Two Kiwi health regulatory boards pinged for lax ICT security

IT security firm Echo IT found two regulatory boards had posted confidential documents on their web servers.

Private and confidential documents were found to be accessible on two health board web servers

The IT security of two health regulators has been found wanting after an Upper Hutt IT security firm discovered confidential documents available online.

Echo IT found that the Optometrists and Dispensing Opticians Board and the Physiotherapy Board were storing sensitive internal and private information on their public websites.

Echo IT security engineer James Winstanley said while he was confident that both organisations were committed to their privacy obligations, there was evidence that poor understanding of information security practices was a factor in both boards’ decisions to store private documents in unsecured and publicly accessible areas of their websites. 

"As companies move to adopt technological frameworks, the question of security becomes directly relevant to one of privacy," Winstanley said.

"It is imperative that organisations consider how their privacy obligations extend into the fields of cyber security, and that they receive the support appropriate for their level of digital exposure."

Echo IT undertook what it described in a report as an independent research project covering a range of organisations and sectors.

The Optometrists and Dispensing Opticians Board of New Zealand was found to be leaking a large volume of private information, including one instance of a credit card.

The Physiotherapy Board of New Zealand was found to also be leaking private information and was potentially violating a name suppression order.

Echo IT has published its full report.

The Physiotherapy Board said it could assure the public that no confidential personal information has been made public. 

"However a weakness in our website security has been identified and has been dealt with: we have removed all confidential personal information from our web server, and we have shut down the ability for the public to place further information on this server," board CEO Jeanette Woltman-Black said.

The board also expressed its concern at what it described as "unauthorised access" made to its server. 

"In our view the actions taken to bypass our website’s front-end were unethical and wrong," Woltman-Black said.

"We take confidentiality of personal information entrusted to us extremely seriously. The public can be assured that when they engage with us on sensitive issues they can do so in complete confidence."

Winstanley said he believes Echo IT's investigation complied with relevant frameworks.

"Our research has helped both organisations identify and remove the sensitive personal information that was accessible to the wider public. 

"Although Echo IT acknowledges that dealing with leaks of sensitive information can be distressing, we encourage organisations to work with security professionals to address the points of failure, rather than to react with hostility."

The chair of the Optometrists and Dispensing Opticians Board, associate professor Jennifer Craig, said that after being notified of the issues by Echo IT, the board immediately passed them on to its website hosting firm for investigation. The hosting firm helped the board resolve the issue and also upgraded the board's firewall as an extra measure of protection.

"The digital consultancy firm was thanked for bringing this issue to the board’s attention and notified of the action taken to resolve the issue. The Board believes it has taken all possible steps to resolve this issue within its control in accordance with advice provided by the Office of the Privacy Commissioner."

The board has not utilised its ‘member only’ section for a few years, so it does not anticipate any future breaches of this kind.

Craig said the board had no further comment other than that it takes security of information very seriously and will be reviewing all of its policies and procedures.

The two board cases are not identical. The Optometrists and Dispensing Opticians Board website was provided through a custom CMS developed by a web design company that ceased operating in late 2015. 

"This could mean that the website is unsupported or faces reduced access to security updates and improvements," the report said.

Users had the ability to enumerate all the website's hosted documents, the report said. While that was not ideal, it was not strictly a vulnerability. 

"The function works as intended, even if some might argue it is not the most secure method for handling file requests. It was the board's decision to store sensitive files using this method that created problems."

The Physiotherapy Board used a Drupal 7 website. Like the other website, the board's site used a single endpoint to reference individual documents.

"Whilst this method has advantages over the method we believed the Optometrists site used, it is still subject to the same enumeration problem. The only difference here was that our method required an extra step, and a modification to the script previously used."
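To make the enumeration problem concrete, the following is an added example, not code from the Echo IT report or from either board's website. It simulates the pattern the report describes, one endpoint that hands back a file for a guessable sequential number, and places a hardened handler beside it. The document store, document names, user names and the token scheme are all constructed for illustration. The scan function shows why "works as intended" and "safe to host private files behind" are different properties: once an endpoint answers any existing ID to anyone, a loop over the ID space lists every file, private or not.

```python
"""Simulated document endpoint: sequential-ID enumeration beside a hardened handler.

Constructed example. The documents, users and token scheme are invented for
illustration and are not taken from either board's website or the Echo IT report.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Response = Tuple[int, bytes]   # (HTTP-style status, body)


@dataclass
class Document:
    name: str
    body: bytes
    public: bool                  # intended for the open web?
    owner: Optional[str] = None   # who may read it when it is not public


# Constructed store keyed by a counter: one endpoint, one guessable number per file.
DOCS = {
    1: Document("annual-report.pdf", b"public annual report", public=True),
    2: Document("minutes-draft.docx", b"internal draft", public=False, owner="secretary"),
    3: Document("complaint-file.pdf", b"named complainant", public=False, owner="registrar"),
    4: Document("practice-standards.pdf", b"public standards", public=True),
}


def serve_vulnerable(doc_id: int, user: Optional[str]) -> Response:
    """The pattern from the article: the only check is whether the ID exists.
    Who is asking is never consulted, so a private file is one integer away."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, b""
    return 200, doc.body


def enumerate_keys(handler: Callable, candidates: Iterable,
                   user: Optional[str] = None) -> List:
    """What an unauthenticated scan does: try every candidate key, keep the hits."""
    return [key for key in candidates if handler(key, user)[0] == 200]


# Hardened variant, three changes:
#  1. non-public documents require the authorised user;
#  2. the endpoint is keyed by an unguessable token, not a counter;
#  3. an unauthorised request gets the same 404 as a missing file, so the
#     endpoint does not confirm which documents exist.
TOKENS = {secrets.token_urlsafe(16): doc_id for doc_id in DOCS}   # token -> id


def token_for(doc_id: int) -> str:
    """Look up the link token for a document (what a page would embed in an href)."""
    return next(tok for tok, did in TOKENS.items() if did == doc_id)


def serve_hardened(token: str, user: Optional[str]) -> Response:
    doc_id = TOKENS.get(token)
    if doc_id is None:
        return 404, b""
    doc = DOCS[doc_id]
    if doc.public or (user is not None and user == doc.owner):
        return 200, doc.body
    return 404, b""   # deliberately indistinguishable from "no such token"


if __name__ == "__main__":
    print("vulnerable, anonymous scan:",
          enumerate_keys(serve_vulnerable, range(1, 101)))
    print("hardened, same scan:",
          enumerate_keys(serve_hardened, (str(i) for i in range(1, 101))))
    print("hardened, owner with link:", serve_hardened(token_for(3), "registrar"))
```

The token is not a substitute for the authorisation check: a leaked link to a private document still yields a 404 to anyone who is not its owner, and a public document stays reachable by its link, which is the only thing a public website should expose. Unguessable keys only stop the scan; the ownership check is what stops the leak.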
