Menu
Privacy Commissioner warns DHBs to lift their cyber security games

Privacy Commissioner warns DHBs to lift their cyber security games

Warnings in a damning sector stocktake come back to haunt cash-strapped DHBs.

Privacy Commissioner John Edwards

Privacy Commissioner John Edwards

Credit: Supplied

Privacy Commissioner John Edwards is warning district health boards (DHBs) to address security failings identified in a Ministry of Health stocktake of health IT systems in 2020.

“We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year," Edwards said in the wake of a major attack on Waikato DHB.

“Our expectation would be that they should have taken, and if they have not should now take, steps to act on any deficiencies in security."

The report, released last June by the National Asset Management Programme for district health boards, found that DHBs had been maintaining their IT assets "in an environment of accumulated underinvestment". 

"Audits have shown that IT strategy, governance and asset management have operated at a basic level," it said. 

"There are multiple versions and customisations of core applications, ageing infrastructure, limited network capacity and devices not fit for purpose." 

This reduced productivity, increased costs for maintenance and support as well as increasing cyber security risk. 

“If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions," the Privacy Commissioner said today.

Edwards said his office has been notified of the Waikato DHB ransomware breach and is monitoring the situation closely while providing advisory support.

“We are aware that some patient, staff, contractor and other personal information has been distributed to news media organisations by unknown individuals," Edwards said. 

"Our expectation is that the DHB would notify and offer support to the individuals identified in that information without delay."

He also expected the DHB would be actively monitoring for potential host sites on the dark web or elsewhere.

Edwards said his office is not investigating to determine any liability at this stage but if a DHB is found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.



Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacyhealthprivacy commissionerwaikato dhbdistrict health boardsransomware attackscyber security

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Show Comments