Scoop Politics

Holes in DHB cyber security – Expert Reaction

Friday, 25 October 2019, 11:16 am
Press Release: Science Media Centre

The Ministry of Health found five health websites with potential vulnerabilities following the data breach of Tū Ora Compass Health.

The Ministry investigated 600 websites run by primary health organisations and district health boards after cyber hacks targeted Tū Ora Compass Health earlier this month.

None of the PHO websites scanned were identified as having any specific vulnerabilities. Five websites operated by three District Health Boards (DHB) were identified as having potential vulnerabilities. One was a false positive, two cases found no subsequent breach, and analysis continues for the remaining two. None of the vulnerable websites contained private patient information.

The next step is to commission independent external reviews of all DHBs and PHOs to test and remedy vulnerabilities in externally facing IT systems.

The SMC asked experts about the results from the cyber testing.

Dr Vimal Kumar, lecturer, head of Cyber Security Lab, University of Waikato, comments:

"The Ministry’s three-step approach seems to be a reasonable one.

"The first step of the National Cyber Security Centre (NCSC) quickly scanning the public-facing websites will identify existing vulnerabilities, which they seem to have in some cases. The second is for PHOs and DHBs to undertake an assessment of appropriate security controls and implementation of security best practices, and the third is offensive penetration testing of the systems which will help in a deeper assessment of the systems.

Advertisement - scroll to continue reading

"This, however, should not be a one-off exercise. It needs to be kept in mind that cybersecurity is a continuous process and the custodians of data, and especially health data, need to undertake such exercises regularly to assure themselves, as well as the public, that their data is safe. It should also be noted that security is not just the responsibility of a particular person or a group of people within an organisation. It is the responsibility of everyone and organisations must take steps to raise cyber-awareness within their staff."

No conflict of interest.

Associate Professor David Parry, Head of Department of Computer Science, AUT, comments:

"It's good to hear that there are no other websites in the PHOs with the same vulnerabilities, but it is very concerning that three DHBs do. In my view, this confirms that the public health sector as a whole is not investing in IT people and technology at an appropriate level for the 21st Century. Essentially there is too much work and not enough support despite very dedicated people working throughout the sector.

"The next step is basically asking health organisations to confirm that they have adequate security in place. This is fine, but the fact that the question needs to be asked indicates that there are not clear lines of responsibility around this as yet. External audits are very important and will reveal other issues I’m sure.

"Overall this is a good response but shows again that this area has been neglected. I think most people would be shocked that this work is not already being done. Unfortunately there are very few incentives for organisations in the health sector to work together either by sharing data and analysis approaches or best practice around security. This is also emphasised by the interim Simpson report.

"Overall the health system is still much better at collecting information than using it to improve care or increase efficiency. Government should consider how it can give clear and consistent support for safe and effective use of information. Privacy models are out-of-date and ineffective if security is not adequate. Patients have the right to expect that their data will be protected and used effectively but in many cases they are not even aware of how it is collected, used, or by whom. Investment in this area is vital along with top-level management awareness and education, and clear guidance about the law in this area."

No conflict of interest.

ends

Science Media Centre NZ

Our aim is to promote accurate, evidence-based reporting on science and technology by helping the media work more closely with the scientific community.

The Science Media Centre is New Zealand's only trusted, independent source of information for the media on all issues related to science. Thousands of news stories providing context from and quoting New Zealand researchers have been published as a direct result of our work.

Contact Science Media Centre NZ

Website - www.sciencemediacentre.co.nz
Email - smc@sciencemediacentre.co.nz
Phone - +64 4 499 5476
Mobile - +64 21 859 365
Facebook
Twitter - @smcnz
YouTube
Postal Address - PO Box 598, Wellington 6140

Parliament Headlines | Politics Headlines | Regional Headlines

NEW ZEALAND POLITICS

Gordon Campbell: On The Public Sector Carnage, And Misogyny As Terrorism

It’s a simple deal. We pay taxes in order to finance the social services we want and need. The carnage now occurring across the public sector though, is breaking that contract. Over 3,000 jobs have been lost so far. Many are in crucial areas like Education where the impact of losing support staff is either going to fall back on teachers, or result in crucial things being done poorly by the overworked survivors at the Ministry. The cuts are being enacted without the coalition government having a clue (or visible concern) about what the impact will be. The prior promise to go through this stuff “ line by line” has gone out the window.

DoC: Canterbury Spotted Skink In Serious Trouble

One of our rarest, seldom-seen skinks is even more threatened than we had thought, with fewer than 1000 mature individuals. An urgent assessment by an expert panel has seen Canterbury spotted skink reclassified from Nationally Vulnerable to Nationally Critical – the last step before extinction.

Te Pāti Māori: Oranga Tamariki Cuts Commit Tamariki To State Abuse

Te Pāti Māori is disgusted at the confirmation that hundreds are set to lose their jobs at Oranga Tamariki, and the disestablishment of the Treaty Response Unit. “This act of absolute carelessness and out of touch decision making is committing tamariki to state abuse.” Said Te Pāti Māori Oranga Tamariki spokesperson, Mariameno Kapa-Kingi.

NZCTU: Inflation Data Shows Need For A Plan On Climate And Population

Data today shows headline CPI inflation at 4%, continuing the fall begun in March 2023. Rises are concentrated in particular sectors – especially services. However, petrol prices rose by 12% from last year. This is worrying as petrol pricing tends to lead inflation data. The faster we can transition to an electric vehicle fleet the better.

Statistics New Zealand: Annual Inflation At 4.0 Percent

New Zealand's consumers price index increased 4.0 percent in the 12 months to the March 2024 quarter, according to figures released by Stats NZ today. The 4.0 percent increase follows a 4.7 percent increase in the 12 months to the December 2023 quarter.

Brendon McMahon - Local Democracy Reporter: West Coast Swim Spot Testing Clear Of E-coli

The latest testing at a popular Westport swimming beach appear to show an all clear for E-coli. Earlier samples over summer had flagged contamination from cattle, according to a report to the West Coast Regional Council.

Green Party: Government Throws Coal On The Climate Crisis Fire

The Government’s policy announced today to ease consenting for coal mining will have a lasting impact across generations. “Today the Government has announced the latest frontier in its relentless assault on our planet, easing the path for more climate-heating coal mining,” says Green Party co-leader Chlöe Swarbrick.

Join Scoop Pro

Submit News

Become a Member