Privacy Commissioner warns DHBs to lift their cyber security games

Warnings in a damning sector stocktake come back to haunt cash-strapped DHBs.

Privacy Commissioner John Edwards is warning district health boards (DHBs) to address security failings identified in a Ministry of Health stocktake of health IT systems in 2020.

"We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year," Edwards said in the wake of a major attack on Waikato DHB.

"Our expectation would be that they should have taken, and if they have not should now take, steps to act on any deficiencies in security."

The report, released last June by the National Asset Management Programme for district health boards, found that DHBs had been maintaining their IT assets "in an environment of accumulated underinvestment". 

"Audits have shown that IT strategy, governance and asset management have operated at a basic level," it said. 

"There are multiple versions and customisations of core applications, ageing infrastructure, limited network capacity and devices not fit for purpose." 

This reduced productivity, increased maintenance and support costs, and increased cyber security risk.

"If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions," the Privacy Commissioner said today.

Edwards said his office has been notified of the Waikato DHB ransomware breach and is monitoring the situation closely while providing advisory support.

"We are aware that some patient, staff, contractor and other personal information has been distributed to news media organisations by unknown individuals," Edwards said.

"Our expectation is that the DHB would notify and offer support to the individuals identified in that information without delay."

He also expected the DHB would be actively monitoring for potential host sites on the dark web or elsewhere.

Edwards said his office is not investigating to determine any liability at this stage, but if a DHB is found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.
