Two Kiwi health regulatory boards pinged for lax ICT security

IT security firm Echo IT found two regulatory boards had posted confidential documents on their web servers.

Private and confidential documents were found to be accessible on two health board web servers

The IT security of two health regulators has been found wanting after an Upper Hutt IT security firm found confidential documents available online.

Echo IT found that the Optometrists and Dispensing Opticians Board and the Physiotherapy Board were storing internally sensitive and private information on their public websites.

Echo IT security engineer James Winstanley said while he was confident that both organisations were committed to their privacy obligations, there was evidence that poor understanding of information security practices was a factor in both boards’ decisions to store private documents in unsecured and publicly accessible areas of their websites. 

“As companies move to adopt technological frameworks, the question of security becomes directly relevant to one of privacy,” Winstanley said.

“It is imperative that organisations consider how their privacy obligations extend into the fields of cyber security, and that they receive the support appropriate for their level of digital exposure.”

Echo IT undertook what it described in a report as an independent research project covering a range of organisations and sectors.

The Optometrists and Dispensing Opticians Board of New Zealand was found to be leaking a large volume of private information, including one instance of a credit card.

The Physiotherapy Board of New Zealand was found to also be leaking private information and was potentially violating a name suppression order.

Echo IT’s full report can be viewed here.

The Physiotherapy Board said it could assure the public that no confidential personal information has been made public. 

"However a weakness in our website security has been identified and has been dealt with: we have removed all confidential personal information from our web server, and we have shut down the ability for the public to place further information on this server," board CEO Jeanette Woltman-Black said.

The board also expressed its concern at what it described as "unauthorised access" made to its server. 

"In our view the actions taken to bypass our website’s front-end were unethical and wrong," Woltman-Black said.

"We take confidentiality of personal information entrusted to us extremely seriously. The public can be assured that when they engage with us on sensitive issues they can do so in complete confidence."

Winstanley said he believes Echo IT's investigation complied with relevant frameworks.

"Our research has helped both organisations identify and remove the sensitive personal information that was accessible to the wider public. 

"Although Echo IT acknowledges that dealing with leaks of sensitive information can be distressing, we encourage organisations to work with security professionals to address the points of failure, rather than to react with hostility."

The chair of the Optometrists and Dispensing Opticians Board, associate professor Jennifer Craig, said that after Echo IT notified the board of the issues, they were immediately passed on to the board's website hosting firm for investigation. The hosting firm helped the board resolve the issue and also upgraded the board’s firewall as an extra measure of protection.

"The digital consultancy firm was thanked for bringing this issue to the board’s attention and notified of the action taken to resolve the issue. The Board believes it has taken all possible steps to resolve this issue within its control in accordance with advice provided by the Office of the Privacy Commissioner."

The board has not utilised its ‘member only’ section for a few years, so it does not anticipate any future breaches of this kind.

Craig said the board had no further comment other than that it takes security of information very seriously and will be reviewing all of its policies and procedures.

The two board cases are not identical. The Optometrists and Dispensing Opticians Board website was provided through a custom CMS developed by a web design company that ceased operating in late 2015. 

"This could mean that the website is unsupported or faces reduced access to security updates and improvements," the report said.

Users had the ability to enumerate all the website's hosted documents, the report said. While that was not ideal, it was not strictly a vulnerability. 

"The function works as intended, even if some might argue it is not the most secure method for handling file requests. It was the board's decision to store sensitive files using this method that created problems."

The Physiotherapy Board used a Drupal 7 website. Like the other site, the Physiotherapy Board's website used a single endpoint to reference individual documents.

"Whilst this method has advantages over the method we believed the Optometrists site used, it is still subject to the same enumeration problem. The only difference here was that our method required an extra step, and a modification to the script previously used."
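As an added illustration that is not part of the article or the Echo IT report: a defender-side check that scans web-server access logs for the pattern the report describes, a single client walking document identifiers one after another through one document endpoint. The log lines, the client addresses, the `/document/<id>` path and the thresholds are constructed assumptions for this example, not details from either board's site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined-log style). The /document/
# endpoint, client addresses and ids are assumptions for this example. Failed
# requests (404) count too: an id-walking script probes ids whether or not a
# document exists behind each one.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2018:09:00:01 +1200] "GET /document/101 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2018:09:00:02 +1200] "GET /document/102 HTTP/1.1" 200 4811
203.0.113.5 - - [10/Jul/2018:09:00:02 +1200] "GET /document/103 HTTP/1.1" 404 210
203.0.113.5 - - [10/Jul/2018:09:00:03 +1200] "GET /document/104 HTTP/1.1" 200 9000
203.0.113.5 - - [10/Jul/2018:09:00:03 +1200] "GET /document/105 HTTP/1.1" 200 1200
203.0.113.5 - - [10/Jul/2018:09:00:04 +1200] "GET /document/106 HTTP/1.1" 200 3333
198.51.100.7 - - [10/Jul/2018:09:05:00 +1200] "GET /document/342 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jul/2018:09:07:30 +1200] "GET /about HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_requests(log_text, endpoint_prefix):
    """Yield (client_ip, document id, status) for requests under the document endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(endpoint_prefix):
            continue
        tail = m.group("path")[len(endpoint_prefix):].split("?", 1)[0]
        if tail.isdigit():
            yield m.group("ip"), int(tail), int(m.group("status"))

def longest_sequential_run(ids):
    """Length of the longest run of consecutive ids, the signature of id-walking."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, endpoint_prefix="/document/", min_distinct=5, min_run=4):
    """Flag clients that requested many distinct ids, mostly in consecutive order."""
    per_client = defaultdict(list)
    for ip, doc_id, _status in parse_requests(log_text, endpoint_prefix):
        per_client[ip].append(doc_id)
    findings = {}
    for ip, ids in per_client.items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            findings[ip] = {"distinct_ids": distinct, "longest_run": run}
    return findings
```

A hit from this check is a prompt to confirm that nothing sensitive sits behind the endpoint and that each document request is authorised, which is the control both boards lacked.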
