OPINION: With 73 cancer patients deployed to other hospitals, 60 surgeries cancelled in one week and the public no closer to knowing how cyberattackers accessed sensitive patient data or what they have done with it, the issues faced by the Waikato District Health Board recently show just how devastating a ransomware attack can be.
From July 2022, in just over one year, New Zealand’s 20 district health boards will be replaced by Health New Zealand, a single national health body that will be responsible for running the country’s hospitals.
Having one centralised service is likely to bring a range of benefits – from greater cost efficiency for the government, to better treatment options for patients. But it also increases the risk that a cyberattack like the one seen on the Waikato DHB could impact the whole country’s health system.
When Health New Zealand was announced on April 21, Minister of Health Andrew Little stressed that the reforms would not mean funding to hospitals would be cut.
Little said: “It will monitor threats to our health and ensure we are ready to deal with them.” In other words, there will be a shift in the Government’s health priorities towards prevention.
He said there would be a greater focus on technology to deliver more care digitally where appropriate (as was the case during our various Covid-19 lockdowns), and to ensure that information was better shared through services – in an integrated way.
Given our ageing and underfunded health IT infrastructure, it’s great that the need for a greater tech focus has been acknowledged, but there was something obviously missing from this announcement and it should be at the forefront of the conversation: the digital security of this new single health body.
What is the point in having better digital services for patients if the whole system can be brought to its knees again because of a lack of investment in cybersecurity?
The Australian Government has put forward $1.6 billion in its budget over 10 years to combat threats relating to cybersecurity. The Biden administration has asked for $9.8 billion in federal civilian cybersecurity spending, up 14 per cent. Meanwhile, in New Zealand’s 2021 Budget, the Government has decided to cut the Department of Internal Affairs’ digital safety budget from $55 million to $44 million.
These threats aren’t going away, so if we want our new health system to be world-class, then we need to invest in world-class digital protection. We need to have confidence that serious, disruptive and expensive cybersecurity breaches won’t happen. And according to researchers at Unit 42 (the Palo Alto Networks threat intelligence team), the scale of these attacks will only get worse; their report notes that healthcare was the most targeted sector for ransomware attacks in 2020.
In health, prevention is always better than a cure. Likewise, cybersecurity needs to be a proactive investment, not a reactive cost.
Funding is one part of the solution. The other? Collaboration and knowledge sharing. Information around the Waikato DHB attack is relevant for every business, so we need publicly available information gleaned from this attack to be shared widely – and quickly.
We need to know what techniques were used, where the systems fell down, and what was compromised. All of those things can be disseminated without giving up information about the gaps or issues the Waikato DHB had.
Of particular interest and value is a description of the TTPs (tactics, techniques and procedures) associated with the attack. This move to TTPs is happening industry-wide, and awareness of the approach is being driven by organisations like Mitre, whose ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
The observations act as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
We aren’t trying to blame the victim here. We are trying to find solutions through collaboration and transparency to help ensure that every New Zealand business or organisation is as safe as they can be and to prevent this from happening again.
When our centralised health system is launched next year, the stakes will be even higher.
Mark Shaw is a pre-sales consultant at Palo Alto Networks.