20 Jul 2018

WannaCry ransomware attack on UK hospitals reveal security gaps in NZ

8:03 am on 20 July 2018

A report released after last year's ransomware attack which crippled the UK's NHS has shown gaps in our hospital devices' protection against cyber attacks.

no caption

The WannaCry ransomware attack led to nearly 20,000 cancelled hospital appointments. Photo: 123rf.com

Ransomware attacks are malware encrypted data which infect devices and then demand a ransom.

A Health Advisory Committee report from Counties Manukau District Health Board has highlighted significant challenges in ensuring its medical devices are protected.

Last year the UK's National Health Service was hit by its biggest cyber-attack to date.

The ransomware, called WannaCry, led to nearly 20,000 cancelled hospital appointments.

But how prepared are we in New Zealand?

Released under the Official Information Act, a Health Advisory Committee report from Counties Manukau DHB highlighted significant challenges and gaps in the way it manages medical device PCs.

The radiology department and lab equipment were specified as areas of concern and an additional 46 devices were earmarked as needing a further review.

The DHB would not specify the devices, but in the NHS attack devices such as MRI scanners and blood test analysis devices were affected.

When asked what has been done in light of the report, the DHB would not go into details.

"However, we can assure health consumers that we take the security and protection of patient information and systems very seriously. There are appropriate systems and processes in place to protect health information systems and data," it said.

But technology and business commentator Paul Spain of Gorilla Technology said Counties Manukau DHB would not be alone.

"It's really challenging for any organisation, let alone our DHBs, to stay on top of technology and cyber security issues in general. It's hard to find the right people and resources.

"There are some big issues here that probably can't be solved overnight," he said.

Mr Spain said paying for a long term solution could be difficult for DHBs.

"I am aware that our DHBs in some cases have some really outdated systems, that they haven't managed to move off.

"It's not uncommon for costs in the tens of millions of dollars to migrate to the new systems," he said.

He said DHBs may need to go back to central government for more funding.

Ministry of Health acting chief technology and digital services officer Michael Dreyer said post-WannaCry the ministry had put additional resources into cyber security.

He said technology was a big part of cybersecurity but security awareness was also critical in preventing and reducing cyber threats like ransomware. Cyber security was now routine work for all DHBs and other health agencies.

Meanwhile, Digital Services Minister Clare Curran said cyber threats were increasing and becoming more sophisticated, so the government was in the middle of refreshing its national cyber security strategy.

This will include issues such as phishing, malware, ransomware and denial of service.