DHBs warned they were 'vulnerable' to cyber attacks last year

By Phil Pennington for RNZ

The Government and district health boards (DHBs) were warned last year the country's health IT systems are vulnerable to "significant" cyber threats.

An IT stocktake for the Ministry of Health (MOH) found the IT systems lacked "tools to detect security attacks".

It noted a "lack of technical support for data security".

The DHBs also lacked skilled IT staff to focus on security.

Use of insecure and non-integrated systems was widespread, and IT infrastructure, networks and security were not up to it, the stocktake said.

"These are outdated and not adequate to support the introduction of new systems and to manage the increased cyber security issues," it said.

"While digital health has become critical to the delivery of services, there are significant risks to services from a lack of system capacity, resilience and business continuity arrangements."

There was lack of money, and a large number of "obsolete" systems - but virtually no end to the multiplicity and duplication of them:

  • DHBs had up to 6000 devices in use, many old and not supported.
  • Northern Region's four DHBs had 1200 apps in use by exasperated staff.
  • Security policies and training were lacking.
  • Large numbers of users repeatedly joined and left agencies as they did training, without being removed from systems.

In the Northern Region - where the four DHBs were those most widely surveyed - 60 percent of core systems at data centres had no disaster recovery arrangement in place.

The five data centres were in "average to poor condition".

Half of all DHB operating systems nationwide needed upgrading by 2020 to avoid being out of support from vendors. It is unclear where that got to.

It also remains unclear if the MOH followed through, after Director-General of Health Dr Ashley Bloomfield asked after the stocktake for DHBs to look at what spending could be reprioritised into IT upgrades.

The MOH is responsible for the security of the shared health systems.

A more detailed IT stocktake was ordered last year and is meant to be done by next year.

The first stocktake said $2.3 billion was needed to address the "ageing", "slow" and "not fit for purpose" IT.

But 90 percent of current IT funding was just going into keeping old systems limping along.

The MOH said from mid-2020 it was working on revised principles to guide IT upgrades that are meant to be put in place this year.

The aim was for more consistency, and to accelerate cloud adoption to "support improved security and system resilience".

Asked to update the public on this work, the ministry said in a statement:

"The ministry provides advice and assistance for DHBs and other health sector agencies to help ensure they are prepared and they have appropriate security systems in place and have access to advice.

"All health agencies will be involved in a series of investments to improve security - this includes using the latest patches for known software vulnerabilities as well as regularly implementing software upgrades to improve security.

"A key part of the ministry's assistance is helping with information and advice to support significant IT upgrades planned by sector agencies as investment decisions are considered and prioritised by individual agencies."

The health and disability system review in 2020 said: "Planning for the level of digital technology needed to support an effective health and disability system is lagging behind.

"The quality of data, the ability to transfer data securely, and the interconnectedness of the various systems operating around the country are all barriers."

RNZ