Waikato cyberattack: Servers in question not culprit, DHB says

11:44 am on 1 July 2021

A set of Waikato District Health Board servers were at end-of-life and unpatched when hackers struck in the early hours of 18 May, a source claims.

A sign at Waikato Hospital in May. Photo: RNZ / Andrew McRae

And decisions that led to the poor security and ailing system were financially motivated, claimed the source close to Waikato DHB.

However, the DHB said the particular servers were not a contributing factor in the cyber attack.

The information comes as those responsible for the ransomware attack dumped large tranches of the DHB's private patient and employee details on the dark web on Tuesday, six weeks after the hack crippled services across five hospitals including Waikato.

The massive privacy breach shows swathes of files that contain personal and highly sensitive information about patients and employees.

The source claimed servers containing Human Resources Information System (HRIS) data based in Caro St, Hamilton, had not been patched for years.

Server patching refers to installing critical security software updates on a server when an update is released.

"The Waikato DHB was relatively up-to-date with patching with the exception of Caro St," the insider said.

Compounding the problem was that the Caro St servers were at end-of-life, which meant they were unsupported, the source claimed.

"The underlying infrastructure hosting these servers became 'end-of-life', out of support, and subsequently no security or patches were applied to this equipment."

It's understood the DHB had been migrating its information systems to a cloud host based in Auckland.

Migrating the HRIS servers from Caro St to the cloud was initiated in January this year; however, due to risk, the DHB brought on consultants to manage the project, the source said.

It's understood different departments within the DHB have separate IT budgets, and the source claimed the estimated cost of this project blew out to more than $1 million for the Human Resources department.

The migration did not continue due to budget and the servers remained unpatched, the source said.

"The hackers would have obviously exposed a vulnerability within the system and exploited that. I suspect Caro St was that point of vulnerability."

In 2018 the DHB initiated a tender process for renewal of HRIS, which at that stage was 17 years old, documents show.

The tender asked for a solution that would make the HRIS fully compliant with the New Zealand Information Security Manual and specifically in relation to the management of role-based security, including providing improved adherence to security.

Almost $460,000 was spent for the renewal preparations across the 2018/2019 financial year, an OIA response from last year shows.

National's health spokesperson Dr Shane Reti said by June last year the renewal project had been listed as "red status due to technical and resourcing issues", impacting the time, cost and scope.

He said the DHB's risk and impact register from the past 12 months showed HRIS software as a "highly probable risk with severe impact".

A DHB spokesperson said it had been confirmed HRIS servers were not a contributing factor to the breach of security.

He said the migration of the applications at the Caro St site was largely completed prior to 18 May and they had now all been moved.

Exactly where the vulnerable point was and how the hackers found it is still unclear.

Hackers use a number of techniques including macros (bits of code) in emails, Word documents and PDFs to get into a system, as well as port scanners to detect possible access points for infiltration and to identify what kinds of devices are running on the network, such as firewalls, proxy servers or VPN servers.

In a statement on Tuesday night the DHB confirmed stolen information had made its way onto the dark web.

"While we had hoped this would not occur, the DHB was aware of the risk and had been preparing and working closely with cyber security experts to identify and manage any potential disclosures.

"Unfortunately, predicting the actions of cyber criminals can be challenging, however, we are monitoring the situation as closely as possible to protect our community."

Minister of Health Andrew Little told Local Democracy Reporting the Ministry of Health had information standards that DHBs were expected to comply with.

"This includes keeping up with basic maintenance. There will be an independent inquiry into the Waikato DHB cyberattack which I expect will commence once services are fully restored."

Many services including critical patient treatments such as radiation therapy have been restored but Local Democracy Reporting understands some Waikato Hospital departments face a backlog in patient care because of the delays caused by the attack.

IT security expert Daniel Ayers said if the DHB had servers that were no longer supported it meant the software would have been very old.

The forensic IT investigator said he couldn't understand why an investigation into the cause of the hack had not already begun.

He said the threat of cyber security incidents within health was widely publicised from 2019 and that the attack at Waikato DHB was preventable.

Under Rule 5 of the Health Information Privacy Code, an agency must ensure health information it holds is protected by reasonable security safeguards against loss, access, use, modification, disclosure or other misuse.

Privacy Commissioner John Edwards said Waikato DHB must notify all individuals whose details were included in the data published on the dark web, and take steps to prevent further distribution of the information.

"If somebody has suffered loss or considerable distress as a result of having their information included in the hack, and it can be shown that the DHB failed in its duty to take reasonable care, then the Waikato DHB could be liable."

Edwards said there was a risk the data dump could result in serious harm through identity theft and people fraudulently obtaining credit.

He encouraged anybody concerned about their personal information to get a credit freeze or suppression of their information, which would stop their credentials being used to open credit contracts.

Local Democracy Reporting is a public interest news service supported by RNZ, the News Publishers' Association and NZ On Air.
