Breach spurs security testing of health websites
The results of scans of hundreds of health websites have been released following the Tū Ora Compass Health breach.
The breach, in October, meant up to 1 million New Zealanders could have their medical data in criminal hands after cyber attacks dating back years.
Five websites operated by three district health boards (DHBs) were identified as having potential vulnerabilities.
AUT Associate Professor David Parry, head of the department of computer science, said that while it was positive there were no other PHO websites with the same vulnerabilities, it was “very concerning” that three DHBs did.
“In my view, this confirms that the public health sector as a whole is not investing in IT people and technology at an appropriate level for the 21st century.
“Essentially there is too much work and not enough support despite very dedicated people working throughout the sector.”
Following the result, independent external reviews will be commissioned.
“Overall this is a good response but shows again that this area has been neglected,” Parry said.
The Government should consider how it can give clear and consistent support for safe and effective use of information, he said.
“Privacy models are out-of-date and ineffective if security is not adequate. Patients have the right to expect that their data will be protected and used effectively but in many cases they are not even aware of how it is collected, used, or by whom.”
The websites were scanned by the Government Communications Security Bureau’s National Cyber Security Centre.
One result was a “false positive”, where subsequent analysis showed the vulnerability had been previously patched to be secure. In the other four instances the vulnerabilities were confirmed and immediate action was taken by the affected DHBs to mitigate the risk.
The Ministry of Health has been advised that none of these websites contained, or provided immediate access to, confidential health information relating to patients.
Dr Vimal Kumar, head of the Cyber Security Lab at Waikato University, said the ministry’s approach was reasonable. “This, however, should not be a one-off exercise.”
Kumar said security was not just the responsibility of a particular person or a group of people within an organisation.
“It is the responsibility of everyone and organisations must take steps to raise cyber-awareness.”