The Auditor-General is urging District Health Boards to be vigilant about data security and disaster recovery after finding weaknesses in some of its audits.
In a report on matters arising from audits spanning 2017 and 2018, Auditor-General John Ryan said it was essential that information systems and technology supporting financial management are secure and well managed.
"Continual reviews and vigilance are needed because of the large amount of DHB spending and because the environment changes quickly," Ryan's report said.
"In 2017/18, we continued to find that many DHBs needed to improve security by strengthening passwords and ensuring that privileged and administrator access is restricted to those who need it.
Ensuring that non-active accounts are deleted is another important step that should be more widely applied."
Several DHBs also needed to prepare or update disaster recovery plans for their information systems.
"Given the extent to which DHBs rely on these systems, an up-to-date disaster recovery plan is essential," the Auditor-General said.
That responsibility did not end when responsibility was shared with service providers.
"It is just as important for these DHBs to be satisfied that information and processes are secure, because responsibility remains with the DHB."
The report said DHBs should question themselves about the level of confidence they have that information systems will be able to support the delivery of services in a reasonable time frame after a disaster.
They also need to ask how secure their systems are, and how to ensure that information security is maintained at an appropriate level.