations can practically and affordably do to protect themselves.

There is a common perception that cybersecurity is something for IT departments to worry about. What I’m trying to do is to get people thinking about cybersecurity as shared mahi. Yes, you might need specialist skills to install specific software and patches and all that sort of thing. But there’s a lot we can all do as a matter of course to make it harder for cybercriminals. Don’t click on suspicious links. Lock your computer when you move away from it. Use strong, secure passwords and multi-factor authentication. Don’t send sensitive work information to your personal email accounts. Understand why backups are important and how to be prepared for a cyber incident. Those sorts of practical precautions make a huge difference to the security of our systems.

What’s your background in this space?
I have been in the primary and community health sector for seven years, working with PHOs, general practices, pharmacies and so on in the central North Island where I'm based. As you might expect, I also have a lot of experience in technology and security, building technology and security services for organisations from the ground up.

Have you always had an interest in IT or cybersecurity?
I confess I am a true geek: I love technology in all shapes, forms and sizes! But I’ve got a longstanding connection with the health sector as well, since I come from a family with generations of doctors and pharmacists. So, really, working on cybersecurity within the health sector is the perfect job for me.

What are five key pieces of advice for improving cybersecurity?
As I said before, there are some basic things you can do right now, that will make a big difference:

• Set-up strong multifactor authentication on all accounts (especially administrative accounts). This means that as well as requiring a strong password, you’ll need to enter a secondary form of identification, for example a passcode that is sent to your mobile phone.
  
• Make sure all your servers and devices are kept up-to-date with security upgrades and patches.
• Install reputed antivirus/anti-malware protection on all user devices and servers.
• Make sure you backup your servers and devices on a regular basis, so that if the worst happens and your system is compromised or information is compromised for whatever reason, you can get it back.
• Talk about cybersecurity on a regular basis with your staff, and check that everyone understands what they need to do to keep your organisation and your community safe.
  

What do you do in your free time?
I confess my job keeps me pretty busy, but when I get the chance, I enjoy playing golf, reading non-fiction and hanging out with my family.

Picture: Te Whatu Ora chief information security officer - primary health sector, Nancy Taneja

If you want to contact eHealthNews.nz regarding this View, please contact the editor Rebecca McBeth.

Read more VIEWS

Return to eHealthNews.nz home page