27 May 2021

How safe are NZ public sector IT systems?

From Checkpoint, 5:14 pm on 27 May 2021

District Health Boards are on notice from the Privacy Commissioner, to lock their virtual front doors or face possible prosecution, following Waikato DHB's ransomware cyber attack.

Waikato District Health Board notice of outage of systems from cyber attack.

Photo: RNZ / Andrew McRae

The DHB confirmed that confidential patient and staff information stolen in the attack is genuine.

Health Minister Andrew Little said he has sought and had reassurances from all DHBs that they have checked their IT systems and their resilience against possible cyber attacks.

But what does that actually mean? How well-prepared are the dozens of government entities and agencies that hold vast amounts of private and critically-important information?

"New Zealand organisations aren't as well protected as they should be, from a cyber perspective," futurist and chief executive of Gorilla Technology Paul Spain told Checkpoint.

"But also they don't want to reveal exactly how they're protecting themselves, in a similar manner to how a military force doesn't want to reveal maybe where their shortcomings are.

"We pour billions of dollars into our traditional defence as a country, into policing, but when it comes to the modern era where everything is digital, everything technology, we invest very little in protecting ourselves from that perspective.

"Absolutely, there's no question we're exposed," he said.

The Government Communications Security Bureau (GCSB) helps protect critical digital infrastructure and advanced threat detection. Its most recent cyber threat report lays out "a range of straightforward, practical steps that organisations can take to bolster their cyber resilience". 

Checkpoint took questions to DHBs and critical government services, based on that GCSB report advice. 

  • Do you have a disaster recovery plan? 
  • Prior to May 18 [when a cyber attack hit Waikato DHB] when did you last test the plan?
  • When was your last cyber security audit? 

Airways New Zealand said the least, with a statement saying: "Airways NZ has policies and mitigations in place to manage cyber security. We will not be making any further comment."

Lakes District Health Board was similar, saying: "All DHBs face cyber attacks in various forms daily. For security reasons we will not be commenting on our response to these attacks at this time."

Responses from DHBs on cyber security.

Responses from DHBs on cyber security. Photo: RNZ

Checkpoint asked Paul Spain if it would compromise those companies' security to disclose whether it has a disaster recovery plan.

"Where it might compromise their security as if they're not really getting this done on the regularity that they should be," he said.

"That's where it reveals that they're not taking cyber security seriously."

Health Alliance manages cyber security for the four Northern DHBs. Capital and Coast is speaking for three. Their responses to the questions were similar.

"We have robust contingency processes and measures in place," Capital & Coast DHB said.

"We don't comment publically [sic] on matters relating to cyber security… However we take the protection of data and systems very seriously," Health Alliance said, stating that it has a range of safeguards in place and is working with the Ministry of Health [MoH] and government to ensure necessary protection.

Responses from DHBs on cyber security.

Responses from DHBs on cyber security. Photo: RNZ

Health Minister Andrew Little has been asking for more details about DHB cyber security. He asked the MoH, who had to ask each DHB to confirm their virtual doors are locked.

"The Ministry advised me as of yesterday afternoon that they now have confirmed responses from all 19 other DHBs, that they have examined their systems for resilience against ransomware attacks, against cyber attacks," he told RNZ's Morning Report.

"There's never any cast iron guarantee, but an assurance has been given that they have checked their systems and they're in the best state."

In response to Checkpoint, Hawke's Bay DHB confirmed it completed a disaster recovery plan in April 2021, and its most recent cyber audit was 2020.

Southern DHB said it has a recovery plan and regularly tests that plan as part of its digital risk management.

It also mentioned a rise in threats just before the Waikato DHB attack.

"We noticed that there had been an increase in the number of attacks over the seven days prior to the Waikato DHB incident.

Responses from DHBs on cyber security.

Responses from DHBs on cyber security. Photo: RNZ

"It is a constant battle and there is a need for ongoing vigilance. Southern DHB has implemented additional security measures and activated appropriate cyber traffic management systems since the attack on the Waikato DHB. The organisation already had protection in place and has further strengthened existing cyber security systems and tools."

The acting chief digital officer for the Canterbury and West Coast DHBs detailed what that cyber battle can look like.

"Our perimeter security systems reject over 1.5 million connection attempts for each DHB in a typical week, any of which could be an attempt at a cyber intrusion."

In the GCSB advice, it recommended that: "Systems and applications should be regularly maintained, and patches or mitigations for newly disclosed vulnerabilities prioritised."

"A patch allows you to basically secure that front door into your organisation's technology systems," Spain said.

"You need to do that on a very, very regular basis. Otherwise your technological front door is effectively wide open to any criminals that would want to walk in."

Taranaki DHB gave Checkpoint a more detailed response on its maintenance of patches.

"We have a very comprehensive patching plan which is applied monthly. Our last monthly patching was conducted on May 17."

Whanganui DHB said: "The vast majority of our workstations and servers, but not all are up to date with the latest operating systems and or patches."

Spain said in theory adding new patches should be easy, but for organisations with older technology, patching becomes very difficult.

"Their systems can break and fall over when they try and update them."

He believes there are systems in government entities that are too old to be protected by new patches.

"There are no patches available for many of the older systems that still operate within New Zealand, so there's nothing that can be done other than modernising those systems and putting other smaller protection mechanisms around them."

Taranaki DHB also told Checkpoint it conducted penetration testing in January 2020, is currently doing a security audit and has another one scheduled for late July.

"We also have complete physical separation of IT systems and biomedical devices such as linear accelerators," it said.

Linear accelerators are machines for radiation treatment for cancer. The separation of its IT system and medical devices is significant, as Waikato DHB's linear accelerators are out of action due to the cyber attack, raising questions about how its system is connected.

It also raises the question as to whether the health postcode lottery extends to IT security too.

"If we look at healthcare, there are huge financial challenges for hospitals. If you ask a doctor to make a decision on buying a new machine that's seen as saving lives or investing in cyber security, they're probably going to go with what they know in terms of where that investment is going to get made. 

"I think that speaks to the challenge that we have in really understanding the criticality of cyber security. 

"We need at a governance level that our boards really take cyber security seriously. We need every single person across the country considering cyber security as critical.

"In the same way we stepped up with Covid-19, we've built that team of five million, we had a country that was united to hold out Covid-19. We need to have that same approach to our security from a digital perspective."