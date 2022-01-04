Software and systems to be upgraded, assurance and testing strengthened and cloud security services adopted.

Up to $75.7 million will be invested over three years to address cyber security weaknesses in health sector data and digital systems.

The Ministry of Health said work would include increasing security leadership and capability regionally and nationally, upgrading existing software and systems, establishing national security standards and guidelines, strengthening assurance and testing capability, and increasing the use of cloud security services as well as improving identity and access management systems.



The move comes shortly after a $257 million investment pledge for digital health systems, including $87 million targeting legacy technologies and capability deficits.

"The number and sophistication of cyber-attacks is increasing around the world, and healthcare is traditionally one of the most targeted sectors," Shayne Hunter, deputy director-general, data and digital, said.

"We’ve seen with the recent incident at Waikato District Health Board that New Zealand is not exempt from this global trend."

Hunter said the health and disability system was critical infrastructure that would become more dependent on digital technology and information sharing across networks over time. This contributed to better patient care and health outcomes but also increased the risk presented by cyber threats.

While it was not possible to fully eliminate these, improving the resilience of the system was essential to minimise the risk of service disruption and to protect sensitive health information.

All twenty district health boards were continuing to increase the resilience of their systems to reduce the risk and impact of events like the Waikato ransom attack, Hunter said. However, more needed to be done.

"That’s why the Ministry of Health has worked with DHBs to assess the current cybersecurity risks across the sector and prioritise areas for improvement through a cybersecurity roadmap," he said.

The first step was to build a set of core cybersecurity capabilities for hospitals, primary care and community services. This would reduce the likelihood of another successful cyber-attack while laying "solid foundations" for further cybersecurity improvements and the secure implementation of new digital health technologies, Hunter said.

"A focus of our strategy is on sharing resources and capability. A key responsibility of the regional cybersecurity teams will be to help primary care and community providers develop incident response plans so they can continue to provide essential services in the event of a cyber-attack."



Delivery of the roadmap will be governed by a Cybersecurity National Steering Committee, which will include national and regional chief information security officers (CISOs) along with representatives from the ministry, the heath sector, the National Cybersecurity Centre and the Government chief digital officer.