Privacy Commissioner John Edwards is warning district health boards (DHBs) to address security failings identified in a Ministry of Health stocktake of health IT systems in 2020.
"We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year," Edwards said in the wake of a major attack on Waikato DHB.
"Our expectation would be that they should have taken, and if they have not should now take, steps to act on any deficiencies in security."
The report, released last June by the National Asset Management Programme for district health boards, found that DHBs had been maintaining their IT assets "in an environment of accumulated underinvestment".
"Audits have shown that IT strategy, governance and asset management have operated at a basic level," it said.
"There are multiple versions and customisations of core applications, ageing infrastructure, limited network capacity and devices not fit for purpose."
This reduced productivity and increased maintenance and support costs, as well as increasing cyber security risk.
"If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions," the Privacy Commissioner said today.
Edwards said his office has been notified of the Waikato DHB ransomware breach and is monitoring the situation closely while providing advisory support.
"We are aware that some patient, staff, contractor and other personal information has been distributed to news media organisations by unknown individuals," Edwards said.
"Our expectation is that the DHB would notify and offer support to the individuals identified in that information without delay."
He also expected the DHB would be actively monitoring for potential host sites on the dark web or elsewhere.
Edwards said his office is not investigating to determine any liability at this stage, but if a DHB is found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.