Published on the 08/10/2019 | Written by Heather Wright
Stress testing after one million records exposed…
Monitoring of the security of New Zealand’s health organisation’s systems has been stepped up with cyber ‘stress testing’ underway after data for up to one million people was exposed in a massive breach.
The breach of Tū Ora Compass Health Primary Health Organisation, which is being investigated by police, the National Cyber Security Centre and the Ministry of Health, was identified in August and affects Tū Ora and five lower North Island based PHOs who have a relationship with the PHO, which itself serves the Wellington, Porirua, Kapiti and Wairarapa regions.
“It was our responsibility to keep people’s data safe and we’ve failed to do that.”
All New Zealand PHOs and district health boards have been ordered to review their cybersecurity and report back to the Ministry of Health by today.
An investigation into the Tū Ora breach found previous cyberattacks dating from 2016 to early March 2019.
Tū Ora Compass says there is ‘no evidence’ that access to patient data has occurred, but it can’t rule out the possibility that some patient data may have been accessed during the cyberattack.
While Tū Ora doesn’t hold GP notes – which are held by individual medical centres – it does hold data on who is enrolled at which medical centre, their National Health Index number and personally identifying information including names, date of birth, ethnicities and addresses.
The PHO says it also holds a range of other information about some patients, including details related to health campaigns, such as whether a patient smokes or has a chronic condition such as diabetes. It also holds a range of data used for analysis and reporting back to medical centres – including information on which children are due for immunisation, who has been admitted to hospital for ‘potentially avoidable conditions’ and who is due to be recalled for cervical screening, heart and diabetes checks.
“We don’t know the motive behind the attacks,” the PHO says. “We cannot say for certain whether or not the cyberattacks resulted in any patient information being accessed. Experts say it is likely we will never know.”
Part of that issue may lie in a lack of audit logs, with the PHO admitting ‘we do not have audit logs back to 2016’.
“As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health,” Tū Ora Compass chief executive Martin Hefford says.
“We are devastated that we weren’t able to keep people’s information safe. While this was illegal and the work of cyber criminals, it was our responsibility to keep people’s data safe and we’ve failed to do that.
Ashley Bloomfield, Director-General of Health, says the Ministry of Health has been working with the GCSB’s National Cyber Security Centre to investigate the intrusion and check if other PHOs and DHBs might be at risk.
“This work is ongoing and we expect to have an initial assessment in the next two weeks,” Bloomfield says. “We are also commissioning further independent reviews of the security of PHO and DHB information systems.”
The Ministry says it and the GCSB believe the testing will identify areas where further action can be taken to strengthen information security measures at PHOs and DHBs.
“The Ministry will be publicly reporting on progress with this work for the remainder of the year.”
Tū Ora admits the breach has left patients affected ‘potentially more susceptible to scams’.
“We are advised that cyber criminals, even if they have no actual information, try to scam people by claiming they have it even when they don’t. Unfortunately, if they do have it,then there is also the likelihood of more scams or attempts to use any information they hold to get more or to obtain money.”
Tū Ora went public with the breach in August, admitting its site was targeted ‘as part of a widespread global cyber incident in which a number of organisations’ websites were defaced’.
“Shortly after we became aware of the incident on 05 August, we contained it by taking the compromised server offline,” then acting chief executive Justine Thorpe said at the time. “This stopped all access to any applications and data on that server and elsewhere within our network.”
The PHO says it has already moved its public websites to a new platform and has bolstered its security play with enhanced antivirus and email scanning software, a SIEM system and Web Application Firewall. It has also established a security operations centre to monitor and resolve threats.
The PHO is also currently moving to a ‘more modern and more secure infrastructure’ using Microsoft Azure in an upgrade expected to be completed by April 2020.
“The new Tū Ora Microsoft Azure environment will be fully secured with a defence in depth approach to protecting all our electronic assets,” the PHO says. “Tū Ora will also be using the Advanced Threat Protection features available from our investment in the Microsoft 365 suite of products, including device and application protection, data loss protection and full data encryption.”
The PHO says it’s also working with the Ministry of Health and other agencies to consider the option of enabling patients to opt out of having data collected by GPs – something it says is currently not possible due to ‘system limitations’.