Significant Investment In Cybersecurity To Improve Resilience Of Health And Disability System

Up to $75.7 million, from Budget allocations, will be invested over 3 years to increase the resilience of data and digital systems in the face of increasing cybersecurity risks.

“The number and sophistication of cyber-attacks is increasing around the world, and healthcare is traditionally one of the most targeted sectors. We’ve seen with the recent incident at Waikato District Health Board that New Zealand is not exempt from this global trend,” says Shayne Hunter, Deputy Director-General, Data and Digital.

“Our health and disability system is critical national infrastructure that will only become more dependent over time on digital technology and information sharing across health networks. This contributes to better patient care and health outcomes but increases the risk presented by cyber threats.

“While it’s not possible to fully eliminate cyber risks altogether, it’s essential we improve the resilience of our health and disability system so we can minimise the risk of disruptions to healthcare services in the event of a cyber-attack and better protect sensitive health information.”

“While all 20 DHBs are continuing to make progress with increasing the resilience of their systems to reduce the risk and impact of events like the Waikato cyber-attack, we know that more needs to be done. That’s why the Ministry of Health has worked with DHBs to assess the current cybersecurity risks across the sector and prioritise areas for improvement through a cybersecurity roadmap.

“The first step in the roadmap is to build a set of core cybersecurity capabilities for our hospitals, primary care and community services. This will reduce the likelihood of another successful cyber-attack while laying solid foundations for further cybersecurity improvements and the secure implementation of new digital health technologies.”

Work will include increasing security leadership and capability both regionally and nationally, upgrading existing software and systems, establishing national security standards and guidelines, strengthening assurance and testing capability, and increasing the use of cloud security services as well as improving identity and access management systems.

“A focus of our strategy is on sharing resources and capability. A key responsibility of the regional cybersecurity teams will be to help primary care and community providers develop incident response plans so they can continue to provide essential services in the event of a cyber-attack.”

Delivery of the roadmap will be governed by a Cybersecurity National Steering Committee, which will include national and regional Chief Information Security Officers (CISOs) along with representatives from the Ministry, the heath sector, the National Cybersecurity Centre and the Government Chief Digital Officer.

Media contact:

Blair Cunningham

021 195 3978

Background

How will the funding be invested?

Historically, cybersecurity investment across the health and disability sector has been in specific technology solutions to address a specific problem rather than taking a holistic view that includes people, processes and governance.

Key focus areas within the cybersecurity roadmap include the following:

Dedicated and experienced security leadership

Cyber security leadership and experience is vital to the management of cyber risks. Roadmap funding will enable the recruitment of a National CISO; a Primary Care CISO and 10 further cybersecurity FTEs. Three regions have now appointed a regional CISO.

Security standards, assurance and education 
Improvement of a National Health Information Security Framework including leveraging automated security compliance solutions across the sector. Cybersecurity education activities will be supported by online security learning tools.

Cyber security detection and response capability
Investment in the refinement of the national cyber incident response capability including the creation of a national security operations function.

Improved external and internal network security
Improved network security including improving network segmentation and deployment of advanced security features to bolster the health sector’s ability to stop advanced security threats.

Advanced endpoint security

The deployment of a unified advanced endpoint security tool to provide up to date protection against modern security threats.

When will we start to see improved cybersecurity?

The security enhancements within the cybersecurity roadmap will be delivered over a period of about three years. The most serious cyber risks will be addressed first before further system wide cybersecurity improvements are implemented.

The timeframe for delivering the roadmap reflects the complexity of the current environment and the need to take an iterative approach to improve workforce, process and technology capability at national, regional and organisational levels.

How does this fit in with the health and disability system reforms?

The Ministry of Health has worked closely with the Transition Unit on the data and digital changes needed to enable the reforms. The investment to improve cybersecurity capability is a key part of these changes. The Ministry will continue to work closely with the Transition Unit to inform implementation of the cybersecurity roadmap.

What new roles will be established?

Almost 10 new roles will be established including regional security leadership roles as well as a mix of security assurance consultants and analysts working in the national security operations function.

What is the current status at Waikato DHB?

Waikato DHB has restored all clinical services and the majority of its ICT systems are operational. Work is underway to review any cases where a patient’s treatment had to be deferred.

Following the Waikato cyber incident, all 20 DHBs have completed work to increase their resilience including completing a full independent assurance review of their cyber security maturity.

© Scoop Media